Security News HTTPS: why the green padlock is not enough

LASER_oneXM · May 9, 2018

When goods get sold in large quantities, the price goes down. This might not be the first law of economics, but it’s applicable. An extrapolation of this is that if there are practically no production costs and no raw materials involved, prices of such goods will drop to zero. Usually, they will be offered as free gifts to promote the sale of other, more costly goods.

Something like this has happened to SSL certificates. They are offered for free with web hosting packages by several companies, including those that don’t do a thorough check into the identity of the buyer. Better said: They couldn’t care less who buys the package as long as they pay the bills.

So, while users can now expect to see the green padlock on every site, especially the ones where they make financial transactions, the trust that we can put into the underlying certificates is going down.

Definitions

To clarify what we are talking about, let’s have a look at the definitions of the protocols we are about to discuss.

Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer protocol (HTTP) that adds a layer of security on the data in transit through a secure socket layer (SSL) or transport layer security (TLS) protocol connection.
Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the Internet.
Transport Layer Security (TLS) replaced SSL when it was deprecated, but TLS is backwards-compatible with SSL 3.0.

So, basically TLS is a computer networking protocol that provides privacy and data integrity between two communicating applications. It’s used for web browsers and other applications that require data to be securely exchanged over a network.

The green padlock

So, where does the green padlock come into play? The green padlock simply means that traffic to and from the website is encrypted. A certificate, provided by a certificate provider (Certificate Authority or CA), is used to set up this encryption. Sounds good, right? But the only thing you can actually be sure of when you see such a padlock is that your computer is connected to the site that you see in the address bar.

It is easy to see, from the browser address bar alone, that we are not connected to paypal.com. And in the additional information, we can see that the phishers used a free certificate from the CA Let’s Encrypt.
I do realize that in this example it was easy to see the wrong address in the browser’s address bar, but typosquatted domains can be a lot harder to spot, as they purposely use domain names that look similar to the legitimate site. PayPal has registered many such typosquatted domains to protect their customers.

So, we’ve established that the green padlock alone is not enough. In fact, over a million new phishing sites surface every month. Given how many new sites—not just phishing sites—are created every day, and knowing that hosting deals include free certificates and are cheap as dirt, we can easily assume that hosting providers do not have the resources to check each and every new site. Even if they did perform these checks, who is going to check whether the site does not get changed once it has gone live?

So, since the visitor is the one facing the consequences of entering his credentials on a phishing site, it looks like the ball is in his court.

HarborFront · May 9, 2018

So, do you have any proposals to protect the user?

Hamxa · May 9, 2018

HarborFront said:
So, do you have any proposals to protect the user?

Don't be a happy clicker & bookmark your Financial URLs or all login pages.

shmu26 · May 9, 2018

Using a password manager also helps. If your password manager doesn't recognize a site that you have used before with a password, it is a sign that you might have been directed to the wrong site.

HarborFront · May 10, 2018

I thought Chrome browser by default already addressed this issue and FF Quantum has an extension to handle this, see below?

IDN Safe – Add-ons for Firefox

tim one · May 10, 2018

Exactly, the presence of a certificate and a green padlock only indicates that the data transmitted between the user and the site are encrypted and the certificate has been issued by a trusted certification authority. But it doesn't prevent that it may be a malicious site ( phishing ).

You can mitigate the danger not typing username, password, banking credentials, and any other personal information unless you are completely sure of its authenticity. In this regard, always check the domain name (and with a lot of attention, sometimes the difference between a real name and a false one is really minimal).
Always ask yourself if a website could be suspicious.
Of course, a good security plan is essential.

shmu26 · May 10, 2018

Good browsers sometimes block you from entering info, if they detect a problem.
A few days ago, I was blocked on both Chrome and Edge from entering info for a purchase from a well-known shopping site with a green padlock. I checked the address carefully, and it looked legit. I honestly don't know what the problem was.
I did not try with other browsers.

Weebarra · May 10, 2018

For me (who doesn't know much) this is worrying as i thought that by checking the padlock and then the certificate validity that everything was good, now i have to do more work. I don't keep my banking log ins on a password manager as i don't have full faith in storing them there, i suppose i will have to be even more vigilant.

shmu26 · May 10, 2018

Weebarra said:
For me (who doesn't know much) this is worrying as i thought that by checking the padlock and then the certificate validity that everything was good, now i have to do more work. I don't keep my banking log ins on a password manager as i don't have full faith in storing them there, i suppose i will have to be even more vigilant.

You can bookmark your banks etc, that way you know you are going back to the same trusted site.

upnorth · May 10, 2018

Weebarra said:
this is worrying as i thought that by checking the padlock and then the certificate validity that everything was good

Check the post below if you like as it covers a bit of the certificate issue and what can happen but it also have a tool and tips that perhaps could help one get less worried :

Signed Malware

Weebarra · May 10, 2018

shmu26 said:
You can bookmark your banks etc, that way you know you are going back to the same trusted site.

Thanks for that, i just need to make sure it's the correct site to start with ............. knowing my luck, i would bookmark a dodgy one and then i would be out on the streets, a pauper because i gave some scammer full access to my wealth (which incidentally doesn't amount to much

)

upnorth said:
Check the post below if you like as it covers a bit of the certificate issue and what can happen but it also have a tool and tips that perhaps could help one get less worried :

Signed Malware

Thanks buddy, i will have a good read at that later and hopefully i'll be able to understand it.

shmu26 · May 10, 2018

Weebarra said:
For me (who doesn't know much) this is worrying as i thought that by checking the padlock and then the certificate validity that everything was good, now i have to do more work. I don't keep my banking log ins on a password manager as i don't have full faith in storing them there, i suppose i will have to be even more vigilant.

The first time, just put on your reading glasses and take a good, hard look at the address -- look for mispellings, and for funny-looking characters, and for thin, extra characters.

LASER_oneXM · May 10, 2018

im always checking sites with the VIRUS TOTAL URL scanner before signing up by entering my email adress and password. I'm also bookmarking sites that i've checked with Virus Total to prevent typos in the future.

shmu26 said:
Using a password manager also helps. If your password manager doesn't recognize a site that you have used before with a password, it is a sign that you might have been directed to the wrong site.

i also think that a password manager is very helpful (im currently using LastPass).

Daljeet · May 29, 2018

1.Under HTTPS looks like everything is okay but HTTPS response is cachable
2.From one point we have secure with HTTPS but on the other hand the password that is returned in HTTPS response will be cached in plain text
. Anti caching headers : Cache control & Pragma are not implemented

upnorth · May 30, 2018

How's My SSL?

Search

Security News HTTPS: why the green padlock is not enough

LASER_oneXM

Level 37

HarborFront

Level 71

Hamxa

Level 1

shmu26

Level 85

HarborFront

Level 71

tim one

Level 21

shmu26

Level 85

Weebarra

Level 17

shmu26

Level 85

upnorth

Moderator

Weebarra

Level 17

shmu26

Level 85

LASER_oneXM

Level 37

Daljeet

Level 6

upnorth

Moderator

Similar threads