Is this Website secure?
Basically, there are certain security features on a website that distinguish a trustworthy from a dangerous website. We recommend that you always follow the security tips below before entering your personal Uni-Account data on the new SSO login page of the TU Dortmund University. We would now like to take a closer look at this in the following screenshot based on the new design of the central login page:
Re 1 - Verification of the encryption and the certificate chain
Always check the security status of websites where you enter personal data. Please make sure that the web address begins with "https". In addition to the https, a lock symbol is usually an indication of secure pages that transmit data in encrypted form. Our web certificates for secure communication are issued by the "Verein zur Förderung eines Deutschen Forschungsnetzes" (DFN-Verein) or by the "GEANT Vereniging" (Internet Interconnection Network of European Research). However, even web certificates are not immune to forgery, so it is advisable here to investigate the trustworthiness of the website more closely by checking the certificate chain. Clicking on the lock icon provides initial details about the verification form.
In addition, there is the aspect that web addresses with representation-like special characters (for example https://www.tu-dortmυnd.de) can also be provided with a lock symbol (via Let's Encrypt), so that web addresses can ultimately only be identified via certificate chain.
Instructions on how to do this in the web browser of your choice are provided by the SIC on the following page:
Some browsers, such as Firefox, check the validity of the certificate against the certificate hierarchy and return a corresponding message ("Verified by ....").
Please take the time to familiarize yourself with the information and documents provided here. For further information on security through certificates, please refer to the Web pages on encryption and certificates of the German Federal Office for Information Security (BSI).
Re 2 - Checking the web address (URL)
Pay attention to the "Who section" within the URL before entering confidential data such as the password. You can learn how to recognize dangerous links faster on the page What is Phishing (“Detect dangerous links”).
Bookmark or favorite websites that you visit regularly in your browser. Do not enter confidential data on websites that you have reached via a link in an e-mail or a PDF.
Re 3 - Storing personal LogIn data
Storing personal access data in websites or in browsers basically involves the risk that this data could be extracted relatively easily by malware and thus misused by an attacker.
In this respect, the special requirements of the BSI for the integrated password management of a browser must always be observed before it is used in practice. As a minimum level of protection, it must be ensured, among other things, that the passwords stored in the password manager can only be accessed after entering a master password. The other minimum requirements placed on a web browser and a password manager can be read with pleasure in the BSI Basic Protection Compendium on the subject of "Web browsers (APP.1.2)".
On the other hand, the SIC of the ITMC points out the sensible use of the password manager KeePassXC, which includes browser integration out-of-the-box and favors the following scenario: If a user stores his or her personal password for the TU Dortmund University SSO login page in it, he or she has the certainty that it is a trusted page that has already been visited, if the stored credentials are presented when the same web page is visited again. If this does not happen, this is an indication that the visited page is not the known addressed page.
Re 4 - Pay attention to the password quality
When creating a password for the UniAccount, pay special attention to a good password quality, because with an unlocked UniAccount several and sensitive services can be used. The password length and complexity are particularly important for this:
- Passwords should be as long as possible and difficult to guess. This means strong passwords contain at least 8, better 12 characters and are composed of lowercase, uppercase letters, numbers and special characters. The longer and more complex a password is, the more difficult it is to decipher.
- Do not use words from the dictionary
- Do not use uniform passwords for multiple services.
- In case of any suspicion of password theft, change your password immediately. Likewise, in cases of doubt that your PC might be infected.