FBI warns users to be wary of phishing sites abusing HTTPS
Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?
Not if you’re informed enough to understand what HTTPS signifies (an encrypted connection to a server whose certificate matches the domain name) and what it doesn’t signify (that the server, or whoever controls that domain, is therefore legitimate).
This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.
Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.
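The distinction above, as an added example that is not part of the article: a small URL triage routine of the kind a mail gateway or awareness tool might run, which deliberately gives the `https://` scheme no credit and instead looks at the registrable domain, brand names pushed into subdomains, and typosquats. The allow-list, brand names and URLs are constructed sample data; the two-label registrable-domain rule is a simplification of the Public Suffix List.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list of registrable brand domains an organisation trusts.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real code would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as 'paypa1.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason). The scheme is never consulted: a padlock only
    proves the connection is encrypted, not that the domain is legitimate."""
    host = urlsplit(url).hostname or ""
    if not host:
        return "suspicious", "URL has no host"
    labels = host.rstrip(".").split(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {reg} is on the allow-list"
    # Brand name used as a subdomain of some other registrable domain,
    # e.g. paypal.com.secure-login.net; a valid certificate for that host is trivial to obtain.
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in labels[:-2]:
            return "suspicious", f"brand {brand} used as a subdomain of {reg}"
    # Typosquat: registrable domain within two edits of a trusted brand.
    closest = min(TRUSTED_DOMAINS, key=lambda b: edit_distance(reg, b))
    if edit_distance(reg, closest) <= 2:
        return "suspicious", f"{reg} is a near-match for {closest}"
    return "unknown", f"{reg} is not on the allow-list; HTTPS proves nothing about it"
```

Note that `http://www.paypal.com/` and `https://www.paypal.com/` get the same verdict, while `https://paypal.com.secure-login.net/` is flagged despite a perfectly valid padlock.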
They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.
How we got here
Today, all competently managed websites use HTTPS, a big change from even a handful of years ago, when its use was overwhelmingly limited to sites that either offered password login or conducted transactions, as required by the payment-card industry’s PCI DSS standard.
What supercharged the use of SSL/TLS certificates and HTTPS was Google’s insistence from 2015 that its presence would become a positive signal for its search engine algorithms.
Suddenly, not having an HTTPS site became a negative. In 2018, Google’s Chrome and many other big-name browsers including Firefox and Edge started dropping even more forthright hints by marking non-HTTPS sites as ‘not secure’ in the address bar.
Website owners got the message and so, in a mangled way, did web users – HTTPS was henceforth good and the lack of it at best lazy and perhaps even downright bad.