Here’s why you shouldn’t automatically trust a green padlock on websites

28 Nov 2018


Malware is becoming increasingly sophisticated and even when you think a website you visit is safe, it might not actually be.

While Black Friday and Cyber Monday have passed, online shopping will remain popular in the run-up to Christmas. But while millions are searching for the perfect gift online, so too are countless scammers, ready to trick unsuspecting people into handing over their financial details.

One of the latest tricks was highlighted by Krebs on Security, which warned that while we once thought the green padlock icon on a browser’s website address bar was the sign of a legitimate website, that can no longer be taken as fact. Recent research has shown that almost half of all phishing sites in the third quarter of 2018 had a green padlock in the address bar, up from 35pc earlier this year and 25pc from more than a year ago.

The findings, compiled by PhishLabs, showed that customer trust in the green padlock is strong, with 80pc of respondents in a survey saying they trust a website when they see it. In reality, the padlock only tells the user that secure sockets layer (SSL) is encrypting the data sent between the browser and the site, not that the site is protected from hackers.

Real big phish

Explaining how scammers are gaming the SSL system, John LaCour, chief technology officer of PhishLabs, said: “PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for websites that do not use SSL.

“The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”

Browser developers work with security organisations to find phishing sites and flag them to users – represented by the red warning signs that a site being visited is not safe – but the sheer number of such sites makes it difficult to remove them all quickly.

In one instance, a site replaced the letter ‘I’ on one website’s landing page with the Vietnamese character for ‘I’, which looks indistinguishable at a quick glance, due in part to the way the internationalised domain names (IDN) system is displayed.

As Brian Krebs explained, the Firefox browser is currently the most affected by IDN ambiguity in the address bar, whereas Chrome, Internet Explorer and Edge display addresses in the somewhat clunkier Punycode form.
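The lookalike-character problem described above can be checked mechanically. The Python sketch below is an added example, not code from the article, PhishLabs or any browser; the function name `inspect_hostname` and the sample hostname are constructed for illustration. It converts a hostname to its Punycode form and names every non-ASCII character found in it.

```python
import unicodedata


def inspect_hostname(hostname):
    """Return the Punycode (xn--) form of a hostname and list every
    non-ASCII character in it, so a lookalike letter is made visible."""
    host = hostname.rstrip(".").lower()
    ascii_labels, non_ascii = [], []
    for label in host.split("."):
        try:
            if not label:
                raise UnicodeError("empty label")
            # Built-in "idna" codec (IDNA 2003): non-ASCII labels become xn--...
            ascii_labels.append(label.encode("idna").decode("ascii"))
        except UnicodeError:
            # Empty, over-long or unencodable label: treat the host as invalid.
            return {"valid": False, "ascii": None,
                    "non_ascii": [], "suspicious": True}
        for ch in label:
            if ord(ch) > 127:
                non_ascii.append({
                    "label": label,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "UNKNOWN"),
                })
    return {"valid": True, "ascii": ".".join(ascii_labels),
            "non_ascii": non_ascii, "suspicious": bool(non_ascii)}


if __name__ == "__main__":
    # Constructed sample: "online-shop.example" with the i replaced by
    # U+1ECB, next to the genuine all-ASCII spelling.
    for name in ("onl\u1ecbne-shop.example", "online-shop.example"):
        report = inspect_hostname(name)
        print(name, "->", report["ascii"])
        for hit in report["non_ascii"]:
            print("   ", hit["codepoint"], hit["name"], "in", hit["label"])
```

A mail filter or proxy log review could apply the same check to hostnames in links and flag any that are marked suspicious for a closer look.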

Colm Gorey was a senior journalist with Silicon Republic
