Tuesday, March 2, 2010

Technical Issues: Scary Browser Warnings When Accessing Databases

All internet browsers are increasingly conscious of security challenges these days. They want to warn people who use their software of any possible scams like phishing schemes (wherein a crook tries to steal sensitive information from you by creating a fake website that pretends to be a legitimate one). But in an attempt to protect internet users from cyber-thieves, browser developers have ended up frightening nice, unsuspecting library users who only want to do a bit of online research!

How? Well, many security warnings are based on the browser spotting a mismatch of a known URL (web address) or a website's recognized secure (SSL) certificate. This looks like a evil phishing masquerade to the browser software, but--in the case of library databases--is completely innocent. Libraries authenticate users by sending them through a proxy server. A proxy server redirects the user, verifying their bona fides (when they not at a campus IP) before sending them into the database. To do this, the shortcut/link is altered.

As an example, the base URL for Ebsco's Academic Search Complete is http://search.ebscohost.com/login.aspx?authtype=ip,uid&profile=asp

but if you write this for our proxy server, it looks like http://0-search.ebscohost.com.library.law.suffolk.edu/login.aspx?authtype=ip,uid&profile=asp

There are extra bits to the address. In other words, there is a mismatch. This causes warning triggers in some browsers in some situations. We at Sawyer Library see this problem most often with Firefox.

What sometimes happens is that you click on a link at our Library database lists or other resource links and all of a sudden you get a scary screen:

Understandably, when a browser offers a button that says "Get Me Out of Here!" many people are going to click it. But in the case of using our library links to get to a database, this is not the right choice. (Not if you really want to do some research!) Instead, look for the bottom option on the error message that reads "I Understand the Risks"

When you click that option, the area expands underneath the statement. It says that if "you understand what's going on," you can add an exception that gives the browser permission to make the connection. See below:

The thing to do is to click the button to add an exception for connecting to the database. This brings up yet another scary screen. The URL is indicated, and the option at the bottom is to "Confirm Security Exception."

Click that button, making sure that the little box is clicked that says "Permanently Store This Exception." (That will keep you from having to go through this procedure again for this database.)

Since most libraries use proxy servers, other libraries have experienced similar issues. For example, to see this page from Bowling Green State University's Librarie. And here's a support blog entry from Firefox on the "This Connection is Untrusted" error that has a bit more information on this message.

To state the obvious, there are times when you do not want to go to an untrusted site--like when you receive an email purporting to be from your bank, and it instructs you to verify your password! But the Sawyer Library links to our databases can be trusted. Do not fear! Confirm the exception. Login in with your name and Suffolk ID if you are off-campus. And Happy Research!

No comments: