Certificates provide authentication for a website and enable encryption between you and the website you’re visiting.

While this works well, there are times when an attacker can view your data by getting a custom root certificate installed on the device they are attacking. Such a certificate can be used to intercept, read, and modify sensitive information, even if the website is using HTTPS. These attacks compromise sensitive information and can lead to account takeover.

Sounds scary, right? Fortunately, the countermeasure for this is known as “certificate pinning”. With this method the application is built to expect a specific certificate (or the public key it carries) whenever it makes a secure connection to your website. If a malicious actor presents a different certificate from the “pinned” one, the connection is aborted and no sensitive information can be retrieved.


Implementing certificate pinning substantially reduces the risk of so-called 'man in the middle' attacks: the attacker's certificate will not match the one the application has pinned, so the connection fails and the traffic cannot be captured.
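As an added illustration (not code from the original article), this is how a client applies a pin with Go's crypto/tls: it hashes the SubjectPublicKeyInfo of the server's certificate, compares that hash with a set of pinned values after ordinary chain validation has passed, and fails the handshake on a mismatch. The host name example.test and the self-signed fixture certificate are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: it pins the key, so the certificate can be renewed.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinCheck is a VerifyPeerCertificate callback; crypto/tls runs it only after ordinary chain validation passed, so a chain ending at a root an attacker installed on the device is still rejected unless one of its certificates carries a pinned key.
func pinCheck(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, c := range chain {
				if pins[spkiPin(c)] {
					return nil
				}
			}
		}
		return errors.New("certificate pinning failure: no pinned key in the verified chain")
	}
}

// clientConfig wires the check into a TLS client; keep a backup pin (the next key) in the set, or a routine key rotation locks every client out.
func clientConfig(host string, pins map[string]bool) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12, VerifyPeerCertificate: pinCheck(pins)}
}

// mustSelfSignedCert is a constructed fixture standing in for a server certificate (hypothetical host).
func mustSelfSignedCert(host string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}
```

With a real deployment the pin set is shipped inside the application, and chain validation against the system roots still runs first; the pin only narrows which validated chains are accepted.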

Another vector used for obtaining sensitive information is connecting to a public network (e.g. in coffee shops or restaurants). A malicious actor may attempt to trick the user into installing a profile on their device in order to access the free Wi-Fi. Once installed, the profile adds a malicious certificate to the device, subsequently allowing all the information sent while using that specific Wi-Fi access point to be captured.

Regardless of how urgently internet access is required, take care when browsing on a public access point or connecting to a new network for the first time.

If in doubt, tether to a mobile device or talk to a member of staff to verify the network is authentic.