HTTPS doesn’t mean safe

Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.

Let’s be honest, when most people see a little green lock with the word “Secure” to the left of a URL, they think the site is safe. Ditto for spotting the words “this site uses a secure connection” or a URL beginning with the letters “https.” More and more sites these days are switching to HTTPS. Most have no choice, in fact. So what’s the problem? The more secure sites there are, the better — right?

We’re about to let you in on a little secret: Those “Secure” symbols don’t guarantee a website is safe from all threats. A phishing site, for example, can legitimately display that comforting green lock next to its https address. So, what’s going on? Let’s find out.

 

A secure connection does not mean a secure site

 

The green lock means that the site has been issued a certificate and that a pair of cryptographic keys has been generated for it. Such sites encrypt information transmitted between you and the site. In this case, the page URLs begin with HTTPS, with the last “S” standing for “Secure.”

Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties—ISPs, network administrators, intruders, and so on. It lets you enter passwords or credit card details without worrying about prying eyes.

But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.

Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it’s fake.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.

 

What if the lock isn’t green?

 

If the address bar shows no lock at all, that means the website does not use encryption, exchanging information with your browser using standard HTTP. Google Chrome has started tagging such websites as insecure. They might in fact be squeaky clean, but they don’t encrypt traffic between you and the server. Most website owners don’t want Google to label their websites as unsafe, so more and more are migrating to HTTPS. In any case, entering sensitive data on an HTTP site is a bad idea — anyone can spy on it.

The second variant you might see is a lock icon crisscrossed with red lines and the HTTPS letters marked in red. That means the website has a certificate, but the certificate is unverified or out of date. That is, the connection between you and the server is encrypted, but no one can guarantee that the domain really belongs to the company indicated on the site. This is the most suspicious scenario; usually such certificates are used for test purposes only.

Alternatively, if the certificate has expired and the owner has not gotten around to renewing it, browsers will tag the page as unsafe, but more visibly, by displaying a red lock warning. In either case, take the red as the warning it is and avoid those sites — never mind entering any personal data on them.

 

How not to fall for the bait

 

To sum up, the presence of a certificate and the green lock means only that the data transmitted between you and the site is encrypted, and that the certificate was issued by a trusted certificate authority. But it doesn’t prevent an HTTPS site from being malicious, a fact that is most skillfully manipulated by phishing scammers.

So always be alert, no matter how safe the site seems at first glance.

  • Never enter logins, passwords, banking credentials, or any other personal information on the site unless you are sure of its authenticity. To do so, always check the domain name — and very carefully; the name of a fake site might differ by only one character. And ensure links are reliable before clicking.
  • Always consider what a particular site is offering, whether it looks suspicious, and whether you really need to register on it.
  • Make sure your devices are well protected: Kaspersky Internet Security checks URLs against an extensive database of phishing sites, and it detects scams regardless of how “safe” the resource looks.
Tips