Slashdot Mirror


Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com)

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

141 comments

  1. Always by Anonymous Coward · · Score: 0

    Investigate sites

  2. SSL by Anonymous Coward · · Score: 1

    In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

    Really? What's the thing underneath me that's approaching me really fast, here up in the sky? I think I'll call it ground. I wonder if it'll be friends with me. When writing or excerpting for Slashdot, please assume at least some minimal technical knowledge.

    Also, of course people believe SSL is more than it is; companies have been pointing it out for years as proof they're secure.

    1. Re:SSL by Anonymous Coward · · Score: 3, Funny

      I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...

    2. Re:SSL by Anonymous Coward · · Score: 1

      Blame "Encrypt Everywhere" and Google's obsession with ruining the performance of sites everywhere by making it so that sites become hard to find in their search engine.

      The EFF and Cloudflare brought this upon us all.

      What needs to happen is that the browsers need to explicitly recognize three classes of SSL certificates:
      - Free certificates (eg Encrypt Anywhere, Cloudflare, and any other service that provides VPN service,) which make the site about as credible as any non-SSL site, only that data transmitted is encrypted, there is no actual trust relationship. These sites would only show a "secure connection" not a "lock icon", whereas a non-SSL site should show a "non-secure connection" and no lock icon at all.
      - Global Trusted certificates, which we know as "Extended Validation" certificates, and as such only Banks and Stores may have them. It's the responsibility of the SSL certificate provider and the government entity that it exists under to validate the business is a legitimate business with its own taxpayer id. This would be displayed in the browser as a Green lock, and a green location bar.
      - Locally Trusted certificates, or basically "show me anyway" which show a "secure connection with a red question mark on it". This is any site with a self-signed certificate, or an incorrectly provisioned one that lets it run in SSL mode, but the encryption may not be good enough.

      Likewise any webserver that supports a downgrade attack would have "secure connection with a blue question mark on it" , eg "this site is running in secure mode but your connection might be snooped on"

    3. Re:SSL by Anonymous Coward · · Score: 0

      You do know that you can get a "Taxpayer ID" from a Web site in most places, and that incorporating an LLC is also very easy, right? You can check that those things exist, you can send a letter to the registered address, you can do whatever you like. That's not going to prove that anybody's "legitimate" (whatever that means).

      A government registering a business is NOT guaranteeing that that business is legitimate. At most it's guaranteeing that it has some hope of knowing who the principals are. Try this experiment: get cheated by somebody through a corporation, and sue the government for the money you lose. Let us know how much that guarantee of legitimacy is worth.

      And you also know that, regardless of the level of validation, all a certificate was EVER meant to prove was that the entity you were talking to had a claim to the NAME, right? That they were never, ever, ever meant to mean that that entity was "legitimate", right?

      Right now, certs don't even prove much about the NAME, and you're asking them to solve much harder problems.

    4. Re: SSL by Anonymous Coward · · Score: 0

      Really clever, color coding, that will go well with the visually impaired suffering from color blindness... No, let's call a spade a spade: SSL simply means encrypted traffic between you and the site. Let's instead ard common sense into people and perhaps teach them to use multi factor when accessing sites of "great power" i.e. finance / medical etc. and focus on the weakest link, the human in the equation, making people better at not flinging out details to the first and best scammers presenting themselves on the phone trying to spread their FUD. And let us who are IT professionals hunt those scammers down, exposing them for the human trash that they are... Follow the money trail and don't stop at the first small fish you find.

    5. Re:SSL by DontBeAMoran · · Score: 1

      The problem is that Google's own Chrome browser no longer displays "Extended Validation" sites with a green block in the address bar. Try going to a DV SSL website and an EV SSL website and you'll see a green padlock with the word "Secure" before the actual URL.

      Same thing in Safari, in my old Safari version 9 I see a big green rectangle but in the latest versions that has also disappeared.

      So while EV certificates are more secure, it's like the companies behind the browsers don't really care about helping the users identify the more secure websites from the ones that are simply using an encrypted connection.

      --
      #DeleteFacebook
    6. Re: SSL by Voyager529 · · Score: 1

      You're right; SSL certs are not ironclad proof of identity. For a while though, they *were* a barrier. Sure, $20 a domain wasn't the biggest hurdle, but spinning up 10,000 variations of googkle.com *and* giving them all $20 SSL certs got costly...and also involved a paper trail. The padlock was never a barrier to a spear phishing attempt, but it made playing with big numbers far less profitable, meaning a site with a cert was generally more trustworthy than HTTP. Aunt Google wanted to de facto mandate SSL, even for sites that really didn't need it, so we got let's encrypt. I'm appreciative to the EFF for it, but it became a whole lot easier to get The Padlock.

      As far as it being cheap and easy to get an LLC, it's not cheap or easy to register 10,000 of them...and once again, there is a paper trail. Even if it doesn't take the same amount of validation to get an EV cert as a passport or military ID, EV's at least prove that the entity who has one either doesn't have 10,000 of them, or if they do, they're probably an entity with a lawyer on retainer to handle trademark infringement by the phishing sites looking to emulate them.

    7. Re: SSL by Anonymous Coward · · Score: 0

      Can't you just redirect the traffic of those that don't have SSL certs to the one that has one? That way, the phisher needs to pay only $20. Of course, not everyone would fall for it but some still would anyway.

  3. Half of /. headlines are hyperbole by Anonymous Coward · · Score: 0

    Half of /. headlines are hyperbole.

    1. Re:Half of /. headlines are hyperbole by Anonymous Coward · · Score: 0

      Which half ?

    2. Re:Half of /. headlines are hyperbole by Anonymous Coward · · Score: 0

      The first half and the second half.

    3. Re: Half of /. headlines are hyperbole by Anonymous Coward · · Score: 0

      CONGRATULATIONS! You've won the Excellence in Phishing Award. Please reply with your Slashdot username and password to claim a very valuable prize.

  4. Good job web browsers! by Dan+East · · Score: 5, Insightful

    And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

    --
    Better known as 318230.
    1. Re: Good job web browsers! by Anonymous Coward · · Score: 0

      Great idea

    2. Re:Good job web browsers! by sinij · · Score: 3, Interesting

      To be fair, pervasive surveillance isn't a minor problem. Otherwise, spot on.

    3. Re:Good job web browsers! by Anonymous Coward · · Score: 5, Informative

      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

    4. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Obviously you can only trust sites that correctly omit your passwords with asterisks like this: hunter2

    5. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      "I had to switch to HTTPS"

      Oh no! The horror!!!

      "Now users have a misguided trust that since a browser didn't warn them about a site"

      The padlock tells you your comms to the site are encrypted. Nothing more. Your post is moronic.

    6. Re:Good job web browsers! by hcs_$reboot · · Score: 2

      Nobody said a https site is not a phishing site. Https is said to be secure because it prevents communication between a client and a server from being eavesdropped. The padlock does not say "safe", it says "secure connection". Now some people could be a bit confused but I doubt unknowledgeable users make a difference between http and https in the first place.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    7. Re:Good job web browsers! by Anonymous Coward · · Score: 1

      Parent AC gets it right. There WAS a problem that HTTPS addressed. That problem needed to be fixed. Miseducation around the fix is another problem, but does not imply the first problem wasn't a problem or didn't need a fix. It did.

    8. Re:Good job web browsers! by Junta · · Score: 2

      Perhaps a different icon, a padlock says 'secure', need something to suggest protected/confidential link rather than a secure link.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      "Gee, he went to midgetsbeingfuckedbyhorses.com, but because the site uses SSL, we just don't know what went on there!"

      "Gosh darn it, well, I guess that's that. Wait, no, it isn't. Time to look at access logs. I know a FISA judge."

      SSL is a fool's errand when it comes to protection against the surveillance you're talking about.

    10. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      I am a freelance security consultant with an info-only webpage. If anything was out of place, any of my customers would know me personally and call me. I have to run HTTPS because I have learned it is not a good first conversation to try to get your potential customer to understand why HTTPS is unnecessary (and possibly a false sense of security, because I'm not taking the time to actually analyze the security, I just use the cheapest easiest way to get the padlock).

    11. Re:Good job web browsers! by chispito · · Score: 2

      Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.

      But now your site is safer. Your site visitors are much less at risk of being man in the middled than they previously were.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    12. Re:Good job web browsers! by Pascoea · · Score: 1

      The padlock does not say "safe", it says "secure connection".

      To my grandmother, the padlock doesn't "say" anything. It's an icon that is designed to indicate security. You and I know that it means "secure connection", not "safe site". I love the fact that letsencrypt allows me to get a signed certificate for my personal sites. I hate the fact that it has lowered the barrier of entry for nefarious people. Like it or not, the little padlock adds credibility to a site. And the removal of the "This site isn't secure, are you sure you want to send your credit card information." message from before doesn't help.

    13. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Who, then? The users?

      Bwahhahahahahahahahahahaaaa

    14. Re:Good job web browsers! by Opportunist · · Score: 1

      So... you wouldn't consider it a problem that someone MITMs the connection from the one seeking information on your page and feeds this person with garbage, while at the same time pretending that garbage comes from your page?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.

      I keep hearing about these users but they're always abstract. Have any of these users actually been spotted in the wild? Are there yet any substantiated claims of someone having met one of these legendary "it had a padlock so I thought the website was secure" people?

    16. Re:Good job web browsers! by Anonymous Coward · · Score: 1

      But if you are a good security consultant, you would realize that HTTP is necessary. If your potential client uses ShadyISP Inc. and you aren't using HTTPS, then ShadyISP can alter your webpage in transit and can inject Ads into your "info-only webpage", and that also won't look good for you, and this isn't even your fault, this is ShadyISP doing it. HTTPS also protects your info only page by not letting others alter it. You are foolish to think this won't affect you because some rather large ISPs such as Comcast or ATT have been documented to have done this before.

    17. Re:Good job web browsers! by thegarbz · · Score: 1

      And this is what we get for browsers forcing websites to adopt HTTPS

      No. This is what we get for attempting to educate people that an encrypted connection between two computers where the controlling parties at either end are unknown is considered "safe".

      It's not. It never was. We developed a whole new concept of EV certificates because of that gap. That doesn't make the idea to push sites to use HTTPS bad in the slightest.

      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner.

      It's not up to you to decide if I may be persecuted for your "read only" information. It's not up to you to declare that information you send in plain text isn't modified or intercepted on route. Thank god we forced some sense into you.

      Now users have a misguided trust

      Nope, users have always had a misguided trust. If you have ever told a user that they are personally secure simply because they see a lock on the browser then you have contributed to misguiding them. The padlock doesn't certify *who* you are talking to, just that no one else is listening. It never has. Browsers have other ways of identifying to whom a user is talking rather than just certifying the web server on the other end is the correct one for the attempted connection.

      And there's a big reason e.g. Bank of America says "Bank of America Corporation (US)" next to the padlock, whereas your crappy little website just has a plain old lock.

    18. Re:Good job web browsers! by dissy · · Score: 3, Interesting

      That is exceptionally worrying...

      First:
      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.

      Then you contradict that:
      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

      You really *really* need to look your website over page by page and through the html files.
      They no longer contain what you think they do, they have been changed, and changed to require your visitors to submit form field data back to your server.

      If you didn't set that up, your site has been hacked.

    19. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Hard to find a non-SSL site these days, now that Google Chrome enforces HTTPS. Also hard to find a site completely devoid of inputs, or a page which doesn't contain a keyword or link to a page which does request user input. Which makes it terribly difficult to verify your claim.

      On a non-SSL/TLS secured page with no user inputs, Google Chrome warns "Not Secure" in the address bar. Clicking on "Not Secure" further warns not to send any information back to the site. When I click the link to the page with the forms, those pages are redirected to use TLS.

      Admittedly the non-SSL warnings in Chrome are much milder than the warnings given when you attempt to fill out a form on a non-SSL site (and the address bar warnings might not even be noticed by some) .

    20. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Anybody could man-in-the-middle attack your site. Now they can't.

      Anybody? And what could they achieve by doing so? Please elaborate.

    21. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Malware injection is pretty easy.

    22. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Who cares if someone man-in-the-middles a site like that? No accounts to take over. Only static downloadable information that anyone can get directly from the site.

    23. Re: Good job web browsers! by TimMD909 · · Score: 1

      At least any hacked pages can now securely send their information back to the black hat. Silver linings, and all... ;-)

    24. Re:Good job web browsers! by Anonymous Coward · · Score: 1

      Anybody could man-in-the-middle attack your site. Now they can't.

      Anybody? And what could they achieve by doing so? Please elaborate.

      Malware injection, misinformation, asking your users to submit information that your site doesn't actually need or use. If you can't see any scenario where delivering content other than what you served up with your own web server is wrong, then you shouldn't be on the fucking internet.

    25. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      That's a very broad generalization that implies that all browsers, all versions have the same default behaviour. If that were true we wouldn't need a running summary of which browsers follow which standards.

      If you didn't set that up, your site has been hacked.

      More broad generalization. Or is it armchair website analysis? This is the same kind of generalization that started web browsers down the road to labelling any website not using https as unsafe.

    26. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      No, if I was a good security consultant (which I am), I would realize that all things must be a balance between risk and cost. I simply don't see that risk as worth the cost. Good security consultants know that it isn't about mitigating every last risk. It's about taking a rigorous approach and documenting WHY you mitigated what you did and a roadmap for the future. It is a perfectly reasonable choice to use bare HTTP, particularly since my "brand" isn't particularly valuable (excepting the optics of HTTP websites which the likes of Google have been slandering and which force me to choose a solution I see as subpar based on the risk-cost-assessment model).

    27. Re:Good job web browsers! by sootman · · Score: 2

      > Browsers only warn on non-ssl sites if you are submitting data back to
      > them. Not a single one warns if you don't do that.

      WRONG. Go to an HTTP site in Chrome and it says (i) Not Secure in the URL bar starting with the very first visit.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    28. Re:Good job web browsers! by tepples · · Score: 1

      The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.

    29. Re:Good job web browsers! by tepples · · Score: 1

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      Several JavaScript APIs are restricted to secure contexts only, even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.

    30. Re:Good job web browsers! by AmiMoJo · · Score: 1

      That's why Chrome is getting rid of the padlock icon (it's already tiny and grey and they removed the extra verification bit where it used to say the company name, because that was useless as well). I think I read that Mozilla are planning the same.

      The new scheme is flag sites which don't have HTTPS, with encrypted being the new normal. For trust we are basically screwed, we have nothing right now that can reliably identify a public web site or its owner.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    31. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      You just provided the basis for a billion dollar idea. Put a dns layer between the https browser and the real site. So your browser history says midgetsbeinfuckedbyhorses.com but you really went to bitcoinblackmarketemporium.com

      I know this is pretty much how dns mitm and spoofing attacks do their job, but why not harness the power for good instead of just evil.

    32. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      If you can't see any scenario where delivering content other than what you served up with your own web server is wrong, then you shouldn't be on the fucking internet.

      That seems like an odd statement. Just because they can't see the security implications means they are banned from all porn websites? Why not ban them from the rest too?

    33. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      Um...so you might be retarded. You can already do this shit, but it doesn't matter what your browser history says.

    34. Re:Good job web browsers! by Anonymous Coward · · Score: 0

      >The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

      Or maybe he doesn't have a site and barely knows what he's talking about.

  5. Browsers are awful in explaining X509 by sinij · · Score: 1

    I understand X509 is complicated and most people do not want and do not need to understand how it works. However, all browsers went too far in dumbing down this aspect and we are now seeing consequences.

    For example, when navigating to /. It takes me multiple clicks to determine that it currently uses certificate issued on October 23, 2018, for Slashdot.org, and it uses Let's Encrypt issued certificate (cheap bastards). Why is this information so hard to access?
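
As an added example (not code from the article, PhishLabs, or any commenter), the following Python 3 script, standard library only, pulls out exactly the facts sinij wants next to the padlock: which DNS names the certificate was issued for, who vouched for it, and until when. It also shows the only identity question a certificate answers, "does the name in the address bar match a name on this certificate?", which is what the padlock reflects and why it says nothing about whether the site is legitimate. `SAMPLE_CERT` is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns; the serial, dates and issuer commonName are made up, and only the slashdot.org hostname and the "Let's Encrypt" organization name come from the comment. `fetch_peer_cert` is the live variant for a host name passed on the command line.

```python
"""What the padlock actually attests: an issuer vouched that a key belongs to a
DNS name, for a validity window. Nothing here says the site is honest.
Added example; SAMPLE_CERT is constructed, not a real certificate."""
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Serial, dates and the issuer commonName are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "slashdot.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Example Intermediate CA (constructed)"),),
    ),
    "version": 3,
    "serialNumber": "00",
    "notBefore": "Oct 23 00:00:00 2018 GMT",
    "notAfter": "Jan 21 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "slashdot.org"), ("DNS", "*.slashdot.org")),
}


def name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def san_dns_names(cert):
    """The DNS names the issuer actually bound the key to."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is allowed only as the whole leftmost label,
    matches exactly one label, and never matches a bare TLD (no '*.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when the name typed into the address bar is one the certificate covers."""
    names = san_dns_names(cert)
    if not names:  # legacy fallback; modern browsers ignore the CN once a SAN is present
        cn = name_attr(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return any(dns_name_matches(n, hostname) for n in names)


def summarize_cert(cert, now=None):
    """The facts a user would want beside the padlock: who vouched for which names, until when."""
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": name_attr(cert.get("subject", ()), "commonName"),
        "issuer_org": name_attr(cert.get("issuer", ()), "organizationName"),
        "issuer_cn": name_attr(cert.get("issuer", ()), "commonName"),
        "dns_names": san_dns_names(cert),
        "not_before": not_before,
        "not_after": not_after,
        "expired": now >= not_after,
        "not_yet_valid": now < not_before,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live variant: fetch the leaf certificate the way a browser would
    (chain validated against the system trust store, hostname checked)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    info = summarize_cert(cert)
    print("names on certificate:", info["subject_cn"], info["dns_names"])
    print("vouched for by      :", info["issuer_org"], "/", info["issuer_cn"])
    print("valid until (UTC)   :", time.strftime("%Y-%m-%d", time.gmtime(info["not_after"])))
    print("expired             :", info["expired"])
```

Run it with no argument to see the constructed sample, or with a host name to inspect a live site. Everything the script reports is about a name binding and a date range; there is no field that would let you distinguish a phishing site from the site it imitates, which is the gap the article describes.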

    1. Re:Browsers are awful in explaining X509 by Anonymous Coward · · Score: 0

      Because the people implementing all that crap don't know what they're doing and never really understood the ideas they were building on, or what they were trying to do with them, either. In other words, a bit like the W3C and "web standards". It hasn't gotten better in the meantime. This is really quite pervasive in 'web, to the point that "webshit" is really quite accurate.

    2. Re:Browsers are awful in explaining X509 by Junta · · Score: 1

      I would argue that making those details more prominent wouldn't really improve the situation. The problem is that users may barely glance for a padlock, but otherwise focus on the content area to see if it 'looks right' despite the fact the content area is totally under the control of the site operator.

      User has to look at the location bar (which the operator can't control) and putting *more* information in it is going to probably make people even more likely to not bother.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Browsers are awful in explaining X509 by sinij · · Score: 1

      Well, one step toward addressing this problem is not just to blindly show a padlock, but also to show the identifier on the certificate (i.e. slashdot.org in this case). Additionally, highlighting the domain in the address bar (i.e. https://it.slashdot.org/comments.pl?sid....). This way if there are shenanigans (i.e. if I navigate to a site that I think is slashdot.org, but end up at totallylegitsite.ru instead and they have a Let's Encrypt certificate), it will be more obvious.

    4. Re:Browsers are awful in explaining X509 by Junta · · Score: 1

      Incidentally, at least in firefox, the 'slashdot.org' is in bold already.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re:Browsers are awful in explaining X509 by Anonymous Coward · · Score: 0

      Hey, at least it's validating certificate chain properly!
      goto fail

      Next exercise for you - try to see how easy it is to pull up certificate chain and manually validate that it is properly built.

    6. Re:Browsers are awful in explaining X509 by Anonymous Coward · · Score: 0

      Chrome 70.0.3538.110 on Debian has the domain in black and the rest of the URI in a lighter-grey. It's not quite as striking as Firefox, but it does differentiate between host and path.

  6. Who was giving this advice anyway? by Anonymous Coward · · Score: 0

    No one ever told me to look at the padlock, and I never told anyone to look at the padlock.
    All the padlock means is that they bothered to enable https for their site and they have valid certs for the domain.
    If you don't check the domain it's pointless.

    1. Re:Who was giving this advice anyway? by LQ · · Score: 1

      No one ever told me to look at the padlock

      No, but when you either get a padlock or "Not Secure" (Chrome), it still gives a misleading impression. Most people are not computer savvy and do not understand (or know) there is a difference between secure and safe.

    2. Re: Who was giving this advice anyway? by Anonymous Coward · · Score: 0

      Most people will never stay abreast of the latest security threats.

    3. Re:Who was giving this advice anyway? by Sigma+7 · · Score: 1

      No one ever told me to look at the padlock, and I never told anyone to look at the padlock.

      I don't have to look at the padlock, but when I do, I've often seen the word "Secure" right next to it, even when I know it is not the case. Browsers blindly plopped that word on any HTTPS page, giving a false user impression for anyone who randomly glances in that general direction.

      The "https" system was basically announced as secure since ~1995, originally via popups. This implied that it's secure in that you aren't going to get phished, have content tampered, etc. While the notification changed from a big popup over to an icon in the status bar, I still consider it a big issue when it's misrepresented as secure.

      If you don't check the domain it's pointless.

      Still won't help, one just needs domains that use unicode characters that look like English letters, or simply have a typo similar to switching "l" and "I" around. This requires going back and forth between the browser and some external program to check the text, and eventually causes the user to become bored of this excessive verification.

      Or worse, a punycode domain that looked like apple.com - something that was a problem with Google Chrome previously.

  7. Badly aimed education? by Anonymous Coward · · Score: 1

    more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

    Really? Is that level of misunderstanding so pervasive?

    How do we fix that? Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript? Those same people WILL need to know how the internet works, so let's teach that instead.

    1. Re:Badly aimed education? by Pascoea · · Score: 1

      more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

      Really? Is that level of misunderstanding so pervasive?

      As with everything, it depends on the demographic. Probably gets closer to 100% when you start asking 50+ year olds.

      Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript?

      I took probably 10+ semesters of math (and various "life skills" classes) throughout my educational career, but I still had to teach myself how to do my taxes.

  8. Web users need to be aware by Anonymous Coward · · Score: 1

    I think we are expecting web browsers to be our net nanny these days. It has been my experience that the informed and educated user is the one who can use the web safely because they know how to do so. No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

    1. Re:Web users need to be aware by Anonymous Coward · · Score: 1

      No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

      ^ So much this.

      The way to a safer internet is for people to engage and use their brains. There's no way you can ever nanny it into safety, because (1) that creates yet a dumber breed of user, who (2) can be exploited in even more ways, because they aren't thinking about what they are doing.

      Consider the clusterfuck of Android malware and spyware, vs the relative safety of Linux. There is no technical reason the Linux ecosystem couldn't run malware and spyware. However it is a relatively safe ecosystem because its user base tends to think about what they are doing. Android's is a clusterfuck because its users do not, and will happily do anything you put in front of them with not a consideration about the consequences.

      A safe internet comes with (1) educated users, and (2) eliminating obfuscations about what is really happening.

  9. lock AND the url by charliemerritt03 · · Score: 3, Insightful

    I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

    1. Re: lock AND the url by Junta · · Score: 1

      Per the example in the article, evidently there are people that don't look at the location bar at all if they see the lock. This means users need to understand that the padlock just means the identity is verified, but they have to decide if that identity matches what they were expecting.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re: lock AND the url by Anonymous Coward · · Score: 0

      It is easy to tell a site that may have problems. Just hit the refresh button over and over and you maybe get a 500 error.
      The problem is that these half-assed sites never use proper technology so they start with some web pages to fool the user and then they add more pages over time in the possibly impossible quest for automated fraud.
      The other thing you can do is look at the page source and it will tell you what back end it uses. Using something other than .NET or Java indicates something may not be right. Amateurs never realize you can't just avoid the big mature technologies.

    3. Re: lock AND the url by tepples · · Score: 1

      It is easy to tell a site that may have problems. Just hit the refresh button over and over and you maybe get a 500 error.

      That might be on purpose, as a means of conserving resources for legitimate visitors in the face of a denial of service attack.

      Using something other than .NET or Java indicates something may not be right.

      Yet you're posting on a site that "may not be right". Slashdot is written in Perl, and Wikipedia is written in PHP.

    4. Re: lock AND the url by Anonymous Coward · · Score: 0

      that's fine until you start getting in to some of the utf8 fun and different characters that look identical.

    5. Re: lock AND the url by Opportunist · · Score: 1

      U xpect ppl to b abl to reed?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re: lock AND the url by aaarrrgggh · · Score: 1

      In fairness, the location bar often has very meaningless information. My credit union's login domain is (sometimes) different than their name, and is only used for login. (They appear to outsource their website and a number of other functions to some credit union pool/provider.) I complained to them about it, and they slowly improved one aspect-- but it isn't easy.

      Extended Validation is about the only thing that you can try to trust now, as who the heck can keep track of which CAs they should trust and which they shouldn't?? And who really checks to see if the signing is done by their company's ATD system or the originator CA...?

    7. Re: lock AND the url by Anonymous Coward · · Score: 0

      There are also browsers that hide the URL from you.

    8. Re: lock AND the url by thegarbz · · Score: 1

      NO!!! You're part of the problem. The lock only certifies that the machine on the other end is the correct destination typed in the URL bar and that no one else is listening. It DOES NOT AND NEVER HAS certified who owns that machine.

      You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

      This however is good advice. Good advice is to not follow links. Good advice is to manually type in addresses. If you've manually typed and checked addresses AND see the lock you're in a pretty good place. Additionally good advice would be to look for EV certifications. Google doesn't have one, but if you want to log in to Bank of America's website you shouldn't be looking for a lock, you should be looking for a bright green "Bank Of America Corporation (US)" written next to the URL.

    9. Re: lock AND the url by Aristos+Mazer · · Score: 1

      I walked away from one bank that was doing that. If a bank can't do security in-house, it ain't a secure bank in this day and age.

    10. Re: lock AND the url by Anonymous Coward · · Score: 0

      Here's the problem. Stupid Fortune 500 companies want to run a new deal plan. Ok, can they get it approved by their IT? Nope, so they just register a new domain foosuperdeals.com, and blast it to their followers. So Is foosuperdeals.com really run by company foo? Who knows? How can I tell the difference between that and the new phishing site foodeals.com?

    11. Re: lock AND the url by Junta · · Score: 1

      Of course in an outsourcing SSO situation, the EV SSL would similarly indicate the provider, *not* the financial institution...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    12. Re: lock AND the url by aaarrrgggh · · Score: 1

      They actually outsource all of the e-banking, but the login-failed page and one other one I would hit periodically (could have been related to the trusted computer setup) were not properly configured.

      No, it doesn't bode well for their security either...

    13. Re: lock AND the url by DontBeAMoran · · Score: 1

      www.13g17-b4nk.com

      --
      #DeleteFacebook
    14. Re: lock AND the url by DontBeAMoran · · Score: 1

      omgwtfbbq reed alert
      l4rn 2 wr1t3 dud3

      --
      #DeleteFacebook
    15. Re: lock AND the url by sootman · · Score: 1

      > You do need to be sure that its gmail.com and not gmale.com,
      > part of being an adult netizen.

      Ah yes, blame the user. Because it's their fault if they don't have perfect eyesight and can't spot the flaw in https://www.grnail.com/ or https://www.googIe.com. I can't wait to hear you blame your parents for being stupid when they get scammed.

      SCAMMERS ARE ASSHOLES. We need a strong, MULTI-LAYERED DEFENSE against them. Not just "you'd better know what you're doing."

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    16. Re: lock AND the url by Anonymous Coward · · Score: 0

      But for 90% of users the location/address bar might as well not even exist. They just cannot see it. There is only Google. DNS is effectively obsolete for websites.

  10. Certificate Authorites are not giving us value. by jellomizer · · Score: 2

    These certificates are often expensive, relatively complex to set up, and rarely ever give any real value. A self-signed cert will offer the same level of encryption (sometimes more, because the cert authorities may pay more for automatically generating more bits). The original value of these cert authorities was so we would be sure that the site we went to was an authentic business, where you could prove you are who you say you are. But they have been giving certs to anyone without any research; just as long as you pay the bill you are good to go, so you are not getting value out of these certs except for the artificial browser scary error that you are a horrible person for using an unauthorized cert.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Certificate Authorites are not giving us value. by Anonymous Coward · · Score: 0

      You can’t pay a CA for more bits of encryption. It all comes down to the key, and you get to generate the key.

    2. Re:Certificate Authorites are not giving us value. by Junta · · Score: 2

      There may be flaws in the CA system, but this article isn't really related.

      The problem is that users aren't even bothering to see *what* the authority validated. A CA can't reasonably know that serveirc.com is going to try to impersonate paypal.com. They can revoke that certificate upon reporting abuse and such. The CA and DNS can do things to prevent shenanigans like paypa1.com or more clever unicode things, but at some point the user *has* to validate some part of the UI that *isn't* totally controlled by the site operator.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Certificate Authorites are not giving us value. by tepples · · Score: 1

      A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business

      I see three different levels of assurance.

      1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band.
      2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name.
      3. An organization-validated certificate assures the above plus the identity of the owner of the domain name for tax purposes. It says nothing about the business practices of this owner, other than that it happens not to be organized as a sole proprietorship.

    4. Re:Certificate Authorites are not giving us value. by Opportunist · · Score: 1

      The same level of encryption but not the same level of authenticity. What a CA issued cert says is that the server that you're connecting to is actually the server you're connected to and that no MITM is happening.

      That doesn't make www.bankofmurrica.com any more a page that you should enter your BA-credentials at, but it certifies that you're really talking with www.bankofmurrica.com and not www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
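The check Opportunist describes (the padlock says you are talking to the host named in the address bar, nothing about who runs it) is a hostname-matching routine run against the certificate's subjectAltName list. Below is an added example of that routine, not code from this thread or from any browser; the SAN lists and hostnames are constructed, and no real certificate is parsed. It follows RFC 6125 with the stricter wildcard rules browsers apply.

```python
"""Hostname matching against a certificate's dNSName SANs (RFC 6125 style).

Added example, not code from the thread: this is the check behind the
padlock.  It answers "does this certificate name the host in the address
bar?" and nothing else.  The SAN lists below are constructed; no real
certificate is parsed.
"""


def normalize(name: str) -> list:
    """DNS names are case-insensitive; a trailing dot is the same name."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(san_dns_names: list, hostname: str) -> bool:
    """True if any presented dNSName matches hostname under browser rules:
    exact label-by-label equality, or a wildcard that is the whole leftmost
    label, covers exactly one label, and leaves at least two labels to its
    right (so "*.com" never matches anything)."""
    if "*" in hostname:
        return False  # the name the user typed never contains a wildcard
    host = normalize(hostname)
    for presented in san_dns_names:
        pattern = normalize(presented)
        if "*" not in presented:
            if pattern == host:
                return True
            continue
        # Wildcard handling: strict, browser-like.
        if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
            continue  # partial ("log*.example.com") or non-leftmost wildcards
        if len(pattern) < 3:
            continue  # "*.com" would cover an entire TLD
        if len(host) == len(pattern) and host[1:] == pattern[1:]:
            return True  # one label only: a.login.example.com is not covered
    return False


def explain(san_dns_names: list, hostname: str) -> str:
    """One line stating what the padlock would and would not assert."""
    if hostname_matches(san_dns_names, hostname):
        return (f"padlock: certificate names {hostname!r}; "
                f"it says nothing about who operates it")
    return f"no padlock: certificate {san_dns_names} does not name {hostname!r}"


if __name__ == "__main__":
    bank = ["www.bankofmurrica.com", "bankofmurrica.com"]
    print(explain(bank, "www.bankofmurrica.com"))
    print(explain(bank, "www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn"))
    print(explain(["*.bankofmurrica.com"], "login.bankofmurrica.com"))
    print(explain(["*.bankofmurrica.com"], "a.login.bankofmurrica.com"))
    print(explain(["*.com"], "paypal.com"))
    # A lookalike domain with its own valid certificate gets the padlock too.
    print(explain(["www.paypa1.com"], "www.PayPa1.com."))
```

The last case is the point of the thread: `www.paypa1.com` with a certificate for `www.paypa1.com` passes this check exactly as the real site does, so the padlock lights up for the phisher as well.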
    5. Re:Certificate Authorites are not giving us value. by thegarbz · · Score: 1

      These Certificates are often expensive, relatively complex to setup rarely ever give any real value.

      Certifications are neither complex to setup nor do they not provide value. The people who claim they don't are those who do not understand what these certificates actually certify. Hint: It wasn't about the person on the other end, it was about the computer and the computer alone. Incidentally all these certifications are now able to be had for free.

      On the other hand extended validation certifications are "expensive". I use quotes because frankly paying a few thousand dollars for the privilege of securing valuable data is not "expensive" as much as it is a minimum expectation.

      The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business

      Nope. CAs never required you to be a registered business. They used to require a basic form of ID, but that was absolutely stupid since you, the person, are insanely complicated to link to the endpoint of an internet address. That is precisely why DV certificates only care about the endpoint of the connection. It is not relevant who *you* are. It is only relevant that the computer at www.bob.com is actually the correct computer at www.bob.com.

      Now if you want an EV certificate then you do need to be a registered business, you also need to prove you're able to speak on behalf of that business and that process is very carefully controlled. Always has been since the inception of an EV certificate.

      so you are not getting value out of these Certs

      Correct computer for the address, not being MITMed, no snooping, no ISP modifying packets on the go, is a shitload more than "no value" and is also obtainable cost-free so mathematically they actually provide infinite value.

    6. Re:Certificate Authorites are not giving us value. by Anonymous Coward · · Score: 0

      That is pretty much impossible in the real world.
      If I have to enter the website name in the URL bar - sure. But that is not the case in the real world. You go to site1.com, it redirects you to some shithole.com for authentication, that redirects you back to site2.com, etc. At some point it asks you for credentials and it is no longer the website that you entered in the URL bar. How do you validate that it is not some phishing site at that point? Copy-paste the URL bar content into your favorite string comparison tool?

    7. Re:Certificate Authorites are not giving us value. by Junta · · Score: 1

      In practice, registrar and CAs and the most prominent companies are doing things so that visual inspection of the name part of the url+padlock is enough to feel somewhat good, seeing the legal entity name (EV SSL) is even better. It's unlikely that a phishing site can have a domain that visibly resembles a well-known site's name with a trusted cert in this day and age.

      Yes, places bouncing around through third party servers exist. If that third party is obviously a well known payment processor (paypal, visa, etc) or a well known identity provider (google, facebook), ok (and that is unfortunately the compromise needed to support smaller businesses online where reputation is very tricky). If it is some obscure provider the site you were trying to do business with is using that you have never heard of, take your business somewhere else that you can be confident about and let them know their use of no-reputation third party service caused them to lose your business.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    8. Re:Certificate Authorites are not giving us value. by Anonymous Coward · · Score: 0

      I agree with what you have said.
      The CAs need to be held accountable for a rise in corrupted "secure" domains. I bet one could correlate the rise in profits, too... The trend lines must be quite steep.
      Ultimately, the CAs are now kowtowing to the malicious actors.

      Tinfoil hat time, the CAs colluded with the browser giants to get this enforced so they could effectively "tax/capture" the illegal activities of which are a HUGE market share globally.

    9. Re:Certificate Authorites are not giving us value. by complete+loony · · Score: 1

      At best certs verify that the owner of the domain name is also the owner of the server. So why not just publish cert details in dns, secured by dnssec?

      Sure, if your dns records get "hacked" somehow, you're screwed. But with how easy it is to get a cert from lets encrypt, that's already true now.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
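"Publish cert details in DNS" is what DANE does: a TLSA record under `_443._tcp.<host>` carrying a digest of the server's certificate or public key (RFC 6698). The block below is an added example, not part of this thread, showing the record a domain owner publishes and the check a DANE-aware client performs against the presented chain. The "certificates" are constructed byte strings standing in for DER blobs, no X.509 is parsed, and the DNSSEC validation that makes the record trustworthy (the "if your DNS gets hacked" caveat) is assumed rather than modelled.

```python
"""DANE: publishing certificate details in DNS (RFC 6698 TLSA records).

Added example, not from the thread.  It builds the TLSA record a domain
owner would publish and checks a presented chain against it.  The
"certificates" are constructed byte strings standing in for DER-encoded
certificate and SubjectPublicKeyInfo blobs; no X.509 parsing happens here,
and the DNSSEC validation that makes the record trustworthy is assumed.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values (only the DANE-only usages 2 and 3 are modelled;
# usages 0 and 1 additionally require ordinary PKIX validation).
DANE_TA, DANE_EE = 2, 3             # certificate usage: trust anchor / end entity
SEL_CERT, SEL_SPKI = 0, 1           # selector: full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class CertLike:
    der: bytes    # the whole certificate, DER (constructed here)
    spki: bytes   # its SubjectPublicKeyInfo, DER (constructed here)


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    def rdata(self) -> str:
        """Presentation format, e.g. '3 1 1 <hex sha256 of the SPKI>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    return f"_{port}._{proto}.{host}."


def association_data(cert: CertLike, selector: int, matching: int) -> bytes:
    """The bytes a record carries for this cert under the given selector/matching."""
    blob = cert.der if selector == SEL_CERT else cert.spki
    if matching == MATCH_FULL:
        return blob
    if matching == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert: CertLike, usage: int = DANE_EE, selector: int = SEL_SPKI,
              matching: int = MATCH_SHA256) -> TLSA:
    """The record to publish; '3 1 1' is the usual choice for a server's own key."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))


def chain_matches(chain: list, records: list) -> bool:
    """chain[0] is the end-entity certificate, the rest are its issuers.
    DANE-EE (3) must match the leaf; DANE-TA (2) must match an issuer in the chain."""
    for rec in records:
        if rec.usage == DANE_EE:
            candidates = chain[:1]
        elif rec.usage == DANE_TA:
            candidates = chain[1:]
        else:
            continue
        for cert in candidates:
            if association_data(cert, rec.selector, rec.matching) == rec.data:
                return True
    return False


if __name__ == "__main__":
    issuer = CertLike(der=b"constructed issuer certificate", spki=b"constructed issuer key")
    leaf = CertLike(der=b"constructed leaf certificate", spki=b"constructed leaf key")
    ee_record = make_tlsa(leaf)
    print(tlsa_owner_name("www.example.com"), "IN TLSA", ee_record.rdata())
    print("leaf matches 3 1 1:", chain_matches([leaf, issuer], [ee_record]))
    # Rotate the server key: the 3 1 1 record is stale until DNS is updated...
    rotated = CertLike(der=b"constructed reissued certificate", spki=b"constructed new leaf key")
    print("after key rotation:", chain_matches([rotated, issuer], [ee_record]))
    # ...whereas a 2 1 1 record pinned to the issuer survives the rotation.
    ta_record = make_tlsa(issuer, usage=DANE_TA)
    print("2 1 1 after rotation:", chain_matches([rotated, issuer], [ta_record]))
```

The rotation case is the operational trade-off: a `3 1 1` record pins the server's own key and must be republished (ideally ahead of time, with both old and new digests) on every key change, while a `2 1 1` record pins the issuer and tolerates leaf reissuance at the cost of trusting everything that issuer signs for the name.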
    10. Re:Certificate Authorites are not giving us value. by Anonymous Coward · · Score: 0

      That problem has been solved: https://letsencrypt.org/

    11. Re:Certificate Authorites are not giving us value. by Anonymous Coward · · Score: 0

      Because of letsencrypt.org, the certificates are free and generally unverified. But the traffic is now encrypted with no browser warnings. This was a predicted side effect of the push to the "HTTPS everywhere" movement, which was itself a response to wide reporting of government snooping. We effectively verified destinations for privacy from government snooping.

  11. Lock != Legit. by Anonymous Coward · · Score: 0

    It never has. It JUST means that encryption is on, and you're talking to the site that appears in the address bar. That's it.

    This idea that the website is "legitimate" has never been true AFAIK.

    1. Re:Lock != Legit. by Opportunist · · Score: 1

      And how should it? Who'd know what you WANT to connect to but you yourself? Maybe you do want to connect to https://www.comparethemeerkat.... and not https://www.comparethemarket.c...

      (and yes, they both exist and the former is an advertising gimmick for the latter)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. True Issue by Anonymous Coward · · Score: 0

    I would say the issue isn't that the websites are using certificates. The issue is, why are their certificates being trusted? If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser... If the certificate chain is not trusted by the machine, then the browser prompts with a certificate warning...

    1. Re:True Issue by Anonymous Coward · · Score: 0

      Sadly there are about a hundred CAs in the default distributed list.

      Some of these CAs have been caught giving out certs to non-owners of websites and when those CAs are big enough they won't get removed from the list.

    2. Re:True Issue by tepples · · Score: 1

      Some of these CAs have been caught giving out certs to non-owners of websites and when those CAs are big enough they won't get removed from the list.

      You mean like WoSign and Symantec, whose roots browser publishers have phased out?

    3. Re:True Issue by Opportunist · · Score: 1

      The issuer is doing its job. The job of the issuer is to verify that the domain name is properly pointed at the right IP-Address. What else would you consider the issuer's job?

      That you think www.mybank.com.cn is www.mybank.com is YOUR problem. Not the CA's.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Yea no shit by Anonymous Coward · · Score: 0

    And buying bread from a restaurant doesn't ensure you that it doesn't have fiberglass dust in it.

    BUT

    There is a trail of ownership and a connection to a bank.

  14. Chrome by cascadingstylesheet · · Score: 1

    There are indeed people who would think the way the article describes.

    Hmm, maybe Chrome making the lock gray now wasn't as dumb as I thought. While the absence of https (at least according to Google) is baaaaad, the mere presence of it doesn't mean all that much.

  15. HTTPS deters tampering by tepples · · Score: 4, Informative

    I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.

    1. Re:HTTPS deters tampering by Sigma+7 · · Score: 2

      With HTTPS being prevalent, it's not difficult for ISPs to have an install disk that sets up your computer for optimal browsing (i.e. installs a root certificate that tricks browsers into accepting intercepted HTTPS content.)

      It probably already happened with SuperFish and Lenovo.

    2. Re:HTTPS deters tampering by Aristos+Mazer · · Score: 1

      True, but at least we can watch for code modifying client machines... all it takes is one vigilant user looking at what the ISP install disk does to raise the alarm. When the insertions are happening on the ISP machines without modification of the clients, that's really hard to detect and prove. The HTTPS forces the injection to be more detectable.

    3. Re:HTTPS deters tampering by Anonymous Coward · · Score: 0

      What install disk? Is this a thing? Real question.

    4. Re:HTTPS deters tampering by AmiMoJo · · Score: 1

      How do I insert the install disk into my phone? Many laptops don't even have an optical drive these days.

      I haven't seen an ISP install disc for at least a decade. People expect to plug the modem in, use the default wifi password printed on it and start surfing. The days of ISP crapware are long gone, at least around here.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Once again buzzwords prevail over usefulness by Anonymous Coward · · Score: 0

    Look for the lock must be on par with terrible password conventions for the amount of potential damage they've caused. Fixating on one small aspect of your online security and turning it into an easily repeatable buzzword is well intended, but ultimately flawed. Looking for a lock is not enough just like replacing some letters with numbers in a single, often short word is not a good enough password.

    A little knowledge is a dangerous thing.

  17. Pervasive surveillance v.s. censorship by Anonymous Coward · · Score: 1

    The purpose of HTTPS everywhere is to force everyone to register. This is Orwellian, not a good thing.

    1. Re:Pervasive surveillance v.s. censorship by Opportunist · · Score: 1

      Huh? Who has to register what now?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Pervasive surveillance v.s. censorship by jbmartin6 · · Score: 1

      I think he is referring to the need to provide some sort of verification to a CA to get a certificate the browsers will accept. Take this line from TFS:

      In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted

      A false statement, the primary purpose of SSL/TLS is authentication not "merely" encryption. Now, how that authentication (of the site) is performed, via a list of browser approved CAs, has a lot of problems. But what it is supposed to do is assure you your Citibank.com site is actually Citibank and not a fake citibank.com hosted on some thief's server.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Pervasive surveillance v.s. censorship by Opportunist · · Score: 2

      All a certificate does is to verify that traffic that you think originated from www.whateverserver.com actually does originate from www.whateverserver.com.

      And for this you needn't register any personally identifiable information with anyone.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Pervasive surveillance v.s. censorship by Anonymous Coward · · Score: 0

      Which is why the smart thief registers something like "citybank.com" or "citibank.org" in order to phish. Sufficiently similar to "citibank.com" that it fools the dyslexics. They have an approved CA for their dubious domain - because that is easy. Not free, but cheap enough.

      Phishing a handful of accounts yields enough money that the investment in a CA is well worth it.

  18. HTTPS has other benefits. by Anonymous Coward · · Score: 1

    But centrally managed certificates are definitely not a help.

    What should have been done was make SSC(Self Signed Cert)s give the yellow warning icon, improper authoritative certs give the red/broken lock symbol, sites with matching authoritative info getting the green lock, and then add a pinning option that pops up certificate information only for certified+pinned websites, allowing the user to have visual notice if it is a site they normally visit or a possible phishing site.

    Honestly cert pinning needs to become the standard, because only the end user can authorize trust in the end. If they do badly, that is on them, if they do well, then it is also on them and helps avoid both criminal and state level hacking by ensuring they know the proper certificates for the websites they frequent and authorized them at some trustworthy time in the past.

    1. Re:HTTPS has other benefits. by Anonymous Coward · · Score: 0

      i think you are overestimating the ability of normal users to judge such things. your suggestion is not a realistic solution. i think it has been proven with all the click to accept boxes that used to pop up in windows that users know absolutely nothing about protecting their computer. so throwing them off the deep end and expecting them to know when they can accept a cert is not reasonable.

  19. "Their job" according to DV and OV CAs by tepples · · Score: 1

    If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser

    I think it has something to do with a misconception of what "their job" means. Let's Encrypt, SSLS.com, and other CAs specializing in "domain validation" think the job of a TLS certificate authority is to ensure that only the entity that controls a hostname can act as that hostname. The "organization validation" camp, which includes the "Extended Validation" camp, thinks a certificate also ought to identify the real-world business behind a particular hostname. They use as an example bankofarnerica.com belonging to someone other than Bank of America Corporation.
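What "the entity that controls a hostname can act as that hostname" means in practice is an ACME challenge of the kind Let's Encrypt runs (RFC 8555), which thegarbz's "DV certificates only care about the endpoint" comment above is also describing. The block below is an added example, not Let's Encrypt's or any ACME client's code: it walks the http-01 and dns-01 exchanges from both sides, with DNS and the web server modelled as dictionaries so it runs offline. The account key is a constructed JWK with a made-up modulus (it cannot sign, and the signed ACME requests are omitted), the token is constructed in the shape ACME servers issue, and the addresses are documentation ranges.

```python
"""What a domain-validated CA actually checks: an ACME challenge (RFC 8555).

Added example, not Let's Encrypt's or any ACME client's code.  DNS and the
applicant's web server are dictionaries so the exchange runs offline.  The
account key is a constructed JWK with a made-up modulus.  Nothing here
involves the applicant's identity: whoever controls the name, and the host
it resolves to, passes.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA's token to the account key that asked for the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def ca_validate_http01(dns_a: dict, hosts: dict, domain: str, token: str,
                       account_jwk: dict) -> bool:
    """The CA's side: resolve the name, fetch the path over plain HTTP, compare.
    dns_a maps name -> IPv4; hosts maps IPv4 -> {path: body} (both constructed)."""
    address = dns_a.get(domain)
    body = hosts.get(address, {}).get(http01_path(token))
    return body == key_authorization(token, account_jwk)


def ca_validate_dns01(dns_txt: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA's side for dns-01: look for the digest in _acme-challenge.<domain> TXT."""
    return dns01_txt_value(token, account_jwk) in dns_txt.get(f"_acme-challenge.{domain}", [])


# Constructed account key: the modulus is not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
TOKEN = "constructed-token-Dt3juxGJ-PCt92wr-oA"  # constructed, in the shape ACME issues

if __name__ == "__main__":
    # The applicant controls paypa1.com and the host it points to: succeeds.
    dns_a = {"paypa1.com": "203.0.113.7", "paypal.com": "203.0.113.50"}
    hosts = {"203.0.113.7": {http01_path(TOKEN): key_authorization(TOKEN, ACCOUNT_JWK)}}
    print("paypa1.com http-01:", ca_validate_http01(dns_a, hosts, "paypa1.com", TOKEN, ACCOUNT_JWK))
    # The same file on the same host proves nothing for paypal.com: its A record points elsewhere.
    print("paypal.com http-01:", ca_validate_http01(dns_a, hosts, "paypal.com", TOKEN, ACCOUNT_JWK))
    # dns-01 for the name the applicant controls.
    dns_txt = {"_acme-challenge.paypa1.com": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]}
    print("paypa1.com dns-01:", ca_validate_dns01(dns_txt, "paypa1.com", TOKEN, ACCOUNT_JWK))
```

Both challenges reduce to "the party holding the account key could place a value where only the name's controller can place it". That is all a DV certificate attests, which is exactly why a phisher who has registered `paypa1.com` gets one as easily as PayPal gets theirs.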

    1. Re:"Their job" according to DV and OV CAs by Junta · · Score: 1

      Of course, other than financial companies themselves, not a whole lot of EV SSL sites. For example, not even Amazon bothers to do EVSSL.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:"Their job" according to DV and OV CAs by Anonymous Coward · · Score: 0

      For extra fun: Twitter sometimes uses an EV certificate. Is the EV information gone because they just aren't using it right now, or is there a problem with the connection? Who knows!

    3. Re:"Their job" according to DV and OV CAs by DontBeAMoran · · Score: 1

      Well they are called Twitter, after all.

      --
      #DeleteFacebook
  20. Proxy by Thelasko · · Score: 1

    This is why proxy re-encryption has become popular.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Proxy by Opportunist · · Score: 1

      How's this relevant?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. The ACTUAL meaning of the padlock by Anonymous Coward · · Score: 0

    The green padlock by and large indicates two things:

    a) The site uses HTTPS to encrypt the traffic traveling back and forth between your Browser and the Server. Passive eavesdroppers can't read the contents of your communication.
    b) The site REALLY IS the site it claims to be. You aren't talking to a fraudster (aka Man in the Middle [https://en.wikipedia.org/wiki/Man-in-the-middle_attack]) pretending to be the site you ACTUALLY want to talk to.

  22. DV allegedly enables typosquatting by tepples · · Score: 1

    The site REALLY IS the site it claims to be

    I guess it depends on how you define "the site it claims to be". If you write "snadze" in Cyrillic,* it'll resemble "chase" except that the "h" will be a small capital. The Punycode form of this name part is xn--80akwp6h. If you then go register xn--80akwp6h.com , you then prove to a domain-validating certificate authority that you own xn--80akwp6h.com, which a browser will display as "{snadze}.com" except with the actual Cyrillic letters. At this point, you can fool people who don't check the URL bar very closely into thinking they're on JPMorgan Chase N.A.'s website when they're not.

    Or even staying inside Latin script: "bankofarnerica" isn't Bank of America.

    * The letter dze comes from Macedonian Cyrillic. I can't show the real name because anti-vandalism measures implemented on Slashdot after the "(5:erocS)" incident disabled Cyrillic.
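The two tricks in this comment, a Cyrillic label that resembles "chase" and the Latin-only "bankofarnerica", together with the earlier remarks about Unicode lookalikes and the punycode apple.com problem, are what a lookalike-domain check has to catch. The block below is an added example, not from this thread or any browser: it accepts a hostname either as shown to the user (Unicode) or as it appears in DNS and in the certificate (Punycode "xn--" labels), flags labels that mix scripts or are entirely non-Latin, folds confusable characters to a Latin "skeleton", and compares that against a constructed watchlist of brand domains. The confusable table is a hand-picked subset rather than Unicode's full confusables.txt, and the folds are lossy (a legitimate name containing "rn" folds to "m"), so hits are leads, not verdicts.

```python
"""Lookalike hostname detection: IDN homographs and Latin typosquats.

Added example, not from the thread.  Uses only the standard library; the
watchlist and the Cyrillic sample domains are constructed.
"""
import unicodedata

WATCHLIST = {"apple.com", "paypal.com", "chase.com", "bankofamerica.com",
             "gmail.com", "google.com"}  # constructed brand list

# Non-Latin letters that render like Latin ones in common fonts (subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u043d": "h",  # Cyrillic en: reads as a small capital H at address-bar size
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
}
# Latin-only tricks that survive DNS case-folding.
LATIN_FOLDS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def to_unicode(hostname: str) -> str:
    """Decode any xn-- labels; lowercase because DNS is case-insensitive."""
    return hostname.lower().encode("idna").decode("idna").lower()


def to_ascii(hostname: str) -> str:
    """The wire form: what DNS resolves and what the certificate's SAN names."""
    return hostname.lower().encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used in one label, from the first word of each character's name."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def skeleton(label: str) -> str:
    """Fold confusables to Latin so lookalikes compare equal to their target."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for src, dst in LATIN_FOLDS:
        folded = folded.replace(src, dst)
    return folded


def analyse(hostname: str) -> dict:
    shown = to_unicode(hostname)
    labels = shown.split(".")
    findings = []
    for label in labels:
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"label {label!r} is entirely {sorted(scripts)[0]}")
    skel = ".".join(skeleton(label) for label in labels)
    impersonates = skel if skel in WATCHLIST and skel != shown else None
    if impersonates:
        findings.append(f"folds to watchlisted {impersonates!r}")
    return {"shown": shown, "wire": to_ascii(shown), "skeleton": skel,
            "impersonates": impersonates, "findings": findings}


if __name__ == "__main__":
    samples = [
        "apple.com", "bankofarnerica.com", "grnail.com",
        "\u0430\u0440\u0440l\u0435.com",        # Cyrillic а, р, р + Latin l + Cyrillic е
        "\u0441\u043d\u0430\u0455\u0435.com",   # all Cyrillic; reads as "chase"
    ]
    for host in samples:
        report = analyse(host)
        print(report["wire"], "->", report["shown"], "|", report["findings"] or "clean")
```

Two caveats worth knowing before relying on this: Python's `idna` codec implements IDNA 2003, while current browsers apply IDNA 2008 with UTS #46 processing, so a few characters (for instance letters added to Unicode after 3.2) encode differently or are rejected here; and browsers already refuse to render labels that mix scripts, so the all-Cyrillic "chase" case, which passes that rule, is the one this kind of skeleton comparison is really for.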

  23. So, educate people on PK by Anonymous Coward · · Score: 0

    How do we fix that? .. Those same people WILL need to know how the internet works, so let's teach that instead.

    Make students submit their homework assignments by email. PGP-encrypted email. Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer. Get 'em familiar with the concepts.

    And then watch 'em finally realize how horrible the web is. "WTF, this e-commerce company is only signed by one 'somebody' and this 'somebody' signer isn't even someone that I know or have the slightest reason to trust?"

    Put that point on the Final Exam, as a question. If they aren't able to explain how badly HTTPS is broken and fails to live up to even early-1990s-level basic security practices, then there is virtually no chance they understand HTTPS or how to use a web browser. So, it really would be a good test for whether or not someone is ready to graduate middle school.

  24. Not a new problem by CastrTroy · · Score: 1

    HTTPS was never designed to verify if a website is trustworthy or validate that they will do good things with the data you send to them. The only thing it does is ensure that you can be sure you're talking to the actual website you asked for based on the URL and that nobody else read or changed the data sent by the server as it traversed over the network.

    If we really want to protect things like user credit card numbers we should have a system where we don't have to send our credit card details to a website that we want to do business with. This would work similar to PayPal in which you can do a payment to a third party website without actually giving them your credit card number, except PayPal would be replaced by a Visa/MC/AMEX service.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Not a new problem by Anonymous Coward · · Score: 0

      If a paid-for CA is used, it also proves that you're connecting to whoever paid for the certificate. Which of course may or may not be who you intend to be connecting to.

    2. Re:Not a new problem by Opportunist · · Score: 1

      Not even that. And even if, what does it help you that Mr. Ali Ben Gali from Generistan paid for the certificate of the server that just ripped you off? You can bet good money that Mr. Gali doesn't even know anything about the transaction, since it takes about a month for a credit card fraud to get detected and shady pages are up for maybe a few days.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  25. Thanks Let's Encrypt by Anonymous Coward · · Score: 0

    Let's Encrypt provides us the advantage of free SSL certs so that the requirement imposed by Google and other browser vendors to use HTTPS isn't so egregiously expensive.

    The down side is that Let's Encrypt also makes it easy and free for the scammers to have SSL certs as well. This doesn't only give them a padlock. It also shields the scam activity from firewall/traffic scanners. Yes, many firewalls can do deep SSL inspection(MITM), but this is expensive, difficult, complicated, and has its own issues as well, so most people don't implement it.

    Let's Encrypt is a boon for those that need SSL certs. But, like always, the benefit comes with the cost of unintended consequences.

    1. Re:Thanks Let's Encrypt by DontBeAMoran · · Score: 1

      All these problems could have been avoided if Let's Encrypt had known about RFC 3514.

      --
      #DeleteFacebook
    2. Re:Thanks Let's Encrypt by Opportunist · · Score: 1

      Let's Encrypt does exactly what the certificate issued can do: Verify that the webpage the traffic originates at is the webpage in the URL line. Nothing more, nothing less.

      And no CA can actually guarantee anything else.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. It's also WRONG by raymorris · · Score: 2

    > In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL)

    SSL was a protocol used by Netscape in the 1990s.
    For the last decade or two we've been using TLS.

    1. Re:It's also WRONG by arglebargle_xiv · · Score: 1

      Right, which is why we have TLS web servers, TLS certificates and OpenTLS, and not SSL servers, SSL certs and OpenSSL.

  27. be careful here! by AndyKron · · Score: 1

    So there's a 49% chance that /. is a phishing site. Yikes!

  28. Meaning of padlock by Anonymous Coward · · Score: 0

    Is that what people thought the padlock meant? You can trust the website?

  29. ummm by Anonymous Coward · · Score: 0

    I don't know who or where this advice came from that "the lock means this is a legitimate business". That was never the case, and it has never been good advice, and the only time I've ever seen this viewpoint floated is in these reaction articles. I've worked in IT since the early 2000s, and the advice passed on to non-techies has always been "the lock means your data is protected on its way to the website". It doesn't tell you anything about whether the website is who they say they are, or what they do. Stop pushing this false advice to people. It's akin to thinking "oh it's a .org so it must be a legitimate source for my paper because non-profits can't lie". A teacher said that to me in 2008. Had to register a long .org explaining how she was wrong to prove her wrong.

    1. Re:ummm by Opportunist · · Score: 1

      Unfortunately it's been peddled in "computer magazines" where writers who, at the most, know that TCP ain't the abbreviation for the Chinese secret service hand out advice to their even less computer literate audience.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  30. Totally flawed system really only for $$$ by bussdriver · · Score: 1

    Governments issue corporation documents and reasonably track that information. I remember needing a state ID along with paperwork to incorporate.

    The government can relatively CHEAPLY use open source tools and some existing servers to digitally sign things... SSL should be using MULTIPLE signing parties with the government incorporation data and its "stamp of approval" for the corporation behind the site existing. At least then you can trace it back to the government and then to the business owners.

    3rd parties signing off on network security, storage security, malware security, privacy or BBB or whatever they do to approve. These should involve classes of approval: a simple string indicating the class of approval, start with a standard list that the browsers can react appropriately to. Such as warning users if a credit card is entered into a site that lacks a certification for that purpose; address info, etc.

    1. Re:Totally flawed system really only for $$$ by tepples · · Score: 1

      Under your proposal, how would it be practical for an individual writer to sell subscriptions to read her writing on her website? Or would you prefer that all subscriptions go through a single point of failure such as Patreon?

  31. Did HTTPS upgrade popups mention phishing? by tepples · · Score: 1

    [Early notices about navigating to an HTTPS site] implied that it's secure in that you aren't going to get phished, have content tampered, etc.

    I seem to remember the notices being phrased to the effect "Information you submit cannot be seen or changed by others while in transit". That covers the case of tampering and MITM phishing but not typosquat phishing.
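
Comments 24 and 31 above make the same point from two sides: certificate validation confirms that the host named in the URL is the host you reached, and it says nothing about whether that host is the one you meant. The following is an added example (not code from Slashdot or from any commenter) that models the browser's hostname check on constructed data. The certificate dictionaries, the `chain_ok` flag standing in for chain and expiry validation, and the hostnames `bank.example` and `bank-example.test` are all made up for the illustration.

```python
"""Browser-style hostname matching (RFC 6125 style) versus "is this the site I meant".

Added example on constructed data; not code from the thread. Certificates are
plain dicts with a fake subjectAltName list; no real TLS or network is involved.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against a hostname.

    A '*' is honoured only as the entire leftmost label and matches exactly one
    label: '*.bank.example' matches 'www.bank.example' but neither 'bank.example'
    nor 'a.b.bank.example'. Patterns with fewer than three labels ('*.example')
    are rejected, and partial-label wildcards ('f*o.example') are treated as
    literal names. (Simplified; real clients also consult a public-suffix list.)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any DNS subjectAltName entry covers the hostname."""
    return any(_name_match(name, hostname) for name in san_dns_names)


def would_show_padlock(url: str, cert: dict) -> bool:
    """What the padlock asserts: the URL's host is named in a certificate the
    browser trusts. Chain and expiry checks are represented here by the
    constructed 'chain_ok' flag."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return bool(cert.get("chain_ok")) and hostname_matches_cert(host, cert["san"])


def is_expected_site(url: str, expected_host: str) -> bool:
    """The check the padlock does NOT perform: is the host the one the user
    intended (that host or one of its subdomains)?"""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected_host = expected_host.lower().rstrip(".")
    return host == expected_host or host.endswith("." + expected_host)


# Constructed sample certificates: a genuine site and a lookalike, both with a
# properly issued, trusted certificate for their own names.
REAL_CERT = {"san": ["bank.example", "*.bank.example"], "chain_ok": True}
LOOKALIKE_CERT = {"san": ["bank-example.test", "*.bank-example.test"], "chain_ok": True}


def classify(url: str, cert: dict, expected_host: str = "bank.example") -> str:
    """Combine both checks into the verdict a user would actually want."""
    if not would_show_padlock(url, cert):
        return "no padlock: name mismatch or untrusted chain"
    if is_expected_site(url, expected_host):
        return "padlock and expected host"
    return "padlock, but NOT the expected host (lookalike/typosquat)"


if __name__ == "__main__":
    cases = [
        ("https://www.bank.example/login", REAL_CERT),
        ("https://www.bank-example.test/login", LOOKALIKE_CERT),
        # A tampering intermediary presenting the lookalike's cert for the real name:
        ("https://www.bank.example/login", LOOKALIKE_CERT),
    ]
    for url, cert in cases:
        print(f"{url} -> {classify(url, cert)}")
```

The second case is the one the thread is about: the lookalike host holds a valid certificate for its own name, so the name check passes and the padlock appears, while only the separate "expected host" comparison (which browsers do not make, because they cannot know what you meant) flags it. The third case shows what the padlock does protect against: a certificate that does not name the host in the URL fails the check.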

  32. Online college; K-12 students with poor parents by tepples · · Score: 1

    Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer.

    In the case of face-to-face instruction, a key signing party at freshman orientation is practical. But in the case of an online university, how would trusted introduction be accomplished?

    So, it really would be a good test for whether or not someone is ready to graduate middle school.

    Now you mention that you meant middle school, not college. In the case of middle school, how would a student with underprivileged parents afford a computer and Internet access in the first place with which to complete and submit homework? I don't see how it would be practical to expect every student to work to afford his or her own computer, as the child labor laws of the several U.S. states tend to prohibit any sort of non-farm employment until age 14, and most entry-level employers include in the job description at least one duty that states prohibit until 16.

  33. Try using a modern cert for SSL by raymorris · · Score: 1

    Try using a modern certificate in an SSL server, such as Apache 1.2.

    Some people mistakenly call it SSL. That doesn't make it SSL.

    For example, you can call OpenVPN an SSL connection, but the fact is, it doesn't support SSL and it never has. It speaks TLS.

  34. Re: Certificate Authorites are not giving us value by hakioawa · · Score: 1

    Actually they are the problem. The majority, and yes I mean that, of these phishing sites are using Let's Encrypt certs.