The Difference Between “Secure” and “Safe” Is Bigger Than You Might Think

Most of the time, the terms “secure” and “safe” can be used interchangeably. You’re never going to get hung up on whether a bank tells you’re your money is “secure” or “safe” within its vault. But when it comes to your personal information on the internet, understanding the distinction between those two words can mean the difference between effectively protecting yourself and having your identity compromised.

Mozilla Firefox v70 has just been released, and one of the more significant new features that the developers have highlighted is the addition of a warning page to make users aware when a website is not secure. Ostensibly to help users better protect themselves, Firefox is following in Google Chrome’s footsteps: if you use Chrome as your primary browser, you’ve probably seen the “not secure” warning that pops up when you visit an unsecured website.

So, what does that mean, exactly? Well, the current version of Chrome’s warning reads, “Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards) because it could be stolen by attackers.” This is a pretty straightforward warning, and it highlights a few of the more popular tracks on the Scammers Greatest Hits album—namely, stealing passwords and financial information. People should be aware that scammers might try to acquire this type of information, and hopefully, warnings like this will make users more mindful.

But the truth is, that warning doesn’t paint a clear picture of what it actually means for a site to be “secure” or “not secure.” If you’re the product manager for a browser, you certainly understand that “secure” doesn’t mean much more than (for example) “information on this site is encrypted using TLS v1.2 or higher.” But the average consumer doesn’t know that—the average consumer believes that “secure” means “safe,” and a warning page that pops up only when a user visits a site not properly secured by an SSL certificate runs the risk of giving them false confidence when they visit a potentially dangerous site that does use encryption.

“Secure” websites are NOT necessarily safe. Secure means nothing more than that a website is encrypted, and any information you enter into that website, whether it’s your personal account information, credit card info, your mother’s maiden name, or the street you grew up on, can’t be intercepted by anyone other than the intended recipient. But phishing sites are capable of using SSL certificates to “secure” their sites—in fact, nearly half of phishing sites now use SSL certificates. Even the FBI has taken notice of this, issuing a warning to internet users that just because a website says it is “secure” does not mean that it is safe to provide that site with your personal information. Look at it this way: the information you enter might not be able to be intercepted, but if the intended recipient is already a phisher, then it doesn’t really matter—your information is already headed into the wrong hands.

Falling for a scam like this can be surprisingly easy: you might get an email claiming to be from your bank and unwittingly click through to a very convincing facsimile of the bank’s real website. Unless you check the URL after clicking, you might not realize that the site you have been sent to is NOT “[bank].com” but “[bank].scammer.com” (or something along those lines). In fact, “[bank].scammer.com” might even have an SSL certificate telling you the site is secure. But that certificate doesn’t make it any safer to type in your password or bank account information.

Depending on which browser you use, Extended Validation (EV) SSL certificates try to address this problem—in Safari, for example, you’ll see the address bar change color to green if the EV certificate has verified that the site is who it is claiming to be through a reputable certificate authority (think of it almost like a Twitter checkmark). Unfortunately, user understanding of these EV certificates has evidently not developed quickly enough for Google or Mozilla, as both Chrome and Firefox have moved away from the green address bar and other EV indicators.

While this does remove an indicator for savvy users to look for, the situation remains much the same as it always was: internet users need to be vigilant, ensuring that they double-check both the safety AND security of a website before inputting personal information. Be aware of phishing tactics. Keep an eye on URLs. And be aware that if you see a “not secure” warning on Chrome or Firefox, your information is still potentially at risk. Even as phishers and other types of scammers become more sophisticated in their approaches, users can protect themselves by familiarizing themselves with the threat landscape and working hard to stay both secure and safe.