Hands-On: Check a Site’s Security

These exercises teach you to read security signals that your browser shows you every day — signals most people ignore.


Exercise 1 — Inspect a Bank’s HTTPS Connection

Before You Start: Every HTTPS connection uses a certificate that identifies the server. Your browser checks this certificate every time you connect. This exercise shows you how to read what your browser already knows.

  1. Open Chrome or Firefox on your phone
  2. Go to https://sbi.co.in
  3. Look at the address bar — confirm the padlock icon is visible
  4. Tap the padlock icon (in Chrome, it may appear as a small lock or a circle with an “i”)
  5. In the popup, look for “Connection is secure” or similar wording
  6. Tap “Certificate” or “Certificate is valid” to open the certificate details
  7. Note the following:
    • Issued to: — what name appears here?
    • Issued by: — which Certificate Authority signed this?
    • Valid from / Valid until: — is the certificate currently valid?

What You’re Seeing

Your browser has verified that:

  • The server presented a certificate
  • The certificate was issued to sbi.co.in (the site you intended to visit)
  • The certificate was signed by a trusted Certificate Authority
  • The certificate has not expired

All of this happened automatically, before you loaded a single byte of the page. We will understand exactly how that verification works in Session 3.

The Padlock Doesn’t Mean Safe

A padlock means your connection to the site is encrypted. It does not mean the site itself is trustworthy. Phishing sites regularly use HTTPS — they can get free certificates from Let’s Encrypt. Always check the domain name in the address bar. sbi-update.online with a padlock is still a phishing site.

Discussion Prompt: What would happen if someone registered the domain sbi.co.in.customer-support.xyz and got an HTTPS certificate for it? Would the padlock appear? Would the average user notice?
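
To make the four checks in “What You’re Seeing” concrete, here is an added Python example (not part of this course material) that performs the same name, issuer and validity checks on a certificate in the layout Python’s ssl.getpeercert() returns. SAMPLE_CERT is a constructed stand-in, not the real sbi.co.in certificate; fetch_cert() is the only part that needs a network connection, and it leaves the chain-of-trust check to the operating system’s trust store.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout ssl.getpeercert() returns; NOT the real sbi.co.in certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "sbi.co.in"),),),
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example CA R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "sbi.co.in"), ("DNS", "*.sbi.co.in")),
}

def dns_names(cert: dict) -> list:
    """Names the certificate is 'issued to': the SAN list, or the CN if there is no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def hostname_matches(host: str, pattern: str) -> bool:
    """Exact match, or a wildcard that replaces only the whole leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                          # "*.sbi.co.in" -> ".sbi.co.in"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else None
    return bool(prefix) and "." not in prefix     # "www" ok, "a.b" and "" are not

def verify_like_browser(cert: dict, host: str, now: datetime) -> dict:
    """The facts the padlock popup summarises: issued to whom, by whom, and still inside its dates.
    (Chain-of-trust checking needs a trust store; fetch_cert() lets the OS store do that part.)"""
    t = now.timestamp()
    return {
        "issued_to": dns_names(cert),
        "name_matches": any(hostname_matches(host, n) for n in dns_names(cert)),
        "issued_by": ", ".join(v for rdn in cert["issuer"] for _, v in rdn),
        "currently_valid": ssl.cert_time_to_seconds(cert["notBefore"]) <= t
                           <= ssl.cert_time_to_seconds(cert["notAfter"]),
    }

def fetch_cert(host: str, port: int = 443) -> dict:
    """Live: the default context verifies chain and hostname, as the browser did before
    showing the padlock, and raises if either check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # The lookalike from the discussion prompt fails the name check even with a valid certificate.
    for h in ("sbi.co.in", "sbi.co.in.customer-support.xyz"):
        print(h, verify_like_browser(SAMPLE_CERT, h, datetime.now(timezone.utc)))
```

Replace SAMPLE_CERT with fetch_cert("sbi.co.in") to run the same checks on the certificate your own connection receives.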


Exercise 2 — Find a Site Without HTTPS

Before You Start: HTTP sites (without encryption) are less common than they used to be, but they still exist. Your browser has ways of warning you about them.

  1. Open your browser and try to visit http://info.cern.ch — this is the website of the first web server ever (hosted by CERN, the physics lab). It still runs on HTTP
  2. Look at the address bar — Chrome shows “Not secure” or a broken padlock; Firefox shows a lock with a line through it
  3. Now try visiting http://neverssl.com — a site specifically designed to always be HTTP (useful for testing)
  4. In Chrome, open the address bar and type http://google.com — watch it automatically redirect to https://google.com

What You’re Seeing

info.cern.ch and neverssl.com serve content over plain HTTP, so anyone on your network can see exactly what you are reading. The automatic switch from http://google.com to https://google.com is the work of HSTS (HTTP Strict Transport Security), a rule that tells your browser: “always use HTTPS for this domain, even if someone types http://”.

Deepa Asks

“If HTTP is insecure, why do some sites still use it?”

Some old or low-budget sites have not been updated. Getting an HTTPS certificate used to cost money and was complicated. Today, services like Let’s Encrypt provide free certificates automatically, so there is almost no excuse — but legacy sites remain.

Discussion Prompt: If you are connected to public Wi-Fi at a café and you visit an HTTP site, what can the café owner potentially see?
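
As an added example (not from the course), the Python below models the HSTS rule a browser remembers after a site sends the Strict-Transport-Security header, and shows which typed http:// URLs it then upgrades; the header value is constructed, and the browser’s built-in preload list and explicit ports are left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed header in the shape a server sends it (not captured from google.com).
SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"

@dataclass
class HstsEntry:
    expires: float            # epoch seconds after which the browser forgets the rule
    include_subdomains: bool

def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse Strict-Transport-Security; None means malformed, which a browser ignores."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsEntry(now + max_age, include_sub)

class HstsCache:
    """The browser's remembered HSTS hosts (the built-in preload list is not modelled)."""
    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def remember(self, host: str, header: str, now: float, over_https: bool = True) -> None:
        # RFC 6797: the header only counts when received over a valid HTTPS connection.
        entry = parse_hsts(header, now)
        if not over_https or entry is None:
            return
        if entry.expires <= now:              # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = entry

    def rewrite(self, url: str, now: float) -> str:
        """Return the URL the browser will actually request (explicit ports not handled)."""
        if not url.lower().startswith("http://"):
            return url
        labels = url[7:].split("/", 1)[0].lower().split(".")
        for i in range(len(labels)):          # the host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return "https://" + url[7:]
        return url
```

A host that has never sent the header (neverssl.com in Exercise 2) is left on http://, which is why the “Not secure” warning appears there but not on google.com.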


Exercise 3 — Test a Site’s TLS Quality

Before You Start: Not all HTTPS connections are equally secure. The SSL Labs test tool checks exactly what encryption settings a server uses and gives it a grade.

  1. Open your browser and go to ssllabs.com/ssltest
  2. In the hostname field, type sbi.co.in and tap Submit
  3. Wait for the test to complete (it takes about 60–90 seconds)
  4. Read the grade — A, A+, B, C, etc.
  5. Scroll down to see:
    • Certificate section — who issued it, expiry date
    • Protocol Support — which TLS versions are supported
    • Cipher Strength — what encryption algorithms are offered
  6. Now run the test on badssl.com — it will show a failing grade to demonstrate what a poorly configured server looks like

What You’re Seeing

SSL Labs rates servers based on their TLS configuration. An A+ means the server uses only modern, strong encryption settings and has set up additional security features like HSTS. A lower grade means the server supports older, weaker encryption that an attacker could potentially exploit.

Rohan Goes Deeper

Look for “Protocol Support” in the SSL Labs results. A server that still supports TLS 1.0 or TLS 1.1 gets penalised — these older versions have known vulnerabilities. A well-configured modern server should support only TLS 1.2 and TLS 1.3.

Discussion Prompt: If a bank’s site gets a B grade on SSL Labs, is that acceptable? What does it mean for users?
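
The following added Python script (not the SSL Labs tool and not course code) performs the Protocol Support part of the test from the command line, offering a server one TLS version at a time and then applying Rohan’s rule; probe() needs network access and takes the host from the command line (run it against a server you administer), while assess() works on any result dictionary.

```python
import socket
import ssl
import sys
from typing import Dict, List, Tuple

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def supports_version(host: str, version: ssl.TLSVersion, port: int = 443) -> bool:
    """Live probe: attempt a handshake in which exactly one protocol version is allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is under test, so certificate checks are off for the probe;
    # a real client must never do this.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax it for the probe only.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError, OSError):
        return False            # refused, timed out, or this version not built into OpenSSL

def probe(host: str) -> Dict[str, bool]:
    """Map each TLS version to whether the server accepted it (needs network access)."""
    return {name: supports_version(host, v) for name, v in VERSIONS.items()}

def assess(supported: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Rule from the text: a well-configured server offers only TLS 1.2 and TLS 1.3."""
    problems = [f"{old} still enabled" for old in ("TLS 1.0", "TLS 1.1") if supported.get(old)]
    if not (supported.get("TLS 1.2") or supported.get("TLS 1.3")):
        problems.append("no modern TLS version offered")
    return (not problems, problems)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python tls_versions.py <hostname>")
    result = probe(sys.argv[1])
    for name, ok in result.items():
        print(f"{name}: {'supported' if ok else 'not supported'}")
    verdict, problems = assess(result)
    print("OK: only modern versions offered" if verdict else "Problems: " + "; ".join(problems))
```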


Tying It Together

You now know how to read the security signals your browser shows every time you connect to a website:

  • The padlock = encrypted connection to this server
  • The domain name = the actual site you are on (check it carefully)
  • The certificate details = who vouches for this server’s identity
  • SSL Labs grade = how well the server is configured

These are not abstract concepts — they are tools professionals use every day. Sunita didi checks exactly these things when a customer calls her saying a site “looks suspicious.”

In Session 3, we go deeper into the certificate system — who issues them, how they are verified, and what happens when the system is abused.