The sad thing is, these aren’t in your control.
There are lots of things we can do as individuals to improve our own security online (good password security, think before you click, etc.) but we are ultimately reliant on the underlying security of the services we use.
For some time there have been protocols and standards on the Internet that let us all be a little more certain that we are talking to whoever we think we are talking to.
The UK Government has announced (back in June, 2016) that some of these technologies are about to be mandatory for all departments. From this month (October 2016) we should feel more confident in our communications to UK GOV.
The first allows recipients of emails purporting to be from government departments to confirm that they really are from the government. This is done by validating that the email came from an authorised server or that it is digitally signed in a secure fashion. The system is called DMARC but, alas, only a small number of email services support it. That will change, however, with time. Now all government emails must come from approved servers or be suitably signed to prove their authenticity.
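To make the "authorised server or digitally signed" check concrete, here is an added example (not code from the original post) of how a receiving mail service evaluates a sender's published DMARC record: the message passes if either SPF (the sending server) or DKIM (the signature) passed and the authenticated domain aligns with the visible From: domain. The record, domains and results below are constructed, and the organisational-domain check is a deliberate simplification that ignores the Public Suffix List.

```python
"""Minimal DMARC policy evaluation (added example, not from the original post)."""


def parse_dmarc_record(record: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict.
    Missing alignment tags default to relaxed ('r'), as the DMARC spec specifies."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organisational domain.
    # A real receiver must consult the Public Suffix List, otherwise
    # 'a.gov.uk' and 'b.gov.uk' would wrongly be considered the same organisation.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return ('pass' | 'fail', disposition). spf_domain is the MAIL FROM domain that
    SPF authenticated, dkim_domain the d= of the DKIM signature; results are 'pass'/'fail'."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]  # the receiver applies the policy the sender published


if __name__ == "__main__":
    # Constructed sample: the department publishes p=reject with strict DKIM alignment.
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print(evaluate_dmarc(rec, "department.example", "pass", "mail.department.example", "fail", ""))
    print(evaluate_dmarc(rec, "department.example", "pass", "other.example", "fail", ""))
```

The second call shows the point of the standard: a message whose From: claims the department but whose sending server only proves an unrelated domain fails and is rejected under the published policy.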
The second is easier and should be the de facto standard already: use encryption on the web. HTTP has been around a long time, but everything is sent to and from the website in plain text, which means it can be intercepted and read. HTTPS is an encrypted version of the same protocol (a simplistic but good enough description). The new standard means that our communications with government websites will be confidential, or at least as confidential as they can be by modern standards.
The third standard to be implemented is in support of the second. This is “merely” a list of websites that must only ever be connected to in a secure fashion. The list, called HSTS, has to be supported by your web browser, but the good news is that this includes all the major browsers (IE, Edge, Chrome and, if you must, even Firefox).
Any organisation (especially a government) taking up these options is excellent news, but now we as consumers of these services must make sure we can (ahem) consume them.
- We should be resisting the use of plain-text (HTTP) websites and use only HTTPS-secured websites. Chrome helps here by marking these websites with an exclamation mark and will soon even state that the websites are insecure when you try to connect! In 2017 it will warn you explicitly of the risks if you try to do anything confidential over HTTP.
- Talk to your email provider about how they check authenticity of emails. You can refer them to this article or ask me for more details on how to approach this.