Look for the small padlock, not the big one
Tim Anderson details how one site bounced some users from an HTTPS checkout page to an unencrypted page on the same site, and still asked them for their credit card details:
A friend drew my attention to a security issue on thetrainline.com, a UK website for purchasing train tickets.
She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page:
In this case, Internet Explorer shows the url in green, which means it uses an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.
Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details but this time over HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:
Now the comforting green url is gone, replaced by plain black on white:
This demonstrates some of the problems with how a user is notified of a secure connection in the browser. In this case, an EV SSL Certificate was used.
Paying on the web? Look for the small padlock, not the big one - [Tech Writing Blog]
Originally posted on Sun Oct 14, 2007
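As a practitioner's check, added here and not part of Tim Anderson's post or of thetrainline.com's own code: a Python script that scans a checkout page for forms carrying card fields whose action would submit over plain HTTP, and flags the hop at which a redirect chain dropped from https to http, which is the pattern described above. The host shop.example, the list of sensitive field names, the sample HTML and the redirect chain are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that should never be posted over plain HTTP (hypothetical list,
# extend it for the forms you actually care about).
SENSITIVE_FIELDS = {"cardnumber", "card_number", "ccnumber", "cvv", "cvc",
                    "securitycode", "password"}


class FormScanner(HTMLParser):
    """Collect every <form> on a page with its resolved action URL and the
    lower-cased names of its <input> fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page
            # itself, which is exactly how an HTTP error page silently turns
            # into an HTTP card form.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_sensitive_forms(page_url, html):
    """Return the action URLs of forms that contain a sensitive field but
    would submit it over something other than HTTPS."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if any(name in SENSITIVE_FIELDS for name in f["fields"])
            and urlsplit(f["action"]).scheme != "https"]


def scheme_downgrades(chain):
    """chain is the list of (status, url) hops a client saw while following
    redirects. Return every (from_url, to_url) hop where the scheme dropped
    from https to http."""
    return [(prev, cur) for (_, prev), (_, cur) in zip(chain, chain[1:])
            if urlsplit(prev).scheme == "https" and urlsplit(cur).scheme == "http"]


# Constructed sample input mirroring the failure described on this page:
# the card form was submitted over HTTPS, validation failed, and the
# "try again" page came back over plain HTTP with a relative form action.
SAMPLE_CHAIN = [
    (200, "https://shop.example/checkout"),
    (302, "https://shop.example/checkout/submit"),
    (200, "http://shop.example/checkout/retry"),
]
SAMPLE_PAGE_URL = SAMPLE_CHAIN[-1][1]
SAMPLE_HTML = """
<form action="/checkout/retry" method="post">
  <input type="text" name="cardNumber">
  <input type="text" name="expiry">
  <input type="submit" value="Pay">
</form>
<form action="https://shop.example/search" method="get">
  <input type="text" name="q">
</form>
<form action="http://shop.example/legacy/pay" method="post">
  <input type="text" name="ccNumber">
</form>
"""

if __name__ == "__main__":
    for prev, cur in scheme_downgrades(SAMPLE_CHAIN):
        print(f"downgrade: {prev} -> {cur}")
    for action in insecure_sensitive_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"sensitive form posts over plain HTTP: {action}")
```

Relative form actions are the trap here: an action of /checkout/retry is safe on an HTTPS page and unencrypted on an HTTP one, so the scan has to know the URL of the page it is reading, not just the markup. On the server side the fix is to send validation failures back to an absolute https:// URL; today HSTS would additionally make the browser refuse to load the plain-HTTP page at all.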