Checking HTTPS is not enough for online payment, authentic identity of the website also needs to be paid attention to
2016-05-10
To deal with increasingly rampant traffic hijacking, data leaks and phishing fraud, more and more websites use SSL certificates to protect data in transit and to prove the authentic identity of the site to users. HTTPS encryption and identity certification are the two main functions of an SSL certificate. Users can judge the security, authenticity and legitimacy of a website from the information its SSL certificate presents.
HTTPS encryption is one of the most familiar and effective signs by which users judge the security of a website. However, for sensitive operations that involve money, such as online payment and online banking transactions, checking for HTTPS is not enough: we also need to verify the authenticity and legitimacy of the website through the identity authentication information in its certificate.
Beware of HTTP, recognize HTTPS!
At present, important websites such as online banking, third-party payment and other sites that handle money all use SSL certificates. Users should therefore be wary when the address of such a website begins with HTTP, the clear-text protocol. It is highly possible that the website is a phishing site.
Checking HTTPS is not enough for online payment, authentic identity of the website also needs to be paid attention to
HTTPS encryption is very important, but relying on HTTPS alone is not enough. For online payment, online banking transactions and other sensitive operations that involve money, the authentic identity of the website also needs attention.
According to international standards, SSL certificates are divided into four product levels: DV, IV, OV and EV SSL certificates. All of them provide HTTPS encryption, but only IV, OV and EV SSL certificates support website identity authentication. The basic-level DV SSL certificate verifies only ownership of the domain; the identity of the owner is not verified. You therefore need to check the SSL certificate information to know whether the HTTPS website you see is merely data-encrypted or has also passed rigorous identity authentication.
It is easy to check the SSL certificate information of a website. First access the website over HTTPS and click the security lock, next click to view the certificate in the window that pops up, and then click the user field in the detailed information. You can see the domain name bound to this website and the owner it belongs to.
If the website uses an EV SSL certificate, the highest level of verification, you don't need to take all these steps. The striking green address bar and the corporate name in the status bar tell you the real identity of the website at a glance.
Self-signed SSL certificates are not trustworthy
An SSL certificate should be issued by an authoritative CA (like WoSign CA). This is the premise for judging the security, authenticity and legitimacy of a website through its SSL certificate. The root certificates of authoritative CAs are preinstalled in the browser, so SSL certificates issued by them are trusted by all browsers.
However, anyone can issue a self-signed SSL certificate at will with the relevant tools, without supervision by a third party. Such a certificate is not trusted by browsers and operating systems. When users access a website that uses this kind of certificate, the browser shows them a warning. Users should close the window if they see this kind of warning.
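The manual certificate check and the rejection of untrusted (for example self-signed) certificates described above can also be scripted. This is an added example, not part of the original article: it uses Python's standard ssl module, the level it reports is a heuristic based on which subject fields the certificate carries, and the sample subjects and host names are constructed.

```python
import socket
import ssl

# Subject attributes a CA adds only after vetting the owner, as named by
# ssl.getpeercert(); the dotted OID is the spelling older OpenSSL builds use.
EV_ATTRS = {"businessCategory", "jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}
IV_ATTRS = {"givenName", "surname"}


def flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def classify(cert):
    """Heuristically map a getpeercert() dict to (level, verified owner)."""
    subject = flatten(cert.get("subject", ()))
    org = subject.get("organizationName")
    if org and subject.keys() & EV_ATTRS:
        return "EV", org
    if org:
        return "OV", org
    if subject.keys() & IV_ATTRS:
        person = " ".join(subject[k] for k in ("givenName", "surname") if k in subject)
        return "IV", person
    return "DV", None  # domain control only, no verified owner


def check_site(host, port=443, timeout=5):
    """Connect using the system trust store and classify the served certificate."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired, or issued for another name: do not proceed.
        return "UNTRUSTED", exc.verify_message


# Constructed sample subjects (not real certificates), in getpeercert() layout.
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {"subject": ((("organizationName", "Example Bank Inc."),), (("commonName", "bank.example"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),), (("jurisdictionCountryName", "US"),),
                         (("organizationName", "Example Pay Ltd"),), (("commonName", "pay.example"),))}

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(classify(sample))
```

A "DV" result means the connection is encrypted but the certificate names no verified owner, which is the case the article says HTTPS alone does not cover.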
WoSign SSL certificate
WoSign CA is an authoritative certificate authority that has passed the international WebTrust certification and holds a license from the Ministry of Industry and Information Technology. WoSign is also a member of the international CA/Browser industry alliance. WoSign SSL certificates support all browsers and mobile terminals, and WoSign has been providing SSL certificate products and services to many well-known companies.