Half of all Phishing Sites Now Have the Padlock

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

SSL

In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

Really? What's the thing underneath me that's approaching me really fast, here up in the sky? I think I'll call it ground. I wonder if it'll be friends with me. When writing or excerpting for Slashdot, please assume at least some minimal technical knowledge.

Also, of course people believe SSL is more than it is; companies have been pointing it out for years as proof they're secure.

Re:SSL

I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...

Re:SSL

Blame "Encrypt Everywhere" and Google's obsession with ruining the performance of sites everywhere by making it so that sites become hard to find in their search engine.

The EFF and Cloudflare brought this upon us all.

What needs to happen is that the browsers need to explicitly recognize three classes of SSL certificates:
- Free certificates (eg Encrypt Anywhere, Cloudflare, and any other service that provides VPN service,) which make the site about as credible as any non-SSL site, only that data transmitted is encrypted, there is no actual trust relationship. These sites would only show a "secure connection" not a "lock icon", where as a non-SSL site should should a "non-secure connection" and no lock icon at all.
- Global Trusted certificates, which we know as "Extended Validation" certificates, and as such only Banks and Stores may have them. It's the responsibility of the SSL certificate provider and the government entity that it exists under to validate the business is a legitimate business with it's own taxpayer id. This would be displayed in the browser as a Green lock, and a green location bar.
- Locally Trusted certificates, or basically "show me anyway" which show a "secure connection with a red question mark on it". This is any site with a self-signed certificate, or a incorrectly provisioned one that lets it run in SSL mode, but the encryption may not be good enough.

Likewise any webserver that supports a downgrade attack would have "secure connection with a blue question mark on it" , eg "this site is running in secure mode but your connection might be snooped on"

Re:SSL

[DontBeAMoran]

The problem is that Google's own Chrome browser no longer displays "Extended Validation" sites with a green block in the address bar. Try going to a DV SSL website and an EV SSL website and you'll see a green padlock with the word "Secure" before the actual URL.

Same thing in Safari, in my old Safari version 9 I see a big green rectangle but in the latest versions that has also disappeared.

So while EV certificates are more secure, it's like the companies behind the browsers don't really care about helping the users identify the more secure websites from the ones that are simply using an encrypted connection.

Re: SSL

[Voyager529]

you're right; SSL certs are not ironclad proof of identity. For a while though, they *were* a barrier. Sure, $20 a domain wasn't the biggest hurdle, but spinning up 10,000 variations of googkle.com *and* giving them all $20 SSL certs got costly...and also involved a paper trail. The padlock was never a barrier to a spear phishing attempt, but it made playing with big numbers far less profitable, meaning a site with a cert was generally more trustworthy than HTTP. Aunt Google wanted to de facto mandate SSL, even for sites that really didn't need it, so we got let's encrypt. I'm appreciative to the EFF for it, but it became a whole lot easier to get The Padlock.

As far as it being cheap and easy to get an LLC, it's not cheap or easy to register 10,000 of them...and once again, there is a paper trail. Even if it doesn't take the same amount of validation to get an EV cert as a passport or military ID, EV's at least prove that the entity who has one either doesn't have 10,000 of them, or if they do, they're probably an entity with a lawyer on retainer to handle trademark infringement by the phishing sites looking to emulate them.

Good job web browsers!

[Dan+East]

And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

Re:Good job web browsers!

[sinij]

To be fair, pervasive surveillance isn't a minor problem. Otherwise, spot on.

Re:Good job web browsers!

I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

Re:Good job web browsers!

[hcs_$reboot]

Nobody said a https site is not a phishing site. Https is said secure because it prevents communication between a client and a server to be eavesdropped. The padlock does not say "safe", it says "secure connection". Now some people could be a bit confused but I doubt unknowledgeable users make a difference between http and https in the first place.

Re:Good job web browsers!

Parent AC gets it right. There WAS a problem that HTTPS addressed. That problem needed to be fixed. Miseducation around the fix is another problem, but does not imply the first problem wasn't a problem or didn't need a fix. It did.

Re:Good job web browsers!

[Junta]

Perhaps a different icon, a padlock says 'secure', need something to suggest protected/confidential link rather than a secure link.

Re:Good job web browsers!

