Websites that deal in personal or financial information typically offer secure connections. With a secure connection, your data is encrypted so that it cannot be easily read by anyone who might intercept it between your computer and the website.
When to use a secure connection
Usually, a secure connection is made for you when needed. For example when you log into a commercial website or create a new account on a website which requires personal address and financial information, the connection usually changes to secure. Generally speaking, sites should automatically switch to a secure connection when requesting or displaying sensitive information. See "Recognizing a secure connection" below.
Some websites may offer both secure and non-secure login options. You should always choose secure login. (Some older browsers cannot use secure connections.)
Tip: When logging into a website, watch for choices such as Standard and SSL. Standard refers to an non-secure login. SSL refers to a secure login (Secure Sockets Layer, the web encryption protocol).
Recognizing a secure connection
With Safari 5 through 5.1.7, a lock icon appears near the top right corner if all of the webpage's content uses a secure connection.
Also, with a secure connection the address of the website begins with "https:" instead of "http:".
Note: In Safari 4 or earlier, the lock icon appears if any part of a webpage's content uses a secure connection.
You may see unsecured pages after a secure login (no lock icon or "https", that is). This does not indicate a security risk. Typically, only the pages that display or request sensitive information are secured. A page where you view a product's information does not need to be secure. Whenever you come back to a page that displays or requests sensitive information, the lock icon should reappear.
Tip: Sometimes a secure login form at a trusted site does not appear to be secure at first. You might see a button that says "Sign into our secure server" on a page that is not secure. A secure connection might appear after you click the button. If you are not sure how a site works, a simple test is to enter "guest" as your user name and password. Look to see if the connection changes to secure after you click the submit button.
Important: You should not enter any sensitive information on a form if you are not sure it is secure. If a legitimate organization requests sensitive information on an insecure form, you should consider contacting them via telephone instead.
Why is a secure login important?
Choosing secure login prevents someone from easily intercepting your name and password. For that reason, secure login is a good idea even when your account at the website does not contain sensitive information. With your login information, someone could use your identity on that site, or at another site where you used the same login.
It's good practice to use different passwords on each website you log in to. If you use the same password everywhere, it could be intercepted at an unsecured site, then used maliciously at a secure site. Consider the password tips listed in Choosing good passwords in Mac OS X.
Avoiding fake "secure" sites
Identity thieves collect names, passwords, and other information by tricking people into thinking they are on a trusted site. You can avoid many fake "secure" sites by following these guidelines:
Do not trust any "secure" indicators other than those shown above
Some sites put fake lock icons or other false assurances of security within the page's content. Any assurance within the page itself is meaningless. The connection is not secure unless the lock icon appears and the address begins with "https" as mentioned above.
Be careful with links that are included in an email
In Mail, before clicking a website link within an email, especially ones from a sender you don't know, you can hover your cursor over the text of the link to see a tooltip description of where the link really goes. If the URL looks suspicious, or goes to a different site than the text says it should, do not click on it. See below for examples of deceptive links.
Instead, if you know the website's address, open a new browser window. Type the website's address yourself, and do not let it auto-complete.
Another way to be sure is to use a bookmark you created.
Typing it yourself or using a bookmark protects you from schemes that disguise counterfeit websites behind seemingly-trustworthy links. Such links can lead you to fake websites that hope to collect your information for malicious purposes. If you have doubts about a message's origin, type the address into your browser. Don't follow suspicious links.
Examples of deceptive links
Regardless of how a deceptive email works, its goal is to disguise the actual address of the fake site, making it appear to be the address of a trusted site. Here are three common tricks you may see:
- Deliberately confusing address
You may see an address with a form similar to this:
- Image of a link
Sometimes, you may see what appears to be a text link that's really an image file (a screenshot taken of text). The image itself is a link to the fake site. You can identify an image by trying to copy the text. If you can't select and copy the text in an email, it may not be text.
- Hidden links
You may see an address that looks perfectly normal, such as: (https://store.apple.com/)
However, using HTML or a script embedded in the email, the sender can cause the link to go somewhere else. You can only determine the true destination by viewing the source code of the email, which is usually HTML or rich text (RTF). Most email applications have a feature that automatically displays a web address as a live link when typed, without the HTML formatting that would otherwise be required to get this effect. Simply put, this means that a web address link does not necessarily go where it appears to go. A sender can mislead you by putting a different destination in the source code. You should suspect this when the address that appears in the Safari browser window is not the one that appears in the email.
About third-party certificate authentication
To verify that publishers of a website are who they claim to be, Safari checks the site's third-party security certificate. Certificates are granted (or "signed") by a trusted third party, known as a certificate authority (CA). The lock icon appears only when trust is established. If the certificate is not trusted, you see an alert that the website's identity could not be verified.
If you choose to continue to an unverified site, you are trusting the site for one session only. If you quit and reopen Safari, the warning will appear again.
Advanced tip: If you want to see which authority signed the certificate of a site that you are visiting, click the lock icon near the top right corner of the Safari window.