Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com)

Posted by msmash on from the watch-out dept.

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

2 of 141 comments (clear)

  1. Re:Good job web browsers! by Anonymous Coward · · Score: 5, Informative

    I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

  2. HTTPS deters tampering by tepples · · Score: 4, Informative

    I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.