[chispito]

Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.

But now your site is safer. Your site visitors are much less at risk of being man in the middled than they previously were.

Re:Good job web browsers!

[Pascoea]

The padlock does not say "safe", it says "secure connection".

To my grandmother, the padlock doesn't "say" anything. It's an icon that is designed to indicate security. You and I know that it means "secure connection", not "safe site". I love the fact that letsencrypt allows me to get a signed certificate for my personal sites. I hate the fact that it has lowered the barrier of entry for nefarious people. Like it or not, the little padlock adds credibility to a site. And the removal of the "This site isn't secure, are you sure you want to send your credit card information." message from before doesn't help.

Re:Good job web browsers!

[Opportunist]

So... you wouldn't consider it a problem that someone MITMs the connection from the one seeking information on your page and feeds this person with garbage, while at the same time pretending that garbage comes from your page?

Re:Good job web browsers!

But if you are a good security consultant, you would realize that HTTP is necessary. If your potential client uses ShadyISP Inc. and you aren't using HTTPS, then ShadyISP can alter your webpage in transit and can inject Ads into your "info-only webpage", and that also won't look good for you, and this isn't even your fault, this is ShadyISP doing it. HTTPS also protects your info only page by not letting others alter it. You are foolish to think this won't affect you because some rather large ISPs such as Comcast or ATT have been documented to have done this before.

Re:Good job web browsers!

[thegarbz]

And this is what we get for browsers forcing websites to adopt HTTPS

No. This is what we get for attempting to educate people that an encrypted connection between two computers where the controling parties at either end are unknown is considered "safe".

It's not. It never was. We developed a whole new concept of EV certificates because of that gap. That doesn't make the idea to push sites to use HTTPS bad in the slightest.

I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner.

It's not up to you to decide if I may be persecuted for your "read only" information. It's not up to you to declare that information you send in plain text isn't modified or intercepted on route. Thank god we forced some sense into you.

Now users have a misguided trust

Nope, users have always had a misguided trust. If you have ever told a user that they are personally secure simply because they see a lock on the browser then you have contributed to misguiding them. The padlock doesn't certify *who* you are talking two, just that no one else is listening. It never has. Browsers have other ways of identifying to whom a user is talking rather than just certifying the web server on the other end is the correct one for the attempted connection.

And there's a big reason e.g. Bank of America says "Bank of America Corporation (US)" next to the padlock, whereas your crappy little website just has a plain old lock.

Re:Good job web browsers!

[dissy]

That is exceptionally worrying...

First:
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.

Then you contradict that:
I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

You really *really* need to look your website over page by page and through the html files.
They no longer contain what you think they do, they have been changed, and changed to require your visitors to submit form field data back to your server.

If you didn't set that up, your site has been hacked.

Re: Good job web browsers!

[TimMD909]

At least any hacked pages can now securely send their information back to the black hat. Silver linings, and all... ;-)

Re:Good job web browsers!

Anybody could man-in-the-middle attack your site. Now they can't.

Anybody? And what could they achieve by doing so? Please elaborate.

Malware injection, misinformation, asking your users to submit information that your site doesn't actually need or use. If you can't see any scenario where delivering content other than what you served up with your own web server is wrong, then you shouldn't be on the fucking internet.

Re:Good job web browsers!

[sootman]

> Browsers only warn on non-ssl sites if you are submitting data back to
> them. Not a single one warns if you don't do that.

WRONG. Go to an HTTP site in Chrome and it says (i) Not Secure in the URL bar starting with the very first visit.

Re:Good job web browsers!

[tepples]

The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.

Re:Good job web browsers!

[tepples]

Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

Several JavaScript APIs are restricted to secure contexts only, even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.

Re:Good job web browsers!

[AmiMoJo]

That's why Chrome is getting rid of the padlock icon (it's already tiny and grey and they removed the extra verification bit where it used to say the company name, because that was useless as well). I think I read that Mozilla are planning the same.

The new scheme is flag sites which don't have HTTPS, with encrypted being the new normal. For trust we are basically screwed, we have nothing right now that can reliably identify a public web site or its owner.

