Slashdot Mirror


Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com)

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

7 of 141 comments

  1. Good job web browsers! by Dan East · Score: 5, Insightful

    And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

    --
    Better known as 318230.
    1. Re:Good job web browsers! by sinij · Score: 3, Interesting

      To be fair, pervasive surveillance isn't a minor problem. Otherwise, spot on.

    2. Re:Good job web browsers! by Anonymous Coward · Score: 5, Informative

      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

    3. Re:Good job web browsers! by dissy · Score: 3, Interesting

      That is exceptionally worrying...

      First:
      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.

      Then you contradict that:
      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

      You really *really* need to look your website over page by page and through the html files.
      They no longer contain what you think they do; they have been changed, and changed to require your visitors to submit form field data back to your server.

      If you didn't set that up, your site has been hacked.

  2. lock AND the url by charliemerritt03 · Score: 3, Insightful

    I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that it's gmail.com and not gmale.com, part of being an adult netizen.
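A defender-side check for the "lock AND the URL" advice above, as an added example that is not part of the thread: it parses a URL the way a browser does, reports the padlock (https) separately from whether the host is a domain the user actually trusts, and flags the lookalike patterns the thread mentions (gmale.com, a trusted name buried in another host, a trusted name in the user@ part, punycode labels). The allowlist and the edit-distance threshold are constructed assumptions, not anything from the article.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains this user genuinely signs in to.
TRUSTED_DOMAINS = frozenset({"gmail.com", "google.com"})

def host_of(url):
    """Lower-cased, IDNA-encoded hostname of url, or None if it cannot be parsed."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname                       # drops user@, :port and [ ] brackets
    if not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")   # non-ASCII labels become xn--...
    except UnicodeError:
        return None
    return host.rstrip(".").lower()

def edit_distance(a, b):
    """Levenshtein distance; used to catch typo-squats such as gmale.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (host, has_padlock, verdict). The padlock never changes the verdict:
    it only says the connection is encrypted, not who is on the other end."""
    parts = urlsplit(url.strip())
    has_padlock = parts.scheme.lower() == "https"
    host = host_of(url)
    if host is None:
        return (None, has_padlock, "unparseable")
    if parts.username is not None:              # 'gmail.com@evil.example' trick
        return (host, has_padlock, "lookalike")
    if any(host == d or host.endswith("." + d) for d in trusted):
        return (host, has_padlock, "trusted")
    labels = host.split(".")
    for d in trusted:
        base = d.split(".")[0]                  # 'gmail' from 'gmail.com'
        # Trusted name buried in an untrusted host, or a non-TLD label within
        # two edits of it ('gmale'): deliberately aggressive, expect false positives.
        if d in host or any(edit_distance(l, base) <= 2 for l in labels[:-1]):
            return (host, has_padlock, "lookalike")
    if any(l.startswith("xn--") for l in labels):
        return (host, has_padlock, "lookalike")  # punycode label: possible homograph
    return (host, has_padlock, "untrusted")
```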

  3. Re:SSL by Anonymous Coward · Score: 3, Funny

    I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...

  4. HTTPS deters tampering by tepples · Score: 4, Informative

    I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.