Knowing if an Online Transaction is Secure

Published 13/05/2004 10:51   |    Updated 23/04/2008 12:00
How do I know if an online transaction is secure?


Firstly, what is a secure connection?

A secure connection is an encrypted exchange of information between the website you are visiting and Internet Explorer. Encryption is made possible by a document that the website provides, called a certificate. When you send information to the website, it is encrypted at your computer and decrypted at the website. Under normal circumstances, the information cannot be read or tampered with while it is being sent, but it's possible that someone might find a way to crack the encryption.

Even if the connection between your computer and the website is encrypted, it does not guarantee that the website is trustworthy. Your privacy can still be compromised by the way the website uses or distributes your information.



Are secure connections private?

Not necessarily. Even though the information you are sending and receiving is encrypted (encoded), an intermediate party might be able to see the website you are connecting to. By knowing the website you are connecting to, the other party might have a pretty good idea what you are doing on that site.


For example, if you're looking for a new job using a computer at work, your company might watch for key words in websites or keep a log of visited sites. If you upload a resume to a job website, the document might be encrypted, but your company would still know you're looking for a new job.



How can I tell if I have a secure connection?

In Internet Explorer, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar.


The certificate that is used to encrypt the connection also contains information about the identity of the website owner or organization. You can click the lock to view the identity of the website.



Why do I see different colors in the Security Status bar?

When you visit a website that uses a secure connection, the color of the Security Status bar tells you whether the certificate is valid or not, and it displays the level of validation that was performed by the certifying organization.

The following table describes what the Security Status bar colors mean.


What it means


The certificate is out of date, invalid or has an error.


The authenticity of the certificate or certification authority that issued it cannot be verified. This might indicate a problem with the certification authority's website.


The certificate has normal validation. This means that communication between your browser and the website is encrypted. The certification authority makes no assertion about the business practices of the website.


The certificate uses extended validation. This means that communication between your browser and website is encrypted and that the certification authority has confirmed the website is owned or operated by a business that is legally organized under the jurisdiction shown in the certificate and on the Security Status bar. The certification authority makes no assertion about the business practices of the website.


What should I do if I think a website is trying to mislead me about their identity?

If you believe that the site is attempting to mislead you about its identity, you should contact the certification authority whose name appears in the certificate and in the Security Status bar.


If a website has secure transactions, does that mean the website is safe to use?

Not necessarily. A secure (encrypted) connection is not a guarantee that the website is safe to use. A secure connection only assures you of the identity of the website, based on the information provided by the certifying organization. You should only consider giving personal information to a website that you know and trust. To learn how to decide if you can trust a website, see When to trust a website.



How can I increase the safety of my online transactions?

While there is no guarantee of safety on the web, you can minimize online privacy or security problems by using websites you know and trust. Internet Explorer cannot tell if a website owner is trustworthy. Try to use sites you've used previously or that are recommended by trusted friends or family. You should also turn on Internet Explorer's Phishing Filter to help identify fraudulent websites.


What does it mean when I have both secure and non-secure (mixed) content?

Secure and non-secure content, or mixed content, means that a webpage is trying to display elements using both secure (HTTPS/SSL) and non-secure (HTTP) web server connections. This often happens with online stores or financial sites that display images, banners, or scripts that are coming from a server that is not secured.

The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content.

Note: Internet Explorer uses an encrypted protocol called Secure Sockets Layer (SSL) to access secure webpages. These pages use the prefix HTTPS, while regular webpages use HTTP.



I'm having trouble using some websites that include mixed content. What do I do?

If you are having trouble using sites that include mixed content, you might want to temporarily have Internet Explorer allow all mixed content. To do this, follow these steps:

To allow mixed content

  1. Open Internet Explorer by clicking the Start button, and then clicking Internet Explorer.
  2. Click the Tools button, and then click Internet Options.
  3. Click the Security tab, and then click the Custom level button.
  4. In the Security Settings dialog box, scroll to the Display mixed content setting in the Miscellaneous section, and then click Enable.
  5. Click OK in the Security Settings dialog box, click Yes to confirm that you want to make the change, and then click OK to exit Internet Options.

Note: After allowing mixed content, you will see webpages with both HTTPS and non-HTTPS content but Internet Explorer will not show the lock icon.



See also: How do I know when to trust a website? and How do I know when to trust an email?