Browsers are awful in explaining X509

[sinij]

I understand X509 is complicated and most people do not want and do not need to understand how it works. However, all browsers went too far in dumbing down this aspect and we are now seeing consequences.

For example, when navigating to /. It takes me multiple clicks to determine that it currently uses certificate issued on October 23, 2018, for Slashdot.org, and it uses Letâ(TM)s Encrypt issued certificate (cheap bastards). Why is this information so hard to access?

Re:Browsers are awful in explaining X509

[Junta]

I would argue that making those details more prominent wouldn't really improve the situation. The problem is that users may barely glance for a padlock, but otherwise focus on the content area to see if it 'looks right' despite the fact the content area is totally under the control of the site operator.

User has to look at the location bar (which the operator can't control) and putting *more* information in it is going to probably make people even more likely to not bother.

Re:Browsers are awful in explaining X509

[sinij]

Well, one step toward addressing this problem is to not just blindly showing a padlock, but also showing identifier on the certificate (i.e. slashdot.org in this case). Additionally, highlighting domain in the address bar (i.e. https://it.slashdot.org/comments.pl?sid....). This way if there are shenanigans (i.e. if I navigate to a site that I think is slashdot.org, but end up at totallylegitsite.ru instead and they have Let's Encrypt certificate), it will be more obvious.

Re:Browsers are awful in explaining X509

[Junta]

Incidentally, at least in firefox, the 'slashdot.org' is in bold already.

Badly aimed education?

more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

Really? Is that level of misunderstanding so pervasive?

How do we fix that? Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript? Those same people WILL need to know how the internet works, so let's teach that instead.

Re:Badly aimed education?

[Pascoea]

more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

Really? Is that level of misunderstanding so pervasive?

As with everything, it depends on the demographic. Probably gets closer to 100% when you start asking 50+ year olds.

Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript?

I took probably 10+ semesters of math (and various "life skills" classes) throughout my educational career, but I still had to teach myself how to do my taxes.

Web users need to be aware

I think we are expecting web browsers to be our net nanny these days. It has been my experience that the informed and educated user is the one who can use the web safely because they know how to do so. No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

Re:Web users need to be aware

No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

^ So much this.

The way to a safer internet is for people to engage and use their brains. There's no way you can ever nanny it into safety, because (1) that creates yet a dumber breed of user, who (2) can be exploited in even more ways, because they aren't thinking about what they are doing.

Consider the clusterfuck of Android malware and spyware, vs the relative safety of Linux. There is no technical reason the Linux ecosystem couldn't run malware and spyware. However it is a relatively safe ecosystem because its user base tends to think about what they are doing. Android's is a clusterfuck because its users do not, and will happily do anything you put in front of them with not a consideration about the consequences.

A safe internet comes with (1) educated users, and (2) eliminating obfuscations about what is really happening.

lock AND the url

[charliemerritt03]

I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

Re: lock AND the url

[Junta]

Per the example in the article, evidently there are people that don't look at the location bar at all if they see the lock. This means users need to understand that the padlock just means the identity is verified, but they have to decide if that identity matches what they were expecting.

Re: lock AND the url

[tepples]

It is easy to tell a site that may have problems. Just hit the refresh button over and over and you maybe get a 500 error.

That might be on purpose, as a means of conserving resources for legitimate visitors in the face of a denial of service attack.

Using something other than .NET or Java indicates something may not be right.

Yet you're posting on a site that "may not be right". Slashdot is written in Perl, and Wikipedia is written in PHP.

Re: lock AND the url

[Opportunist]

U xpect ppl to b abl to reed?

Re: lock AND the url

[aaarrrgggh]

In fairness, the location bar often has very meaningless information. My credit union's login domain is (sometimes) different than their name, and is only used for login. (They appear to outsource their website and a number of other functions to some credit union pool/provider.) I complained to them about it, and they slowly improved one aspect-- but it isn't easy.

Extended Validation is about the only thing that you can try to trust now, as who the heck can keep track of which CAs they should trust and which they shouldn't?? And who really checks to see if the signing is done by their company's ATD system or the originator CA...?

Re: lock AND the url

[thegarbz]

NO!!! You're part of the problem. The lock only certifies that the machine on the other end is the correct destination typed in the URL bar and that no one else is listening. It DOES NOT AND NEVER HAS certified who owns that machine.

