Online shoppers are often encouraged to ensure that their chosen online stores are 'secure', that the 's' in HTTPS is visible, and that the web browser displays a lock symbol. Propagating these visible indicators as confirmation of website security is not only irresponsible; it's also dangerous.
As Brian Krebs recently pointed out on Krebs on Security, even U.S. government and Federal websites are guilty of this practice, as if the padlock guarantees the official and secure nature of the site. It's not the case. The lock symbol and related URL containing 'https' simply mean that the connection between your web browser and the website server is encrypted. That's good, right? Yes, an encrypted connection is a positive, at least on the surface, and implies an elevated level of trust that's supposedly achieved by the use of an SSL certificate.
As discussed in a previous article, SSL certs themselves come in many forms, from DIY efforts using OpenSSL (you can even be your own Certificate Authority) and free ones from Let's Encrypt to purchased solutions from 'recognized' certificate authorities. None do anything more than confirm ownership of a domain, and other than confirming encryption, do not confirm the security practices of that website in any way. It does confirm that the website owner has admin access to the webserver and has verified his/her identity in a way that varies according to the SSL cert selected.
Let's illustrate the necessary steps users should take when deciding whether to trust a website and, in some cases, how easy it is for cybercriminals to circumvent so-called verification processes.
According to PhishLabs, in the last quarter of 2019, 74% of reported phishing websites were 'secure,' being both HTTPS and with the lock symbol. I could end this post right here, having proven that both criteria are worthless in terms of security. But I won't…
HTTPS Means Nothing
The sole benefit of HTTPS is that it more or less forces encrypted connections online as, without it, many browsers will refuse to access the site and display a warning. If the user still wants to connect to the 'insecure site,' it is possible, but the warning is given, which will deter most users. Unfortunately, cybercriminals are not dumb so most will use SSL encryption, as mentioned previously. Congratulations, you now have a direct encrypted connection to a cybercriminal's website, one that is specifically designed for phishing attacks, malware delivery, or other motivations such as data harvesting.
Domains Cannot Be Trusted
Anyone can set up a website with hosting costs ranging from free (whether legitimate or hacked subdomains) and budget to dedicated servers. Some domains are trusted more than others, but as Brian Krebs demonstrated (yes, I'm a regular reader) once again, even .gov domains (reserved for government organizations in the U.S.) can easily be spoofed when those seeking the domain for scams are prepared to use illegal methods. The level of research required was minimal. I'm assuming that .mil and .edu domains are more robust, but who knows, right? One of my own domains uses .com.hk and is only available to Hong Kong-registered companies. It was a pain to set up – requiring several emails, copies of my business registration cert, company bank account, my passport, and residency details. But at least I know that the process is a good one, involving a cross-check with several government departments. The same is not true of .com and other top-level domains, regardless of location. If anyone can get one, how can it add trust to a website?
Whois Verification Is Mostly Worthless
To prevent spam, most websites hide website contact information or, at best, provide general contacts only. Also, the hosting provider can be located anywhere and rarely reflects the physical location of the business.
Due Diligence Is Always Necessary
As mentioned in prior articles, I own and maintain a few low-traffic websites. I went with free Let's Encrypt SSL certs (courtesy of my hosting provider) for convenience. I have no e-commerce in place at the moment and use payment gateways and direct lodgment to company accounts as preferred payment options. Therefore, I have no PCI-DSS requirements, leaving others to handle that nightmare.
The Risks Of Relying On HTTPS As A Primary Indication of Security
Cybercriminals use HTTPS for the most part, and the websites themselves are often linked to phishing or malware campaigns. You can arrive there from an email link, as a result of a search engine query or referral from another site. Yes, they are aware of SEO as well. The thing is, of course, they own the websites so they can install anything they wish to make their objectives succeed.
A free download could wreak havoc on your system or launch keylogging tools, clicking a link could launch a program or edit the registry in the background as notification windows are often deliberately avoided. Clicking anything on these sites could cause issues. In fact, even loading a web page could do so as there are many plugins available to harvest visitor data once they connect to the site. If your OS or web browser has a vulnerability (even basic visitor tracking tools can obtain browser and OS specifics), then you're open to an attack. They will have your IP address (unless you use a VPN) to launch the appropriate hacking tool.
Some Tips And Warning Signs To Protect Yourself Online
The following (not an exhaustive list) tips will reduce risk while web browsing:
Security Updates and Patches for Browsers, OS and Software
Install them promptly as hackers and penetration testers alike have access to publicly available data on the latest vulnerabilities and can use tools to scan for specific ones.
Use Secure Browsers (with inbuilt security options)
Your selection is a personal preference. I use five or six different browsers, including Brave, Firefox, and Tor.
Use Addons and Extensions to Protect Browsing
Adding to the security of your Web browser is a good idea. Anything from the Electronic Frontier Foundation is a worthy addition, as is DuckDuckGo's Privacy Essentials.
Use a VPN to hide your actual IP address and cycle it every 30 minutes or so. Even free ones will hide you from cybercriminals. Make your selection wisely as some VPNs merely harvest data for marketers and are themselves later targeted by hackers. I use a commercial solution.
Using a tool such as SEO Quake can provide some clues on the legitimacy of a website, including the age, number of external and internal links, and much more.
In conclusion, when you visit new websites, don't rely on the lock symbol or HTTPS. Take this site and consider why you are here. Progress is a well-known brand with a global reach. Most of us stick to established brands, but a search could lead you to a new product or service provider. Do your due diligence before making a purchase or even exploring a new site. Search for the domain name in quotes and add 'review' or 'scam' to aid verification (bearing in mind that fake reviews and related sites are also possible). Yes, scammers do think of everything. Best of luck…