12 Security Questions to Ask Before Accessing Any Website

With the increase in business conducted over the internet, the security of the sites you visit should be something that you verify.

What should you be looking for?

  • Is the connection between your computer and the site secure?

  • How can my browser help me determine the safety of a website?

  • How can my anti-virus help?

  • How can I tell if I am being redirected to another site?

  • Are there additional checks I can do if I am unsure?

  • What tools are available to help me?

How can I tell if I’m using a secure website?

Check for Secure Sockets Layer (SSL)

Before you make a payment or share sensitive information online you need to be sure the website is secure. When on the web you’ll notice that a website’s address probably begins with http://, meaning the site is using Hypertext Transfer Protocol without an added security layer. If you are going to provide financial or sensitive personal information, that URL (web page address) should begin with https://. Here is an example:

If you visit a few shopping sites, you’ll notice that the security layer is added when you are asked to enter sensitive information. As you access other sites you’ll notice a variety of http: and https: addresses. These may change based on the function. So if you are making a purchase, be sure that you are on a secure (https://) address. In other cases, e.g., your bank’s site, the security layer should always be in place. An easy rule of thumb is that if the information you are providing is sensitive and should be secure, look for the “s” at the end of the http.

The reason that https: is not used at all times has to do with performance. There is overhead with using the Secure Sockets Layer (SSL), so where security is not required, http: is used.

Check for the “Lock” icon

There is a de facto standard among web browsers to display a “lock” icon somewhere in the window of the browser (NOT in the web page display area!). Here’s an example using Google; other sites may display this information in a different location. Note the green lock icon.

Clicking on the green lock provides the following information about the website.

In general terms, a click or double-click on the lock icon will provide the site’s security information. It is important to check this because some fraudulent websites are designed to imitate the lock icon of your browser! If in doubt, click the lock icon and confirm that it behaves like the browser’s own control and shows the site’s security information.

What does your browser say about the site?

One way is to check for Secure Sockets Layer (SSL) encryption. You’ll know a site is secure if it has a green padlock icon in the address bar, just before the URL.

You can also search for the company on the Better Business Bureau’s website. You’ll be able to see reviews, complaints and even the grade the BBB has given the company.

Your Virus Protection software may help as well

Depending on the virus protection software being used, many of these applications perform checks to verify the safety of websites. The toolbar shown below has a tool (in this case provided by Norton) that helps identify the safety of the site. In this example we are using https://www.linkedin.com/company/entreda.

The browser shows that the website is safe.

Some browsers help as well…

The Site Identity Button is a Firefox security feature that gives you more information about the sites you visit. You can quickly find out if the website you are viewing is encrypted, if it is verified, who owns the website, and who verified it. This should help you avoid malicious websites that are trying to obtain your personal information. The Site Identity Button is in the Location bar to the left of the web address.

When viewing a website, the Site Identity Button will be one of five icons - a gray globe, a gray warning triangle, an orange warning triangle, a gray padlock, or a green padlock. Clicking on these icons will display identity and security information about the website.

Gray Globe

A gray globe indicates:

The website does not supply identity information.

The connection between Firefox and the website is not encrypted or only partially encrypted and should not be considered safe against eavesdropping.

Most websites will have the gray globe, because they don’t involve passing sensitive information back and forth and do not need to have verified identities or encrypted connections. It applies to websites served over HTTP (not encrypted) or HTTPS (partially encrypted).

Note: If you are sending any sort of sensitive information (bank information, credit card data, Social Security Numbers, etc.) the Site Identity Button should not be a gray globe icon.

Gray Warning Triangle

A gray warning triangle indicates:

The website does not supply identity information.

The connection to this website is not fully secure because it contains unencrypted elements (such as images).

Orange Warning Triangle

An orange warning triangle indicates:

The website does not supply identity information.

The connection between Firefox and the website is only partially encrypted and doesn’t prevent eavesdropping.

It implies that you’ve previously allowed the mixed active content served over HTTPS to be displayed for the website despite the risks.

Reloading the website will block those HTTP requests again to lower the threat, change the icon back to its previous state (gray globe for mixed passive content and gray padlock otherwise) and display the mixed content blocker shield icon. For information about the mixed content blocker, see How does content that isn’t secure affect my safety?.

Note: If you are sending any sort of sensitive information (bank information, credit card data, Social Security Numbers, etc.) the Site Identity Button should not be an orange warning triangle icon.
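As an added illustration (not from the original post or from Mozilla), the script below scans a page’s HTML for subresources fetched over plain http and maps the result to the indicators described above: passive loads such as images give the gray warning triangle, active loads such as scripts or stylesheets (if allowed to load) give the orange warning triangle. The tag-to-class mapping and the sample page are assumptions; the certificate is assumed valid and not EV.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed tag -> attribute mapping for the two classes the post describes:
# "passive" http:// loads only display something, "active" ones can run code
# or restyle the page.  (Firefox's real per-tag rules are more detailed.)
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}

class SubresourceCollector(HTMLParser):
    """Collect every subresource of an https page that is fetched over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.passive, self.active = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheets count as active content; icons etc. are ignored
        for table, bucket in ((PASSIVE, self.passive), (ACTIVE, self.active)):
            attr = table.get(tag)
            if attr and a.get(attr):
                url = urljoin(self.page_url, a[attr])   # resolve relative references
                if urlsplit(url).scheme == "http":      # plain HTTP inside HTTPS page
                    bucket.append(url)

def site_identity_icon(page_url, html):
    """Map a page to the indicator the post describes, assuming the certificate
    is valid (not EV) and that mixed active content is being allowed to load."""
    if urlsplit(page_url).scheme != "https":
        return "gray globe", [], []            # not encrypted at all
    c = SubresourceCollector(page_url)
    c.feed(html)
    if c.active:
        return "orange warning triangle", c.passive, c.active
    if c.passive:
        return "gray warning triangle", c.passive, c.active
    return "gray padlock", [], []

# Constructed sample page: an https page pulling a stylesheet and an image over http.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
</head><body>
<img src="http://images.example.test/logo.png"> <img src="/local.png">
<script src="https://static.example.test/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    icon, passive, active = site_identity_icon("https://www.example.test/", SAMPLE_HTML)
    print(icon, passive, active)
```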

Gray Padlock

A gray padlock indicates:

The website’s address has been verified.

The connection between Firefox and the website is encrypted to prevent eavesdropping.

When a domain has been verified, it means that the people who are running the site have bought a certificate proving that they own the domain and it is not being spoofed. For example, Facebook has this sort of certificate and an encrypted connection, so the Site Identity Button displays a gray padlock. When you click on the padlock, it tells you that you are actually connected to facebook.com as certified by VeriSign Inc. It also assures you that the connection is encrypted so no one can eavesdrop on the connection and steal your Facebook login information that way.

However, it is not verified who actually owns the domain in question. There is no guarantee that facebook.com is actually owned by Facebook the company. The only things that are guaranteed are that the domain is a valid domain, and that the connection to it is encrypted.

Green Padlock

A green padlock indicates:

The website’s address has been verified using an Extended Validation (EV) certificate.

The connection between Firefox and the website is encrypted to prevent eavesdropping.

A green padlock plus the name of the company or organization in green means this website is using an Extended Validation (EV) certificate. An EV certificate is a special type of site certificate that requires a significantly more rigorous identity verification process than other types of certificates. While the gray padlock indicates that a site uses a secure connection, the green padlock indicates that the connection is secure and that the owners of the domain are who you would expect them to be.

With the EV certificate, the Site Identity Button assures you that paypal.com is owned by Paypal Inc., for example. Not only does the padlock turn green on the Paypal site, it also expands and displays the name of the owner in the button itself.

Screenshots from URLVOID

Screenshots from Sucuri

Checks you can do on websites

Routine Checks:

  • Lock icon

  • Browser info
      • Site identity (verified by trusted 3rd party)
      • Connection (secure/level of encryption)
      • Visit history

  • Hover over link (look in the lower corner of the browser for the destination site)

If Questionable:

  • Use a link scanner (URLVOID or MYQOT)
      • Safety scan report (check non-green items)

  • Check shortened links (Sucuri)
      • Blacklisted
      • Malware
      • Malicious JavaScript
      • Drive-by downloads
      • Anomaly detection
      • IE-only attacks
      • Suspicious redirections
      • Spam
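The “hover over link” check above compares the destination your browser shows in its lower corner with what the link text claims. As an added example (not part of the original post), this script automates that comparison for every link in a page and reports links whose visible text names one host while the href points somewhere else; the host normalisation and the sample links are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lowercase hostname without a leading 'www.' (assumed normalisation)."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

class LinkAuditor(HTMLParser):
    """Record <a> elements whose visible text names one host while the href
    points at another, i.e. what hovering over the link would reveal."""
    def __init__(self):
        super().__init__()
        self._href, self._text = None, []
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            # Treat the text as a host only if it looks like one (dotted, no spaces).
            if "." in shown and " " not in shown:
                shown_host = host_of(shown if "://" in shown else "http://" + shown)
                if shown_host and shown_host != host_of(self._href):
                    self.mismatches.append((shown, self._href))
            self._href = None

def find_deceptive_links(html):
    """Return (visible text, real href) pairs that disagree about the host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.mismatches

# Constructed sample: one honest link, one whose text and destination disagree.
SAMPLE_LINKS = """<p>Log in at <a href="https://www.mybank.test/">www.mybank.test</a>
or <a href="http://login.example-phish.test/x">www.mybank.test/login</a>
(<a href="http://other.test/">click here</a>).</p>"""

if __name__ == "__main__":
    print(find_deceptive_links(SAMPLE_LINKS))
```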

12 Questions to Ask Before Accessing Any Website

1. What are your security policies?

It is very easy to promise good security, but what are the actual policies and procedures in place to make good security a reality? How do they prevent attacks and malware? How do they handle threats? How do they mitigate actual attacks?

2. How do you monitor (privileged) access to data?

Segregation of duties and the associated access rights must give employees sufficient access to the data required to perform their duties efficiently, but they should not have access to data that they do not need. All access should be granted on a need-to-know basis.

3. How do you know if sensitive data leaves your network?

This is a very important question that is difficult to answer even if data loss protection capabilities are in place. Often sensitive data is compromised by careless employees having these data on a computer system, tablet, smartphone or thumb drive that is lost or stolen, or by sharing sensitive information without the proper safeguards. This can be through email or by storing and sharing information using cloud storage applications (e.g., Dropbox).

4. Do you offer SSL (HTTPS)?

If your site requires usernames and passwords, such as for e-commerce or for blogs, it’s vital that those communications are secured from eavesdroppers using HTTPS.

5. Do you back up?

Knowing whether and how your data is backed up, and how long it will take to restore, allows you to understand the impact of a compromise of your website.

6. How do you detect threats and report compliance across domains?

Having the capability to detect a threat and take countermeasures is extremely important. Automated detection and compliance reporting are really essential.

7. How do you handle security breaches?

In the event of a security breach of your website, the safety of your visitors depends on how and how quickly the provider notifies you. And you need to be sure you can reach the provider if you notice a breach before they do.

8. How do you regularly test your website for vulnerabilities?

Everyone with a website should be testing their website regularly to make sure that it is up to date on patches and that the website has not been subject to tampering or attack. As a minimum this should be done annually.

9. What security measures are in place?

This seems like a no-brainer, but you would be surprised to find some hosts have very little security in place. Does your host monitor for suspicious activity? What types of attacks do they have software installed to protect against?

10. Secure transactions

Uploading, downloading, and web transactions should be secure. For that, you will need a secure transfer method, such as SFTP, and the ability to secure web purchases or information submission, such as SSL. While nearly all hosts offer some form of SSL support, it may cost extra. Many, however, do not offer SFTP and still rely on the unsecured FTP.

11. How do you involve key internal and external stakeholders in security matters?

Often overlooked, it is very important to involve key stakeholders in the security strategy planning and execution. You will need their support to roll out your plan and to get everyone to attend annual refresher training sessions.

12. To what extent have you rolled out an identity program?

Multi-factor authentication is rapidly becoming important as ID/password systems are increasingly found to be inadequate. Do you have a plan? Do you have a timeframe for making this happen?

© 2021 Entreda, Inc. All rights reserved.