Univerzita Tomáše Bati ve Zlíně


Chapter 3 – Using websites safely

Websites are used for many activities. It is important to know where they are located and that they are accessed using a web browser. We need to enter the address of the website correctly in the address bar of the web browser in order to communicate with the website we really want to communicate with.

1. Introduction

People use websites for many activities, such as reading news and blogs, communicating with friends, viewing images and videos, and of course for work. The content we see is stored on web servers in many places around the world. The content is accessed through a special application called a web browser, which displays the content at the address you type in the address bar.

Entering the address correctly is important, but it is not enough for us to communicate securely. We also do not want anyone to be able to intercept, read or even modify the communication, so we need to encrypt the data being sent. We also need to verify that we are actually communicating in encrypted form with the person we want to communicate with. Certificates are used for this purpose, where a certification authority confirms that a particular certificate belongs to a particular website or even a particular organisation.

2. Using the web

Nowadays, if you want to use email, watch videos, listen to music, send large files or use internet banking, you do not need a separate application for each activity, but you can do almost everything in a web browser, which is often pre-installed in the operating system (Internet Explorer, Edge, Google Chrome, Opera, Mozilla Firefox, Safari and others).

To use web applications, all you need to know is the Internet address and, of course, a network connection (intranet, Internet). After entering the address in the address bar and loading the page (website), the web application starts.

Often you will need to log in (authenticate), i.e. enter a name and password or prove your identity in some other way (see the chapter Who I am and what I am allowed to do).

3. What is the web

The web is made up of a number of web servers spread all over the world. A web server is a powerful computer, and each such computer always provides some data content. Some contain timetables, others the internet banking of a particular bank, news archives, TV programme archives, etc. The person requesting the data needs to know the address of the server providing the data. He/She must also be able to request and receive the data. The program that allows you to connect to and communicate with the server is generally called a client. The client sends a request to the server and waits for a response. In the case of the web, the client is a web browser and the response from the server is a web page.
The web is so large that many people have to manage the content and behaviour of websites. Different people have different responsibilities, so the quality of websites and their content varies. You can read about how to approach the credibility of information on the web in the chapter Information and the Internet.

But now let’s focus on how to find out which website we are currently on, or where a link we have received will take us. Each web server is assigned a unique domain name, which can be used to clearly distinguish it from others. As a rule, you can also specify what you want from the server by entering the appropriate parameters after the address in the web browser’s address bar. These parameters are usually generated automatically by the web application and do not need to be edited in any way, it is only necessary to understand their presence and meaning.

4. What is a web address (URL)

A web address is a precise identifier of what a web browser is supposed to display. You may also come across the term URL (Uniform Resource Locator).

A web address is made up of several parts:

protocol://domain_name/location_on_server?parameters#anchor

A web browser has several different communication methods (so-called protocols) that it can use to communicate with web servers. A protocol is a short text in the URL that precedes a colon and two slashes. If you do not specify a protocol, the browser will choose one based on the server’s settings. We will discuss protocols in more detail later.

This is followed by the domain name of the web server, which is the most important information because it allows you to identify which server the data is being displayed from. To ensure uniqueness, domain names are assigned hierarchically (similar to IP addresses – see the chapter Anonymity on the Internet). Each domain name consists of several strings of text separated by a dot, for example, www.czu.cz. As with a regular postal address, the most general information is at the end (Jan Novák, Pražská 123, Prague). The last string in the domain name is the so-called top-level domain (TLD) and often corresponds to the country where the web server is physically located (.cz, .sk, etc.) or is intended to indicate the method of use (.info, .name, .com, etc.). The other strings are named in order from the end, i.e. czu.cz is a second-level domain, bezpecnost.czu.cz is a third-level domain, etc. Their interpretation depends on the policy of the administrator of the relevant TLD. For example, the Czech administrator CZ.NIC allows anyone to obtain a second-level domain, while in the United Kingdom only a third-level domain is available, depending on the applicant’s nature (the second-level domain is assigned, e.g. co.uk). As soon as an individual or organization obtains their domain, they can create additional subdomains themselves (e.g. the owner of czu.cz can create www.czu.cz, aktualne.czu.cz, etc.).

A web address can also contain multiple documents or web applications, which can be distinguished by the “location_on_server”. In a web address, this location is preceded by a slash and may not always be present.
The web address can also be used to pass certain parameters (for example, position on a map, pre-filled fields in a web form, etc.), which are preceded by a question mark and may not always be present.

The last part is the so-called anchor, preceded by a hash character. An anchor usually marks a place on long pages that do not fit on one screen, and tells the web browser which part of the page to display (how much to scroll).

The importance of a domain name

The accuracy of the domain name is important because if even one letter is confused, it will cause the web browser to go to a completely different web server. At best, the name in question will not exist, at worst it will be a fraudulent site trying to pass itself off as legitimate.

Example:

  • https://google.com
    • The correct Google address
  • https://goog1e.com
    • Number “one” instead of a lowercase “L”.
  • https://g00gle.com
    • A zero instead of an “o”.

Note that the individual domains, whether the top-level domain, the second-level domain, or subdomains, are separated by a dot. So the dot is the only correct separator, and any other character in place of the separator will take us to a web server we did not want to go to.

Example:

  • http://apple.com/iphone
    • Will take you to the apple.com server in the iphone directory.
  • http://apple.com-iphone.com
    • Will take you to the com-iphone.com server, where “apple” is only a subdomain that has nothing to do with Apple.
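As an added example (not part of the original chapter), the following Python splits a URL into the five parts described above and compares the server it actually leads to with the server you expected, flagging the look-alike and misleading-subdomain cases from the two lists. The HOMOGLYPHS table and the two-label simplification of the domain name are assumptions of the example.

```python
from urllib.parse import urlsplit

# Characters easily confused with letters (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def split_url(url):
    """Split a URL into protocol, domain name, location on server,
    parameters and anchor. If no protocol is given, assume http for
    parsing (the browser would pick one based on the server)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "domain": parts.hostname or "",
        "location": parts.path,
        "parameters": parts.query,
        "anchor": parts.fragment,
    }


def registered_domain(host):
    """Return the second-level domain (last two dot-separated labels).
    Simplification: ignores multi-label TLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, expected):
    """Compare the domain a URL really leads to with the expected
    second-level domain. Returns (verdict, actual_domain)."""
    host = split_url(url)["domain"]
    actual = registered_domain(host)
    if actual == expected:
        return ("ok", actual)
    # Map look-alike characters back to letters to catch goog1e / g00gle.
    normalised = "".join(HOMOGLYPHS.get(c, c) for c in actual)
    if normalised == expected:
        return ("lookalike", actual)
    # The expected brand appears only as a subdomain of another server,
    # e.g. apple.com-iphone.com really belongs to com-iphone.com.
    if expected.split(".")[0] in host:
        return ("misleading-subdomain", actual)
    return ("different", actual)


if __name__ == "__main__":
    for u in ("https://google.com", "https://goog1e.com", "https://g00gle.com"):
        print(u, check_url(u, "google.com"))
    for u in ("http://apple.com/iphone", "http://apple.com-iphone.com"):
        print(u, check_url(u, "apple.com"))
```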

URL shorteners

Often, a web address is long and difficult to remember, print or dictate, so address shorteners have been created and are available as a web service. An example is bitly.com, which replaces a long web address with a short alias.

Example:

  • Home page of the Information Technology Centre
    • https://www.utb.cz/cvt/about/
  • Shortened link using bitly.com
    • https://bit.ly/48VBaDh

Shorteners can also be used by attackers who want to hide the actual address from a potential victim. Before clicking on a shortened link, the real address to which the shortened link leads should be displayed, for example here: http://www.checkshorturl.com/

Protocols

The way in which a web browser and a web server communicate is called a protocol and is listed as the first item in the web address. The basic protocol is the Hypertext Transfer Protocol (HTTP), which is used to transfer hypertext HTML/XML documents and other files in general. Its disadvantage is that the data is transmitted in unencrypted form, i.e. it is readable throughout the transmission.

Since the web is distributed worldwide and the data flows through different computer networks, it can be seen or even altered along the way. That is why it is necessary to encrypt the data being transmitted.

Unencrypted communications are easy to intercept

For example, if you log on to an open public wireless network (a free wifi hotspot), the provider can insert advertisements into the pages you view. Airport Wi-Fi hotspots are notorious for this.

Encrypted communication is provided by the HTTPS (Hypertext Transfer Protocol Secure) protocol, which makes the communication readable (decryptable) only to the server and the given web browser. If confidential information, such as login details, is entered on a web page, it is always necessary to encrypt the communication, i.e. use the HTTPS protocol. The web browser also signals that HTTPS is being used, typically with a padlock icon in front of the URL.

5. Web certificates

Encryption alone is not enough. We still need to be sure that we are communicating securely with the right person/party because even a fake website can be encrypted, i.e. using the HTTPS protocol. In other words, we need to have some way of verifying that the encryption keys used (see the Encryption and electronic signature chapter) belong to our target server. This verification is provided by so-called web certificates, which are issued by Certificate Authorities (hereinafter referred to as CAs), which are trustworthy institutions.

The type of web certificate issued depends on how thoroughly the CA has verified the domain owner. The basic verification only checks that the applicant can influence the domain’s content; the CA does not verify the applicant’s identity. In this case, the CA issues what is known as a Domain Control Validation (DCV) certificate. This is the most common type of certificate. However, the CA can also verify the server’s owner, for example, by calling selected phone numbers, requesting a written statement, etc. It will issue an OV (Organization Validation) certificate for cursory verification or an EV (Extended Validation) certificate for thorough verification.

You might think you need to be an expert with years of experience to verify everything, but this is not the case. In fact, you only need to listen to your web browser and know what to watch out for. The web browser will do a lot of the work for you. Just enter the correct address of the website you want to view, and it will arrange the encryption keys, verify the certificate’s validity, encrypt the communication, and warn you if something is wrong. After clicking the padlock icon that indicates the communication is encrypted, you can view the certificate, which shows the expiration date, which CA issued it, and, in the case of OV and EV certificates, the owner’s identification.

When browsing websites, you may encounter a web browser warning that the certificate is invalid, usually because it has expired and the web administrator did not renew it in time. In order to say what is causing the warning message in a particular case, a more detailed understanding of the problem is required. In general, if a web browser reports a problem with a website’s certificate, you should not go to that site. The browser may also warn you that you are about to enter a password into a site that communicates unencrypted, i.e. over HTTP. If this happens, the site in question is likely to be fraudulent because, today, no reasonable administrator would run HTTP login pages.

6. Summary

In this chapter, we have learned that the web comprises many separate servers and that a web browser is used to view it. We also know that a web address (URL) determines what content the browser displays, and that the first part of the URL tells you which web server you are actually on, allowing you to spot a fraudulent web address.

We also know that important information (such as login details) needs to be encrypted. Our web browser tells us that a website is using encrypted communications – usually by displaying a padlock icon and/or the HTTPS protocol in front of the website address. To verify that we are communicating with the correct party, web certificates are used, which may involve different levels of verification of the domain owner.

In any case, a web browser is capable of handling almost all the activities needed to browse a website safely, and it will alert you if something looks suspicious or if it does not know what to do. So listen to your browser, it will help you.
