Zentraler Informatikdienst

Confidentiality on the web with https

Securing connections in the browser with https is probably the most common and simplest area of application for cryptography. Nevertheless, it is necessary to know and observe a few rules.

Confidential and unaltered

When you enter a password in the browser, you rightly expect that it will not be intercepted on its way through the internet. You also want to be sure that the data arrives as it was sent. All this is ensured by the secure hypertext transfer protocol, https for short.

However, this only makes sense if the browser does not send your secrets to the wrong person in encrypted form. To avoid this, a server identifies itself with a certificate. But how can you be sure that everything is in order?

Lock closed, all good?

Many people believe: “If the lock in the address bar of the browser is closed, everything is fine.” That’s a little too short-sighted. Please note the following if you want to send confidential information (such as a password) to a website:

  • Clarify which domain name the service uses. At the University of Vienna, for example, this is .univie.ac.at. Only enter your u:account password on pages with .univie.ac.at.
  • Preferably call up the page via the bookmarks or your start page, then you cannot be misled by similar addresses.
  • Pay attention to the lock symbol. It must be closed. In some browsers you have to click on the symbol to the left of the address to display the lock.
  • Pay attention to the URL (the address). The part between https:// and the next slash must end with the domain name (e.g. .univie.ac.at). Some browsers do not display https://. If there is nothing after it, the final slash is also omitted.
  • Only the URL is decisive. Fake pages do not look deceptively similar to the original, they look completely the same.
  • You should take certificate warnings seriously. Ideally, you should leave the site. In any case, do not enter a password or any sensitive data on the site.

Examples

URL (address)Good?Reason
https://www.univie.ac.at/xyz/abc.htmlYeshttps, domain ends with .univie.ac.at
http://www.univie.ac.at/xyz/abc.htmlNohttp without s
https://www.univie.at/xyz/abc.htmlNoDomain is .univie.at instead of .univie.ac.at
https://abc@sthg.univie.ac.at/xyz/abc.htmlYeshttps, domain ends with .univie.ac.at
https://sght.univie.ac.at@abc.def.com/xyz/abc.htmlNoDomain ends with abc.def.com
https://www.unvie.ac.atNoDomain is .unvie.ac.at instead of .univie.ac.at

To top