
As you browse the web these days, it's quite common to find sites that will help you post content to various blogging/social networking/aggregation services. One that you may encounter is a service called AddThis, which lets site owners add a single button that allows posting/linking all over the place.
I was going to try to use this service to post an article to my blog, and when I clicked the AddThis button and selected Blogger as my target, I was given the screen shown here. You'll see that it wants me to log into my Blogger account so that AddThis can create a new post with the article that I was reading. Sounds good so far.
What bothered me, though, was the reassurance that AddThis is providing regarding information safety: "Absolutely. This page is secure (HTTPS)". They reinforce this message by prominently showing a picture of a shield on the screen below the sign-in button, again to show how secure the site is. However, if you take a look at the URL, AddThis is definitely NOT using an HTTPS connection. And according to the browser's status bar, there is no lock icon indicating the use of HTTPS/SSL.
So basically AddThis is just lying. They figure they can just tell you that the page is secure, show you a picture of a shield, and users will gladly enter their private user information.
This post is not intended to bash AddThis (although my confidence in their service is lacking right now) but as a warning to pay attention to site security. All major browsers include a lock icon somewhere in the status bar that indicates if you are on a secure connection. It's also very easy to look at the site URL and verify that you are, in fact, visiting a secure site with an https:// URL instead of http://.
So practice safe surfing, and just because you see a picture of a shield, don't assume you're actually on a secure site.
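The check described above, written as an added example that is not part of the original post: it flags a sign-in form whose page or submit target is not HTTPS, and notes when the page text claims otherwise. The function name, the claim patterns, the host name and the sample markup are constructed for illustration.

```javascript
// Audit a sign-in page by its URL scheme, not by the wording or shield image
// on the page. All names and sample data here are constructed.

// Words a page might use to assert security without proving it (assumed list).
const CLAIM_RE = /\b(secure|https|encrypted|ssl)\b/i;

// Constructed sample: reassuring text plus a password form with a relative action.
const SAMPLE_HTML = `
<p>Is my information safe? Absolutely. This page is secure (HTTPS).</p>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>`;

function auditLoginPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const pageIsHttps = page.protocol === "https:";
  const findings = [];

  // Crude form extraction, adequate for the constructed sample above.
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Only forms that collect a password are of interest.
    if (!/<input\b[^>]*type\s*=\s*["']?password/i.test(body)) continue;

    // A missing or relative action inherits the scheme of the page itself.
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const target = new URL(actionMatch ? actionMatch[1] : "", page);

    if (!pageIsHttps) {
      findings.push(`password form served over ${page.protocol}//`);
    }
    if (target.protocol !== "https:") {
      findings.push(`credentials submitted to ${target.origin} without TLS`);
    }
  }

  // The situation in the post: on-page reassurance that the URL contradicts.
  const text = html.replace(/<[^>]+>/g, " ");
  if (findings.length > 0 && CLAIM_RE.test(text)) {
    findings.push("page text claims to be secure but the connection is not");
  }
  return findings;
}
```

Calling `auditLoginPage("http://bookmark.example.test/signin", SAMPLE_HTML)` returns three findings; the same markup served from an `https://` URL returns none.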
3 comments:
Hey Evan, it's Justin Thorp. I'm the Community Manager for AddThis. Thanks so much for letting us know about this bug. We really appreciate it. We're so sorry about this. If you have any questions, feel free to drop me a line - justin@addthis.com
Hey Evan, thanks again for letting us know about this bug. We just fixed it. Can you try posting something to Blogger and e-mail me verifying that it works? - justin@addthis.com
Thanks Justin - I just verified that the AddThis to Blogger screen now properly uses a secure connection.