You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

This however is good advice. Good advice is to not follow links. Good advice is to manually type in addresses. If you've manually typed and checked addresses AND see the lock you're in a pretty good place. Additionally good advice would be to look for EV certifications. Google doesn't have one, but if you want to log in to Bank of America's website you shouldn't be looking for a lock, you should be looking for a bright green "Bank Of America Corporation (US)" written next to the URL.

Re: lock AND the url

[Aristos+Mazer]

I walked away from one bank that was doing that. If a bank can't do security in-house, it ain't a secure bank in this day and age.

Re: lock AND the url

[Junta]

Of course in an outsourcing SSO situation, the EV SSL would similarly indicate the provider, *not* the financial institution...

Re: lock AND the url

[aaarrrgggh]

They actually outsource all of the e-banking, but the login-failed page and one other one I would hit periodically (could have been related to the trusted computer setup) were not properly configured.

No, it doesn't bode well for their security either...

Re: lock AND the url

[DontBeAMoran]

www.13g17-b4nk.com

Re: lock AND the url

[DontBeAMoran]

omgwtfbbq reed alert
l4rn 2 wr1t3 dud3

Re: lock AND the url

[sootman]

> You do need to be sure that its gmail.com and not gmale.com,
> part of being an adult netizen.

Ah yes, blame the user. Because it's their fault if they don't have perfect eyesight and can't spot the flaw in https://www.grnail.com/ or https://www.googIe.com. I can't wait to hear you blame your parents for being stupid when they get scammed.

SCAMMERS ARE ASSHOLES. We need a strong, MULTI-LAYERED DEFENSE against them. Not just "you'd better know what you're doing."

Certificate Authorites are not giving us value.

[jellomizer]

These Certificates are often expensive, relatively complex to setup rarely ever give any real value. A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business, where you could prove you are who you say you are. But they have been giving certs to anyone without any research just as long as you pay the bill you are good to go, so you are not getting value out of these Certs except for the artificial browser scary error that you are a horrible person for using a unauthorized Cert.

Re:Certificate Authorites are not giving us value.

[Junta]

There may be flaws in the CA system, but this article isn't really related.

The problem is that users aren't even bothering to see *what* the authority validated. A CA can't reasonably out that serveirc.com is going to try to impersonate paypal.com. They can revoke that certificate upon reporting abuse and such. The CA and DNS can do things to prevent sheningans like paypa1.com or more clever unicode things, but at some point the user *has* to validate some part of the UI that *isn't* totally controlled by the site operator.

Re:Certificate Authorites are not giving us value.

[tepples]

A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business

I see three different levels of assurance.

1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band.
2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name.
3. An organization-validated certificate assures the above plus the identity of the owner of the domain name for tax purposes. It says nothing about the business practices of this owner, other than that it happens not to be organized as a sole proprietorship.

Re:Certificate Authorites are not giving us value.

[Opportunist]

The same level of encryption but not the same level of authenticity. What a CA issued cert says is that the server that you're connecting to is actually the server you're connected to and that no MITM is happening.

That doesn't make www.bankofmurrica.com any more a page that you should enter your BA-credentials at, but it certifies that you're really talking with www.bankofmurrica.com and not www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn.

Re:Certificate Authorites are not giving us value.

[thegarbz]

These Certificates are often expensive, relatively complex to setup rarely ever give any real value.

Certifications are neither complex to setup nor do they not provide value. The people who claim they don't are those who do not understand what these certificates actually certify. Hint: It wasn't about the person on the other end, it was about the computer and the computer alone. Incidentally all these certifications are now able to be had for free.

On the other hand extended validation certifications are "expensive". I use quotes because frankly paying a few thousand dollars for the privilage of securing valuable data is not "expensive" as much as it is a minimum expectation.

The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business

Nope. CAs never required you to be a registered business. They used to require a basic form of ID, but that was absolutely stupid since you the person is insanely complicated to link to the endpoint of an internet address. That is precisely why DV certificates only care about the endpoint of the connection. It is not relevant who *you* are. It is only relevant that the computer at www.bob.com is actually the correct computer at www.bob.com.

