HTTPS & Website Security
Learn why the padlock icon is not proof of safety.
What You'll Learn
- Inspect a website's TLS certificate to verify the issuing authority and domain match
- Recognize the difference between an encrypted connection and a trustworthy website
- Identify expired, self-signed, and mismatched certificates through browser warning indicators
- Make correct decisions when browsers display certificate warning interstitial pages
- Understand why the presence of a padlock icon alone is insufficient proof of website legitimacy
Training Steps
- Working from a Coffee Shop
It's Thursday afternoon at Meridian Financial Group. You are Alice, a client services specialist. Your home internet has been down since this morning, and you need to complete an urgent payroll task before end of day. You've headed to a nearby coffee shop and connected to their free WiFi network - 'CafeConnect Free WiFi' - an open network with no password required.
- Email from HR
A new email arrives from the HR department about the annual direct deposit verification.
- Navigating to the Payroll Portal
Alice clicks the link in the HR email to open the payroll portal. She's done this before - it's a routine annual task. Unknown to Alice, an attacker on the same coffee shop WiFi network is running an SSL strip attack. The attacker intercepted Alice's request and silently downgraded the connection from HTTPS to HTTP. The page loads normally, but without encryption.
- Logging In
The payroll portal looks exactly as Alice remembers - the Meridian logo, the familiar blue color scheme, the standard login form. She enters her work credentials without hesitation. Alice doesn't notice that her password manager didn't offer to autofill - the portal URL doesn't match any saved entry.
- Confirming Bank Details
After logging in, the portal asks Alice to confirm her bank account details for direct deposit. The form requests her routing number and account number - standard information for the annual verification.
- Accessing Another System
Before heading home, Alice decides to quickly check the internal project dashboard to review tomorrow's schedule.
- Heeding the Warning
Instead of the dashboard, Alice sees a stark warning: 'Your connection is not private.' She's not sure what caused it, but the warning looks serious. The certificate warning appeared because the MITM attacker tried to intercept this HTTPS connection too, but the browser detected the invalid certificate and blocked the page. Alice decides not to proceed.
- Bank Fraud Alert
Two days later, Alice sits down at her desk to start the day. An urgent email from her bank is waiting in her inbox.
- IT Security Alert
Before Alice can even process the bank fraud alert, another email arrives - this time from Meridian's IT Security team.
- Connecting the Dots
Alice's stomach drops. The unauthorized bank withdrawal. The suspicious login from Ukraine. Both happened right after she used the coffee shop WiFi two days ago. She reads the IT Security alert again, this time with growing dread.