-1

Someone just asked me:

How can I know whether a message or data is encrypted during a transaction on trading website?

I know most (maybe all) online trading sites uses encryption techniques but I couldn't find a way to check if my data is encrypted or not.

dan
  • 3,033
  • 14
  • 34
syed mohsin
  • 163
  • 3
  • 9
  • I think they're referring to HTTPS, i.e. HTTP over SSL/TLS. – Polynomial Jan 20 '14 at 12:04
  • I guess they may be referring to the padlock within the browser (here you can find a closely related question: http://security.stackexchange.com/questions/32632/does-the-padlock-on-my-browser-really-indicate-a-reasonable-assurance-against-ea ) – kiBytes Jan 20 '14 at 12:33
  • I wanted to point out that padlock is not always visible in the browser. Embedding a HTTPS website in a HTTP one using ` – d33tah Jan 21 '14 at 01:19

3 Answers3

6

Most modern web browsers give some kind of visual feedback when the current website is viewed via a secured connection, usually in form of a padlock icon or similar in the address bar. Clicking on that icon usually gives further information about the encryption algorithm used and about the cryptographic certificate of the website you are visiting.

Other, non web-browser applications which use the internet have different methods to inform the user about the encryption status of their connections, or lack such a feature.

But in general you can only rely on what the application tells you. When you are using a non open-source application and you want to know if it communicates encrypted or not, you can only use a traffic capturing tool like Wireshark and look at its network traffic. That way you can check if it communicates in clear-text or not. But even when you can't spot any clear-text in its traffic, you can't easily see how good the encryption really is (or if it is really encrypting at all and not just using a strange encoding). You can only find out through in-depth cryptoanalysis.

Philipp
  • 48,867
  • 8
  • 127
  • 157
1

You can know that your data is encrypted if your web browser displays correctly the complete URL of the web server you are connecting to. If this text URL does start with https:// then your connection toward this web server is using SSL.

But this isn't sufficient to ensure which cryptographic algorithm level was negociated then used within the SSL connection (cf. Philipp's answer).

The graphical icon representing a key or a padlock that many web browser display before the complete URL are gadgets. It is pretty easy to place something looking like a security flag in this place when your connection is in fact toward an http:// URL. Which means a clear text connection looking like an encrypted one: the "empty extinguisher" syndrom.

I advise all my users and friends not to trust any form of these graphical gadgets.

See also this fantastic answer Are address bars unphishable? from D.W..

Community
  • 1
dan
  • 3,033
  • 14
  • 34
0

You can check your data encryption by doing a packet capture using a network snifer utility and visulize those captured packets to see if you can read some information or not. If your data are encrypted you will not be abele to analyze them. For more information visit : How to verify if your VPN connection is encrypted.

Hope that can help.

Elias Missaoui
  • 1