
Question: What does the padlock icon tell you?

Your site addressed http versus https, but I'm still a little nervous about something. When I go to my bank's site for example, I immediately see https in the URL window (& get a little locked padlock image on my browser frame), but they still ask me to log in with a user ID and a password. That is what I'm used to with sites asking for my financial information to place an order.

However, a yarn site I am interested in ordering from (***), while having the https appearing in the address and asking for me to create an account with a password, does not trigger that little padlock icon on my browser frame. They have some security company related links on their site making it appear as if they are taking security measures, but having worked at a large insurance company and having seen viruses make their way across monumental security efforts and proliferate in that network, I'm still nervous about doing business on-line at a personal level.

I sent an email query about this and received the following response:

"Hi Beverly,

Our site is very secure. I put a lot of effort into making sure and I am audited by my merchant bank and an independent agency (***) to insure security. Both my internet connections (broadband and router) and my site (***) are scrutinized. If you see "https://" in your browser address bar, the page (site) is secure. The "lock" icon on the page is window dressing. It is the address bar that tells the true story.

Thank you,
John"

Why doesn't their site trigger the icon and would you say that it is still reasonably safe to do business with an https site that doesn't trigger the icon?

Beverly

Answer

You have a good eye and a good instinct, Beverly. You're right; this site doesn't behave exactly as you expect most secure websites to behave.

And unfortunately, John's comment that the lock is just window dressing is not 100% accurate.

On my web browser (Firefox) the padlock icon does appear, but it has a warning message attached to it. What is the warning? The warning is that even though the page itself is on a secure server, it draws resources from non-secure servers: "Parts of the page you are viewing were not encrypted before being transmitted over the internet. Information sent over the internet without encryption can be seen by other people while it is in transit." What sorts of resources might those be? Well, the most likely culprit is image files that exist elsewhere, in non-secure locations, and are called up as components of this secure page.

What does that mean? It means that when you are loading up that page, it's possible for people to "eavesdrop" on some (but not all) of the content being loaded.

Is it going to cause problems? Mmm...probably not. It doesn't mean that your financial information is unsecure. But, honestly, the fact that they haven't bothered to secure all of the content on that page would make me think very long and hard about giving them my credit card information, and I would choose against. But of course, you need to make your own choice on that matter.

Hope that is helpful!

Doug