Now if you want an EV certificate then you do need to be a registered business, you also need to prove you're able to speak on behalf of that business and that process is very carefully controlled. Always has been since the inception of an EV certificate.

so you are not getting value out of these Certs

Correct computer for the address, not being MITMed, no snooping, no ISP modifying packets on the go, is a shitload more than "no value" and is also obtainable cost-free so mathematically they actually provide infinite value.

Re:Certificate Authorites are not giving us value.

[Junta]

In practice, registrar and CAs and the most prominent companies are doing things so that visual inspection of the name part of the url+padlock is enough to feel somewhat good, seeing the legal entity name (EV SSL) is even better. It's unlikely that a phishing site can have a domain that visibly resembles a well-known site's name with a trusted cert in this day and age.

Yes, places bouncing around through third party servers exist. If that third party is obviously a well known payment processor (paypal, visa, etc) or a well known identity provider (google, facebook), ok (and that is unfortunately the compromise needed to support smaller businesses online where reputation is very tricky). If it is some obscure provider the site you were trying to do business with is using that you have never heard of, take your business somewhere else that you can be confident about and let them know their use of no-reputation third party service caused them to lose your business.

Re:Certificate Authorites are not giving us value.

[complete+loony]

At best certs verify that the owner of the domain name is also the owner of the server. So why not just publish cert details in dns, secured by dnssec?

Sure, if your dns records get "hacked" somehow, you're screwed. But with how easy it is to get a cert from lets encrypt, that's already true now.

Chrome

[cascadingstylesheet]

There are indeed people who would think the way the article describes.

Hmm, maybe Chrome making the lock gray now wasn't as dumb as I thought. While the absence of https (at least according to Google) is baaaaad, the mere presence of it doesn't mean all that much.

HTTPS deters tampering

[tepples]

I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.

Re:HTTPS deters tampering

[Sigma+7]

With HTTPS being prevalent, it's not difficult for ISPs to have an install disk that sets up your computer for optimal browsing (i.e. installs a root certificate that tricks browsers into accepting intercepted HTTPS content.)

It probably already happened with SuperFish and Lenovo.

Re:HTTPS deters tampering

[Aristos+Mazer]

True, but at least we can watch for code modifying client machines... all it takes is one vigilant user looking at what the ISP install disk does to raise the alarm. When the insertions are happening on the ISP machines without modification of the clients, that's really hard to detect and prove. The HTTPS forces the injection to be more detectable.

Re:HTTPS deters tampering

[AmiMoJo]

How do I insert the install disk into my phone? Many laptops don't even have an optical drive these days.

I haven't seen an ISP install disc for at least a decade. People expect to plug the modem in, use the default wifi password printed on it and start surfing. The days of ISP crapware are long gone, at least around here.

Pervasive surveillance v.s. censorship

The purpose of HTTPS everywhere is to force everyone to register. This is Orwellian, not a good thing.

Re:Pervasive surveillance v.s. censorship

[Opportunist]

Huh? Who has to register what now?

Re:Pervasive surveillance v.s. censorship

[jbmartin6]

I think he is referring to the need to provide some sort of verification to a CA to get a certificate the browsers will accept. Take this line from TFS:

In reality, the https:/// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted

A false statement, the primary purpose of SSL/TLS is authentication not "merely" encryption. Now, how that authentication (of the site) is performed, via a list of browser approved CAs, has a lot of problems. But what it is supposed to do is assure you you Citibank.com site is actually Citibank and not a fake citibank.com hosted on some thief's server.

Re:Pervasive surveillance v.s. censorship

[Opportunist]

All a certificate does is to verify that traffic that you think originated from www.whateverserver.com actually does originate from www.whateverserver.com.

And for this you needn't register any personally identifiable information with anyone.

HTTPS has other benefits.

But centrally managed certificates are definitely not a help.

What should have been done was make SSC(Self Signed Cert)s give the yellow warning icon, improper authoritative certs give the red/broken lock symbol, sites with matching authoritative info getting the green lock, and then add a pinning option that pops up certificate information only for certified+pinned websites, allowing the user to have visual notice if it is a site they normally visit or a possible phishing site.

Honestly cert pinning needs to become the standard, because only the end user can authorize trust in the end. If they do badly, that is on them, if they do well, then it is also on them and helps avoid both criminal and state level hacking by ensuring they know the proper certificates for the websites they frequent and authorized them at some trustworthy time in the past.

"Their job" according to DV and OV CAs

[tepples]

If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser

I think it has something to do with a misconception of what "their job" means. Let's Encrypt, SSLS.com, and other CAs specializing in "domain validation" think the job of a TLS certificate authority is to ensure that only the entity that controls a hostname can act as that hostname. The "organization validation" camp, which includes the "Extended Validation" camp, thinks a certificate also ought to identify the real-world business behind a particular hostname. They use as an example bankofarnerica.com belonging to someone other than Bank of America Corporation.

Re:"Their job" according to DV and OV CAs

[Junta]

Of course, other than financial companies themselves, not a whole lot of EV SSL sites. For example, not even Amazon bothers to do EVSSL.

Re:"Their job" according to DV and OV CAs

[DontBeAMoran]

Well they are called Twitter, after all.

Proxy

[Thelasko]

This is why proxy re-encryption has become popular.

Re:Proxy

[Opportunist]

How's this relevant?

Re:Who was giving this advice anyway?

[LQ]

No one ever told me to look at the padlock

No, but when you either get a padlock or "Not Secure" (Chrome), it still gives a misleading impression. Most people are not computer savvy and do not understand (or know) there is a difference between secure and safe.

Re:True Issue

[tepples]

Some of these CAs have been caught giving out certs to non-owners of websites and when those CAs are big enough they won't get removed from the list.

You mean like WoSign and Symantec, whose roots browser publishers have phased out?

Re:Lock != Legit.

[Opportunist]

And how should it? Who'd know what you WANT to connect to but you yourself? Maybe you do want to connect to https://www.comparethemeerkat.... and not https://www.comparethemarket.c...

(and yes, they both exist and the former is an advertising gimmick for the latter)

Re:True Issue

[Opportunist]

The issuer is doing its job. The job of the issuer is to verify that the domain name is properly pointed at the right IP-Address. What else would you consider the issuer's job?

That you think www.mybank.com.cn is www.mybank.com is YOUR problem. Not the CA's.

DV allegedly enables typosquatting

[tepples]

The site REALLY IS the site it claims to be

I guess it depends on how you define "the site it claims to be". If you write "snadze" in Cyrillic,* it'll resemble "chase" except that the "h" will be a small capital. The Punycode form of this name part is xn--80akwp6h. If you then go register xn--80akwp6h.com , you then prove to a domain-validating certificate authority that you own xn--80akwp6h.com, which a browser will display as "{snadze}.com" except with the actual Cyrillic letters. At this point, you can fool people who don't check the URL bar very closely into thinking they're on JPMorgan Chase N.A.'s website when they're not.

Or even staying inside Latin script: "bankofarnerica" isn't Bank of America.

* The letter dze comes from Macedonian Cyrillic. I can't show the real name because anti-vandalism measures implemented on Slashdot after the "(5:erocS)" incident disabled Cyrillic.

Not a new problem

[CastrTroy]

HTTPS was never designed to verify if a website is trustworthy or validate that they will do good things with the data you send to them. The only thing is does is ensure that you can be sure you're talking to the actual website you asked for based on the URL and that nobody else read or changed the data sent by the server as it traversed over the network.

If we really want to protect things like user credit card numbers we should have a system where we don't have to send our credit card details to a website that we want to do business with. This would work similar to PayPal in which you can do a payment to a third party website without actually giving them your credit card number, except PayPal would be replaced by a Visa/MC/AMEX service.

Re:Not a new problem

[Opportunist]

Not even that. And even if, what does it help you that Mr. Ali Ben Gali from Generistan paid for the certificate of the server that just ripped you off? You can bet good money that Mr. Gali doesn't even know anything about the transaction, since it takes about a month for a credit card fraud to get detected and shady pages are up for maybe a few days.

It's also WRONG

[raymorris]

> In reality, the https:/// part of the address (also called "Secure Sockets Layer" or SSL)

SSL was a protocol used by Netscape in the 1990s.
For ten last decade or two we've been using TLS.

Re:It's also WRONG

[arglebargle_xiv]

Right, which is why we have TLS web servers, TLS certificates and OpenTLS, and not SSL servers, SSL certs and OpenSSL.

Re:Who was giving this advice anyway?

[Sigma+7]

No one ever told me to look at the padlock, and I never told anyone to look at the padlock.

I don't have to look at the padlock, but when I do, I've often seen the word "Secure" right next to it, even when I know it is not the case. Browsers blindly plopped that word on any HTTPS page, giving a false user impression for anyone who randomly glances in that general direction.

The "https" system was basically announced as secure since ~1995, originally via popups. This implied that it's secure in that you aren't going to get phished, have content tampered, etc. While the notification changed from a big popup over to an icon in the status bar, I still consider it a big issue when it's misrepresented as secure.

If you don't check the domain it's pointless.

Still won't help, one just needs the domains that uses unicode characters that look like English letters, or simply have a typo similar to switching "l" and "I" around. This requires going back and forth between the browser and some external program to check the text, and eventually causes the user to become bored of this excessive verification.

Or worse, a punycode domain that looked like apple.com - something that was a problem with Google Chrome previously.

be careful here!

[AndyKron]

So there's a 49% chance that /. is a phishing site. Yikes!

Re:Thanks Let's Encrypt

[DontBeAMoran]

All these problems could have been avoided if Let's Encrypt had know about RFC 3514.

Totally flawed system really only for $$$

[bussdriver]

Governments issue corporation documents and reasonably track that information. I remember needing a state ID along with paperwork to incorporate.

The government can relatively CHEAPLY use open source tools and some existing servers to digitally sign things.... SSL should be using MULTIPLE signing parties with the government incorporation data and it's "stamp of approval" for the corporation behind the site existing. At least then you can trace it back to the government and then to the business owners.

3rd parties signing off on network security, storage security, malware security, privacy or BBB or whatever they do to approve. These should involve classes of approval: a simple string indicating the class of approval, start with a standard list that the browsers can react appropriately to. Such as warning users if a credit card is entered into a site that lacks a certification for that purpose; address info, etc.

Re:Totally flawed system really only for $$$

[tepples]

Under your proposal, how would it be practical for an individual writer to sell subscriptions to read her writing on her website? Or would you prefer that all subscriptions go through a single point of failure such as Patreon?

Did HTTPS upgrade popups mention phishing?

[tepples]

[Early notices about navigating to an HTTPS site] implied that it's secure in that you aren't going to get phished, have content tampered, etc.

I seem to remember the notices being phrased to the effect "Information you submit cannot be seen or changed by others while in transit". That covers the case of tampering and MITM phishing but not typosquat phishing.

Online college; K-12 students with poor parents

[tepples]

Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer.

In the case of face-to-face instruction, a key signing party at freshman orientation is practical. But in the case of an online university, how would trusted introduction be accomplished?

So, it really would be a good test for whether or not someone is ready to graduate middle school.

Now you mention that you meant middle school, not college. In the case of middle school, how would a student with underprivileged parents afford a computer and Internet access in the first place with which to complete and submit homework? I don't see how it would be practical to expect every student to work to afford his or her own computer, as the child labor laws of the several U.S. states tend to prohibit any sort of non-farm employment until age 14, and most entry-level employers include in the job description at least one duty that states prohibit until 16.

Re:ummm

[Opportunist]

Unfortunately it's been peddled in "computer magazines" where writers who, at the most, know that TCP ain't the abbreviation for the Chinese secret service hand out advice to their even less computer literate audience.

Re:Thanks Let's Encrypt

[Opportunist]

Let's Encrypt does exactly what the certificate issued can do: Verify that the webpage the traffic originates at is the webpage in the URL line. Nothing more, nothing less.

And no CA can actually guarantee anything else.

Try using a modern cert for SSL

[raymorris]

Try using a modern certificate in an SSL server, such as Apache 1.2.

Some people mistakenly call it SSL. That doesn't make it SSL.

For example, you can call OpenVPN an SSL connection, but the fact is, it doesn't support SSL and it never has. It speaks TLS.

Re: Certificate Authorites are not giving us value

[hakioawa]

Actually they are the problem. The majority, and yes I mean that, of these phishing sites are using letâ(TM)s encrypt certs.