05-22-2007, 10:51 AM
When a customer questions whether or not our site is secure, is there some certificate/statement that I could E-mail to assure them? Should I have a statement on our site? This happens about 2-3x per week and I used to think the padlock in the lower right-hand corner indicated a secure site--am I wrong?
What do other websites do when this issue arises? I always assure the customer that the site is secure--but they don't seem satisfied. Thanks in advance for any help in this regard.
I went to Siteworx to see if I could find something and I found an SSL certificate--is that it?
05-22-2007, 12:57 PM
I know that when you buy certs from (e.g.) Verisign, they give you the option of generating some code to put on your pages that embeds an image from their servers. I suspect that most cert authorities offer a similar service.
Trouble is, the 'image on a webpage' approach is about as reliable an indicator of site security as client-side login scripts are a reliable method of controlling access. In fact, they're widely used in phishing attacks.
The padlock in the browser status or address bar is still, as far as I'm aware, the only reliable indication of a secure site. I'm sure that Verisign would have a page up somewhere that explains in simple terms what the padlock means in reassuring terms for the non-tech-savvy.
If you have a secure site, on an HTTPS URL, that makes a closed padlock appear when you visit it, I'm not sure what else you could do to reassure visitors apart from pointing them at your certificate-issuing authority.
05-22-2007, 01:53 PM
I used to think the padlock in the lower right-hand corner indicated a secure site--am I wrong?
The padlock icon in IE browsers indicates to your users that they are on a secure page. Other browsers display a different icon or change the color of the URL text in the address/location bar. IE7 displays the padlock icon at the top of the page, next to the refresh icon. Clicking on the icon gives a security report, which should be good enough for anyone.
Here's what happens when there's a problem with the security certificate:
Here's what happens when the security certificate is in order:
An SSL certificate can be purchased for $20 a year or $200 a year (and higher), depending on the use and brand, etc. Most people are fine with an inexpensive certificate like RapidSSL.
I buy mine from Dynadot (http://www.dynadot.com/ssl/about.html) because that is also where I purchase domain names, but there are thousands of places to buy them.
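Added example, not part of the original thread: a site owner can check from the command line what the padlock's security report is built on (a validated chain, a matching hostname, an issuer and an expiry date) and quote those facts to a customer. The names fetch_cert, summarize_cert and SAMPLE_CERT are hypothetical, and the sample certificate data is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(hostname, port=443, timeout=10):
    # The default context verifies the chain against the system trust store
    # and checks the hostname; failure raises ssl.SSLCertVerificationError,
    # the same condition that makes a browser show a certificate warning.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def _field(rdns, key):
    # Pull one field (e.g. organizationName) out of a subject/issuer tuple.
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize_cert(cert, now=None):
    # Reduce a getpeercert() dict to the facts a padlock report shows.
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer = cert.get("issuer", ())
    return {
        "issued_to": _field(cert.get("subject", ()), "commonName"),
        "issued_by": _field(issuer, "organizationName") or _field(issuer, "commonName"),
        "names": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "expires": expires.date().isoformat(),
        "days_left": (expires - now).days,
        "expired": expires <= now,
    }

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA G1"),)),
    "notBefore": "May 22 00:00:00 2007 GMT",
    "notAfter": "May 22 00:00:00 2008 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, datetime(2007, 6, 1, tzinfo=timezone.utc)))
```

Against a live site, summarize_cert(fetch_cert("your-domain")) gives the same summary; an exception from fetch_cert means visitors are seeing a certificate warning instead of a padlock.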