Afterword

ThimphuTech was the first technology blog in Bhutan. We started writing it in 2009, just as broadband and mobile internet started to take off. (Although internet in Bhutan was launched in 1999, it was either super-slow or super-expensive, and was used only by a select few.)

In the blog, we wrote about technology and food, but also about plenty of other stuff. The blog became popular and influential in Bhutan. A companion bi-weekly column -- Ask Boaz -- was published for many years in the Kuensel, Bhutan's national newspaper. (The complete Kuensel columns are available as an ebook, Blogging with Dragons.)

We stopped updating the blog when we left Bhutan in 2014, but the information within the posts can still prove useful, and thus we decided to keep it online.

We thank all our readers.
Tashi Delek,
Boaz & Galit.

Saturday, June 2, 2012

Secure Surfing (K2 #38)

Question of the Week 
My father has a DrukNet email account. Whenever he signs in to read his email (https://webmail.druknet.bt), Firefox displays a warning message stating that the site cannot be trusted. Please help.
-- Barun Kumar

Answer
Barun,

First, a short introduction to secure Internet surfing!

When you surf the Internet, your browser uses a communications protocol to connect to the web server. The most common protocol is HTTP. To connect to a web page using HTTP, you type http:// at the start of the web address. For example, to connect to the RMA’s website, you type http://www.rma.org.bt. With most browsers today, you don’t need to type the http:// part - it is prepended automatically.

The problem with HTTP is that it is not secure. Information sent between your computer and the server is not encrypted. Hackers can eavesdrop on the connection and see exactly what you are doing. This is a concern especially when you surf wirelessly at Internet cafes. Of course, if you just surf RMA’s website to get the latest rupee crunch circulars then this is not too troubling. But imagine that you log into your email, or your bank account... And it can get worse: HTTP cannot guarantee that you are indeed connected to the server you wanted.

That is where another protocol - HTTP Secure, or HTTPS - comes into play. HTTPS solves the above two issues. First, it encrypts the information, so that bad guys who eavesdrop on your connection cannot understand what is sent and received. Second, HTTPS can verify the identity of the server you are connected to using a certificate that is bought from a third-party certificate authority.

Back to our question. Indeed, when going to https://webmail.druknet.bt, the Firefox browser shouts “This Connection is Untrusted”. Other browsers display similar warnings. Firefox cannot verify that you are indeed connected to DrukNet’s server. Why? Most likely DrukNet did not buy a certificate from a certificate authority, but rather created its own (something that anyone can do). Unfortunately your father doesn’t have a choice - if he wants to read his DrukNet email, he’ll have to take the chance and proceed by clicking the “I Understand the Risks” button.

Using HTTPS

To use HTTPS, you need to type https:// before the web address. For example, to connect to Facebook using a secure connection, use https://www.facebook.com. In fact, you can ask Facebook to always use HTTPS by turning on the “Secure browsing” option: after logging into Facebook, go to Account Settings, then Security, then under Secure browsing click Edit and make sure that “Browse Facebook on a secure connection (https) when possible” is checked.

When you are using HTTPS, the browser will usually let you know. For example, Google Chrome will display a small green padlock just next to the web address. Click on the padlock for more information.
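
The difference between a certificate issued by a certificate authority and one a server created for itself, as described in the answer above, can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original column; it assumes openssl is installed, and the host name webmail.example.test and the "Demo Root CA" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: everything here is generated locally; all names are constructed.

# make_certs DIR: create a throwaway CA, a CA-signed server certificate and a
# self-signed server certificate for the same (made-up) host name.
make_certs() {
    d=$1; host="webmail.example.test"
    # The CA plays the role of an authority the browser already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server certificate obtained from the CA: a request, then the CA's signature.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/signed.key" -out "$d/signed.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/signed.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signed.crt" 2>/dev/null || return 1
    # Self-signed certificate: the server vouches for itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null || return 1
}

# is_trusted CERT CAFILE: succeeds only if CERT chains to a CA listed in CAFILE.
is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_self_issued CERT: succeeds if the issuer and subject names are identical.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# report CERT CAFILE: print one line summarising what a verifier would conclude.
report() {
    if is_trusted "$1" "$2"; then verdict="trusted"; else verdict="UNTRUSTED"; fi
    if is_self_issued "$1"; then kind="self-signed"; else kind="CA-issued"; fi
    echo "$(basename "$1"): $kind, $verdict"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_certs "$tmp" && report "$tmp/signed.crt" "$tmp/ca.crt" \
                      && report "$tmp/self.crt" "$tmp/ca.crt"
    rm -rf "$tmp"
}
demo
```

Both certificates name the same host and both encrypt traffic equally well; only the one that chains to a trusted authority lets the verifier confirm who is on the other end.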


Readers are encouraged to submit technology-related questions to boaz@thimphutech.com