Secure websites

In today’s digital age, farmers rely on technology and the internet for various aspects of their farming operations. From managing crop data, purchasing equipment and automating tasks, the digital landscape plays a significant role in farming culture. However, with the convenience of technology comes risks. Cybersecurity is essential for safeguarding your farm’s sensitive information, financial transactions and overall operations.

This educational topic will cover key concepts related to identifying security risks from websites specifically tailored for farmers. We’ll explore ways to identify secure websites, what is important when interacting with an insecure website and the tools available to help protect you from insecure websites. By understanding these essential website security aspects, farmers can navigate the online world with confidence and protect their livelihoods.

Objectives

By the end of this topic, you will be able to:

  • Understand the importance of https.
  • Identify secure websites.
  • Understand when it is important to use a secure website and when a secure website is not necessarily important.
  • Know the difference between an insecure website and an unsafe website.

What a secure website looks like

It’s not uncommon for farmers to surf the web from time to time, and doing so in a safe and secure manner is paramount to online security. Following the key points below will help protect your personal and farm-related information. However, before embarking on this journey, one key concept must be remembered.

A secure website does not mean that it can be trusted, just as an insecure website does not mean it is unsafe and can’t be trusted.

When we discuss secure websites, we are talking about the security of the data communicated through the website. Secure websites encrypt data, making it unreadable to eavesdroppers. This is important in cases such as sending your password and login details over the internet or completing transactions using credit cards. A secure website also encrypts other personal information, such as emails, name, device information, location data and other sensitive information, when you interact with a website.

Further, many websites, particularly social networks, search engines and ecommerce websites, track your behaviour and collect your data on their website and beyond. A secure website will ensure that this data is also encrypted. It is now common for websites to display a cookie consent banner, requesting permission to collect this data. If there is no cookie consent banner and you are unsure if you are being tracked, the website's privacy policy should outline whether they are collecting data and, if so, how your data is collected and used.

In short, secure websites encrypt data that you send to the website, including if they are tracking you. If you do not send data, then the risk of an insecure website is diminished. One such website that farmers may frequently encounter is bom.gov.au. The website of the Bureau of Meteorology is not a secure website, yet because you do not interact with the website and send it any information, you may consider it a safe and trusted website. So, what do you look for to identify secure websites?

Identifying secure websites

Look for https:// in the address bar:

HTTPS stands for Hypertext Transfer Protocol Secure. The “s” in https stands for secure. It basically means that the website is using a secure connection to encrypt and transmit data. Most modern websites use a secure connection, which means the data is protected, and it’s important to know how to identify a secure website.

On Edge and Firefox look at the website URL. A secure website will have https://. Insecure websites will have http://. Chrome users can look at the top left of the address bar and look for either a warning that says “Not secure” or 2 bars in a circle that when clicked will show the secure status of the website. However, some websites may have https:// and still transmit some insecure data. In these situations, modern browsers will alert you to an insecure website.

There is an important caveat to this section especially relevant to farmers. Many farmers will monitor bom.gov.au for weather forecasts, warnings, and weather radar information. The BOM does not support https:// secure connections, however, it does not collect user information or require you to engage with the website. Because you are not sending data to the BOM website, it can be considered safe.

HTTPS is located in the address bar, before the website's URL

Source: What Does the Padlock on Your Browser Really Mean? | by Pratyaksh Jain | Inheaden | Medium
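
The point above, that a website may have https:// and still transmit some insecure data, can be checked by looking at what a page loads and where its forms send your details. The Python code below is an added example, not part of the original material; the shop.example address and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch or send data, per tag.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}


class InsecureReferenceFinder(HTMLParser):
    """Collect references on a page that would travel over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, kind)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is None:
            return
        # Resolve relative and scheme-relative URLs against the page address.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "http":
            kind = "form-submits-in-clear" if tag == "form" else "insecure-resource"
            self.findings.append((tag, target, kind))


def find_insecure_references(page_url, html):
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page, served from a hypothetical https:// shop.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="http://cdn.example/tracker.js"></script>
</head><body>
  <img src="//images.example/tractor.jpg">
  <form action="http://shop.example/pay" method="post">
    <input name="card_number"><input type="submit">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_insecure_references(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind}: <{tag}> -> {url}")
```

On the sample page the script and the payment form are reported, while the stylesheet and image are not, because they resolve to https:// addresses.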

Example

You visit a website to purchase new farm equipment. Because you are making a purchase you are engaging and sending sensitive information over the internet. The URL begins with https:// indicating it is secure. This means that your payment details and personal information are encrypted, reducing the risk of theft. However, a secure website does not mean it is safe, and we will cover this a little later.

Check for a padlock icon

Look at the address bar and see if you can find a padlock. The presence of a padlock indicates that the website has a Secure Sockets Layer (SSL) certificate. An SSL certificate ensures that the data transmitted between you and the website is encrypted and secure. Clicking on the padlock will reveal information about the certificate, including its validity.

Example

You visit a supplier’s website to order stock feed. Before proceeding to place an order, you look for a padlock, which you notice. This means the website is secure, and your details will be encrypted.

Practical tips - Identifying if a website can be trusted

As mentioned above, a secure website does not mean that it can be trusted. Just as an insecure website doesn’t mean it can’t be trusted. Several factors must be considered before determining if a website can be trusted or not.

  1. Consider the website's reputation. Is the website well known and is it from a jurisdiction with strong privacy and consumer laws? Think of websites and apps that may be well known but originate from not very democratic countries.
  2. Is the website a trusted government website? Government websites from Australia and other typically democratic countries with strong privacy laws can usually be trusted.
  3. What is their track record on privacy protection? Do they sell or cover up privacy incidents? Do they have a history of poor data management or spreading malware? While this information isn’t always forthcoming, there are several tools available to help you make an informed decision. You can begin with a Google search of the website name and privacy and security incidents. You may encounter blog posts, government alerts and news articles about a specific website. You can also use Have I Been Pwned: Pwned websites, which will provide you with details of a security incident such as when it happened, how many accounts were impacted and the compromised data. While these tools offer you an advantage, they are not complete solutions and will require your best judgment and care.
  4. What are the social signals like? When we mention social signals, we are referring to reviews and public feedback. Are there public reviews for the website or app? Are the reviews on a trusted platform, such as Google? Are the reviews typically positive or negative? Be aware of 100% positive reviews as that may be a signal that feedback has been manipulated. Just think of how difficult it is to please 100% of people 100% of the time.
  5. Are there government warnings about the website? Government services such as the Australian Competition and Consumer Commission (ACCC) and the NSW Department of Fair Trading will often issue public alerts about significant websites that cannot be trusted. While it can be difficult to find these alerts, broadcasters, particularly public broadcasters such as the ABC and SBS, may report on these alerts through their websites and news broadcasts.

Less trustworthy methods of identifying the trustworthiness of a website are:

  • Trust seals: Some websites will display trust seals from security companies such as Norton and McAfee. Such seals may indicate that the website is secure and safe - however, because trust seals are often images, they are easy to fake! Some cybercriminals use fake seals to earn trust. Clicking on the seal should take you to the issuer’s website, however, these too can be faked. Security seals can be thought of as bank notes. The Royal Mint invests billions of dollars into security to safeguard our currency from being counterfeited, however, criminals still try, and often succeed in creating a convincing copy. Treat privacy seals as an indicator, but not a surety the website is safe and secure.
  • Website privacy policies: A legitimate website will have a privacy policy that explains how your data is collected, used, and protected. If a website does not have a privacy policy or it is vague, it may not be trustworthy. However, the inclusion of a privacy policy does not guarantee the site is trustworthy. Further, bad actors may include a privacy policy and have no intention of following it.

Case study

Temu is a popular online retailer available both over the web and through mobile applications. It has gained considerable momentum as a popular destination for cheap products shipped directly from China. However, although online reviews typically indicate that transactions through the platform and use of the service are safe, the history of its parent company raises privacy and security concerns for users.

In 2023, the parent company of Temu had an app, Pinduoduo, removed from the Google Play store due to concerns about malware. The malware in the Pinduoduo app exploited vulnerabilities in Android phones that allowed it to bypass privacy permissions, modify settings, read private messages, view data from other apps and prevent itself from being uninstalled. While the level of access the Temu app requires is not as aggressive as Pinduoduo, its relationship to the parent company has raised concerns among cybersecurity professionals.

With this knowledge, would you consider Temu a trusted website?

Read more: Temu accused of data risks amid TikTok, Pinduoduo fears (cnbc.com)

Additional tools for identifying unsafe websites

While it can be hard navigating the web safely and securely, there are tools at your disposal to help you make informed decisions about the legitimacy, security and safety of a website. However, while these tools can detect and block unsafe websites, they are not 100% accurate and may not detect websites that are untrustworthy.

Use website safety checkers

Tools such as Google Safe Browsing site status can help you check the reputation and safety of a website. The tools can alert you to known security issues or if the website has been flagged for malicious activity. Alerts such as this can arise from the use of http instead of https as well as malicious content on the website that can cause harm to your device. Internet Service Providers (ISPs), such as Big Pond, also include safe browsing as part of their service. It is best not to rely on your ISP to identify unsafe websites as not all ISPs offer this service.

Safety checkers can warn you of visiting a deceptive website.

Source: Google Online Security Blog: Enhanced Protection - The strongest level of Safe Browsing protection Google Chrome has to offer (googleblog.com)

Use virus detectors

Services such as Norton offer subscription-based software that can identify and block unsafe websites. These tools are particularly helpful when you encounter a website that contains malware or adware.

  • Example: Before visiting a new website to order a tractor part you get an alert from Google Safe Browsing. The alert indicates that the website is a security risk, and you should not proceed. If you have previously engaged with the website without any concern, it is possible the website has been compromised by cybercriminals who have installed malicious software on it.

Encountering the unexpected – hacked websites

It is possible that you may encounter a hacked website owned by a supplier you have been conducting business with for a long time. Many small businesses don’t have the resources, funds or knowledge to secure their websites from advanced cybercriminal activity. Occasionally, some business owners may be hacked, resulting in malicious code being installed on the website. When you visit the website, it may prompt you to install malicious software or divert you to another website. In situations such as this, it’s best to notify the website owner, who may already be aware. Additionally, many farms may operate websites themselves, and the risk of being hacked is a clear and present danger. If your website is hacked it is important to stay calm and notify your hosting company for support to repair the damage.

A man saying to robot "Press Allow to verify that you are not a robot"

Example

You regularly buy stock feed online from your local ag dealer who delivers once a week to your farm. However, today you visit their website to place another order and are redirected to another website with a robot asking you to confirm you are human. These human tests are common online, and you may be tempted to think the supplier has added a check to the website. Before proceeding with any click and potentially downloading a virus, check the URL to see if it matches the website you are visiting. Common human checkers for websites should include reCAPTCHA, Cloudflare or hCaptcha. If the page is asking you to “allow” or “confirm you are human” without branding from one of the above, it is likely a scam and the website may have been hacked.

Sending your data securely

As you learnt in earlier topics, having a strong and unique password is essential to securing data. However, when sending data online you also need to consider the role https plays in sending and receiving data. The key aspect from the topic is the s, which stands for “secure” in https. Modern farms that transmit data autonomously often depend on alternative methods of data transmission, and being aware of their security is paramount to securing your farm data.

When sending files, such as uploading a website or sending data between your device and the cloud or a server, many systems use File Transfer Protocol (FTP). Just as with http:// web connections, FTP is unsecured. Using either Secure File Transfer Protocol (SFTP) or File Transfer Protocol Secure (FTPS) will encrypt the data, securing it from potential cybercriminal activity. While there are a few differences between FTPS and SFTP, the main thing to ensure is that you connect using the correct protocol as described by the provider and use the “S” secure version.

Consider the following actions to improve your cybersecurity:
