Slashdot Mirror


Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com)

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

16 of 141 comments

  1. Good job web browsers! by Dan+East · · Score: 5, Insightful

    And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

    --
    Better known as 318230.
    1. Re:Good job web browsers! by sinij · · Score: 3, Interesting

      To be fair, pervasive surveillance isn't a minor problem. Otherwise, spot on.

    2. Re:Good job web browsers! by Anonymous Coward · · Score: 5, Informative

      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

    3. Re:Good job web browsers! by hcs_$reboot · · Score: 2

      Nobody said an https site is not a phishing site. Https is said to be secure because it prevents communication between a client and a server from being eavesdropped. The padlock does not say "safe", it says "secure connection". Now some people could be a bit confused, but I doubt unknowledgeable users tell the difference between http and https in the first place.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Good job web browsers! by Junta · · Score: 2

      Perhaps a different icon; a padlock says 'secure'. We need something that suggests a protected/confidential link rather than a secure link.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re:Good job web browsers! by chispito · · Score: 2

      Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.

      But now your site is safer. Your site visitors are much less at risk of being man in the middled than they previously were.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    6. Re:Good job web browsers! by dissy · · Score: 3, Interesting

      That is exceptionally worrying...

      First:
      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.

      Then you contradict that:
      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

      You really *really* need to look your website over page by page and through the html files.
      They no longer contain what you think they do, they have been changed, and changed to require your visitors to submit form field data back to your server.

      If you didn't set that up, your site has been hacked.

    7. Re:Good job web browsers! by sootman · · Score: 2

      > Browsers only warn on non-ssl sites if you are submitting data back to
      > them. Not a single one warns if you don't do that.

      WRONG. Go to an HTTP site in Chrome and it says (i) Not Secure in the URL bar starting with the very first visit.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  2. lock AND the url by charliemerritt03 · · Score: 3, Insightful

    I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that it's gmail.com and not gmale.com, part of being an adult netizen.

  3. Certificate Authorities are not giving us value. by jellomizer · · Score: 2

    These certificates are often expensive, relatively complex to set up, and rarely ever give any real value. A self-signed cert will offer the same level of encryption (sometimes more, because the cert authorities may pay more for automatically generating more bits). The original value of these cert authorities was so we would be sure that the site we went to was an authentic business, where you could prove you are who you say you are. But they have been giving certs to anyone without any research; as long as you pay the bill you are good to go, so you are not getting value out of these certs except for the artificial browser scary error that you are a horrible person for using an unauthorized cert.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Certificate Authorities are not giving us value. by Junta · · Score: 2

      There may be flaws in the CA system, but this article isn't really related.

      The problem is that users aren't even bothering to see *what* the authority validated. A CA can't reasonably figure out that serveirc.com is going to try to impersonate paypal.com. They can revoke that certificate upon reporting abuse and such. The CA and DNS can do things to prevent shenanigans like paypa1.com or more clever unicode things, but at some point the user *has* to validate some part of the UI that *isn't* totally controlled by the site operator.

      --
      XML is like violence. If it doesn't solve the problem, use more.
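charliemerritt03's "lock & URL" advice and Junta's paypa1.com / unicode point above both come down to the same check: is the name in the address bar the brand the user thinks it is? As an added example, not code from the article or from any commenter, here is the kind of lookalike screening a mail gateway or browser extension can run before the user trusts the lock. It uses only the Python standard library; the trusted-domain list, the confusable subset, the edit-distance threshold and the "last two labels" rule for the registrable domain are all assumptions made for the demonstration (a real deployment would use the Unicode confusables data from UTS #39 and the Public Suffix List).

```python
import unicodedata

# Constructed for the example: the domains this user actually holds accounts at.
TRUSTED_DOMAINS = {"paypal.com", "gmail.com", "google.com", "example.com"}

# Constructed subset of confusable characters folded to an ASCII "skeleton".
# A real deployment would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "rn": "m",
    "1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic i
    "\u0131": "i",  # Latin dotless i
}


def to_unicode_host(host: str) -> str:
    """Lower-case the host and decode punycode (xn--) labels so that an IDN
    homograph is compared by its glyphs, not by its ASCII encoding."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not a valid IDN label: compare as-is


def skeleton(host: str) -> str:
    """Fold a hostname into a comparable skeleton: NFKC normalisation, then the
    confusable map, longest sequences first so that "rn" -> "m" is applied."""
    s = unicodedata.normalize("NFKC", to_unicode_host(host))
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Last two labels; a crude stand-in for a Public Suffix List lookup
    (assumption: no co.uk-style suffixes in the data)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch typo-squats such as gmale.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike:<brand>' or 'unknown' for a hostname."""
    reg = registrable(to_unicode_host(host))
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(reg)
    sk_name, _, sk_tld = sk.rpartition(".")
    for brand in sorted(TRUSTED_DOMAINS):
        # Homograph or digit-for-letter substitution: identical skeletons.
        if sk == skeleton(brand):
            return f"lookalike:{brand}"
        # Typo-squat: same TLD, one or two edits away from a brand name.
        name, _, tld = brand.rpartition(".")
        if tld == sk_tld and len(name) >= 5 and levenshtein(sk_name, name) <= 2:
            return f"lookalike:{brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed inputs: a subdomain of a trusted site, a digit swap, a typo
    # squat, an IDN homograph (Cyrillic a) and an unrelated site.
    homograph = "p\u0430ypal.com".encode("idna").decode("ascii")
    for h in ["accounts.google.com", "paypa1.com", "gmale.com", homograph, "slashdot.org"]:
        print(f"{h:30} {classify(h)}")
```

The skeleton comparison catches the substitutions a valid DV certificate will happily cover (paypa1.com, the Cyrillic-a variant), and the edit-distance rule catches the gmale.com case; neither check needs anything from the certificate, which is the point Junta makes: the CA validated the name as spelled, and only something outside the site operator's control can flag that the spelling is wrong.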
  4. Re:SSL by Anonymous Coward · · Score: 3, Funny

    I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...

  5. HTTPS deters tampering by tepples · · Score: 4, Informative

    I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.

    1. Re:HTTPS deters tampering by Sigma+7 · · Score: 2

      With HTTPS being prevalent, it's not difficult for ISPs to have an install disk that sets up your computer for optimal browsing (i.e. installs a root certificate that tricks browsers into accepting intercepted HTTPS content.)

      It probably already happened with SuperFish and Lenovo.

  6. Re:Pervasive surveillance v.s. censorship by Opportunist · · Score: 2

    All a certificate does is to verify that traffic that you think originated from www.whateverserver.com actually does originate from www.whateverserver.com.

    And for this you needn't register any personally identifiable information with anyone.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
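Opportunist's description above (the certificate verifies that traffic you think came from www.whateverserver.com really came from www.whateverserver.com) is exactly the check that decides whether the padlock appears. As an added example, not code from the article, Slashdot or any commenter, here is that name-matching step written out the way browsers apply it, run against constructed certificate records. The records are assumptions for the demonstration: plain dicts holding only the dNSName entries of the subjectAltName extension and a flag for whether the chain validated, not real certificates.

```python
def _label_ok(pattern_label: str, host_label: str) -> bool:
    if pattern_label == "*":
        # A wildcard stands for exactly one whole, non-empty label.
        return host_label != ""
    return pattern_label == host_label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching as browsers apply it:
    - comparison is case-insensitive, trailing dots are ignored,
    - a wildcard is allowed only as the entire left-most label,
    - it matches exactly one label, so *.example.com matches www.example.com
      but neither example.com nor a.b.example.com,
    - partial wildcards (w*.example.com) and *.com are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_ok(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert_sans, hostname: str) -> bool:
    """True if any dNSName SAN entry covers the host. The subject CN is
    deliberately ignored, as current browsers do."""
    return any(dns_name_matches(san, hostname) for san in cert_sans)


def padlock_shown(hostname: str, cert: dict) -> bool:
    """What the lock icon attests: the chain validates to a trusted root AND
    the name in the address bar is covered by the certificate. Nothing here
    asks whether the operator is the organisation the user has in mind."""
    return bool(cert["chain_validates"]) and cert_matches_host(cert["san"], hostname)


# Constructed certificate records (assumptions, not real certificates).
LEGIT = {"san": ["paypal.com", "www.paypal.com"], "chain_validates": True}
PHISH = {"san": ["paypa1.com", "*.paypa1.com"], "chain_validates": True}  # a DV cert, freely issued
SELF_SIGNED = {"san": ["example.org"], "chain_validates": False}

if __name__ == "__main__":
    for host, cert, label in [
        ("paypal.com", LEGIT, "legit"),
        ("www.paypa1.com", PHISH, "phish, own valid cert"),
        ("www.paypal.com", PHISH, "phish cert presented for the real name"),
        ("example.org", SELF_SIGNED, "self-signed"),
    ]:
        print(f"{host:18} {label:40} padlock={padlock_shown(host, cert)}")
```

The phishing record gets the padlock for its own name and is refused for paypal.com, which is all the check can do: it binds the key to the spelled-out name, and a certificate for paypa1.com is as valid as one for paypal.com. That is why the lock cannot stand in for reading the URL.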
  7. It's also WRONG by raymorris · · Score: 2

    > In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL)

    SSL was a protocol used by Netscape in the 1990s.
    For the last decade or two we've been using TLS.