Securing our website

Security has become a part of all our everyday lives. Our cars get inspected on arrival at work. Our ID is checked and we are signed in and out. Metal detectors are installed in hotels and shopping centers. Schools are no different, and security at ICS is kept high to protect our students.

We can bemoan the necessity of such measures, or we can accept them and appreciate them for what they are: efforts to protect us and keep us safe. In an ideal world, we wouldn’t need security measures. In the real world, such measures are necessary.

What’s true in the real world is true in the online world. Criminals and terrorists operate online as they do offline, and individuals and website managers need to take precautions to keep their information, accounts and websites secure.

This week, I am renewing the security certificate for the ICS website and related services. This certificate means that when users log in to our mail, elearning or eportfolio services they can be reassured that their account information, passwords, etc. are being protected. It’s part of the background security that all websites must operate. And it’s important for everyone to know how it works.

HTTPS: website security

When you load a typical website, it uses a communication protocol to send the webpage information to your browser and receive any information your browser sends. That communication is HTTP – “hypertext transfer protocol.” There are plenty of details about how that communication works (and it’s really great!), but the most important thing to understand is that it is an open communication, not encrypted or secure in any way. Any information can be intercepted and read by anyone who cares to try. Think of it like sending a postcard in the mail: your message is written in the open and able to be seen by anyone.

In order to protect passwords and other information (online purchasing, for example), a secure method was created – HTTPS. You can see this in the URL of your web browser when you go to a website login screen. Not only will you see “https” in front of the URL, you’ll also see a lock icon:

[Image: “https” and the lock icon in the browser’s address bar]

This lock icon (some sites also pay for a green “bar of trust”) shows that https is working. It is also a hidden menu. Click on it, and you should see a message similar to the one below:

[Screenshot: the security certificate message shown after clicking the lock icon]

This shows that the website is using a security certificate to encrypt the communication. This encryption is strong and prevents criminals who intercept the traffic from reading the information that you enter into the website.

Verifying a security certificate

There’s an additional layer of security that you can see in the screenshot above: verification. At ICS, we used to use our own security certificates to encrypt information. That is something that we can do and it does encrypt and protect the information that is sent over https.

However, anybody can create a certificate, including criminals, so if the certificate is not verified by an independent, recognized authority, web browsers will show an error warning that the website might be insecure. It’s not saying that the site is dangerous, just that it could be. Think of it as someone coming to your door claiming to be from the water company who wants to read your water meter. That person might be a criminal, or might really be someone from the water company. Until they can show some verification that they are who they say they are, you probably won’t trust them.

Therefore, ICS now uses security certificates that are verified by StartCom, one of the recognized security certificate authorities. As part of that, we have to renew our security certificates every few years and verify that we are a legitimate school running legitimate websites.

In order to get a verified security certificate, there are various steps that we have to follow:

  1. I have to verify my own personal identity by providing copies of my passport and national ID card.
  2. We have to verify that the school is a legitimate organization by providing copies of our license from the Ministry of Education.
  3. We have to verify that Jim Laney is our Head of School by providing copies of his identification and verification of his position by the Board of Governors.
  4. We have to verify that I am entitled to act on behalf of the school by providing a letter of authorization from Jim.

Whew! It’s a bit of a hassle getting all that documentation together. We also have to verify our physical presence through the mail. It’s not easy … but it’s not supposed to be. If it were too easy, criminals could easily set up fake websites and steal your information. Instead, you can be reassured whenever you log in to our systems that we have been verified to be trustworthy.

What does this mean for you as a web user?

The main thing that any web user should know is that HTTPS is set up to protect your information. Whenever you log in to a website or provide information such as credit card details or bank information, you should look for HTTPS. It’s also worth checking a security certificate for sites that you use – banks, shopping sites, etc. – to make sure their certificate is verified. As a real world analogy, would you put your money in a bank that didn’t have security guards? Would you go shopping in a store or mall that didn’t have any kind of security to protect your money, credit cards, or your purchase?
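The check behind the lock icon can also be done by a script. The Python sketch below is an added example, not part of the original post: it connects the way a browser does, reports who the certificate was issued to, which authority verified it and how many days remain before renewal, and returns the failure reason for a certificate that no recognized authority has verified. The host name given on the command line is the reader's choice, and `SAMPLE_CERT` is constructed sample data.

```python
import socket
import ssl
import sys
import time


def _field(name_tuples, key):
    """Pull one field (e.g. organizationName) out of getpeercert()'s nested name tuples."""
    for rdn in name_tuples:
        for k, v in rdn:
            if k == key:
                return v
    return None


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the facts shown behind the browser's lock icon."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = cert.get("issuer", ())
    return {
        "issued_to": _field(cert.get("subject", ()), "commonName"),
        "verified_by": _field(issuer, "organizationName") or _field(issuer, "commonName"),
        "days_left": int((expires - now) // 86400),  # negative once expired
    }


def check_site(host, port=443, timeout=10):
    """Connect like a browser: verify the chain against trusted authorities and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as err:
        # Self-signed, expired, or wrong-hostname certificates land here,
        # the same cases in which a browser shows its warning page.
        return {"trusted": False, "reason": err.verify_message}


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example Demo CA"),)),
    "notAfter": "Jan 31 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(check_site(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_CERT))
```

Run with a host name as the only argument to check a live site; with no argument it prints the summary of the constructed sample.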

Like in the offline world, online security systems are a necessary fact of life. It’s worth understanding what they are and why they are necessary. Recognize the signs of security systems online (lock, https) and make sure they’re there when you are sending secure information. It’s like the car check in the morning: let it reassure you that people are working to keep you protected.
