For years, Google, Apple, Firefox, and Microsoft tirelessly pointed out that to avoid transacting with fraudulent sites, you should make sure your browser's "padlock" is closed, green, or indicates that a site is "secure". Now, cybersecurity companies are emphasizing that those padlocks are not enough to provide trustworthiness.
"You have to look beyond the padlock," said Dean Coclin, Senior Director of Business Development at DigiCert. "Simply, you can no longer trust them."
This is because, years after all major browsers added visual security signals to their address bars, they are now removing them, leaving only the padlock, which on its own is not enough to tell whether a site is really safe.
The Anti-Phishing Working Group (APWG) published a study that tracked a large increase in phishing attacks in the second quarter of 2020. The increase involves fraudulent sites using the cryptographic protocol Transport Layer Security or TLS, more commonly known by its legacy name Secure Sockets Layer, or SSL.
SSL padlocks indicate that the browser is using a secure, encrypted communication protocol with the server hosting the requested website. The padlock is complemented by the "HTTPS" prefix in the browser's address bar, which means that the browser is transmitting information in encrypted form.
According to the APWG report, 80 percent of phishing sites used SSL certificates in the second quarter. Attacks ranged from phishing lures targeting false bank transfer sites to social media platforms like Facebook and WhatsApp receiving links to suspicious domains.
The availability of free or very low-cost TLS/SSL certificates, without validating the identity of the website owner, has harmed Internet security in recent years. But today the problem has become chronic, said Coclin. "Since the last major browser added SSL warnings to its address bar, hackers have been forced to use SSL/TLS padlocks too," he said.
Fraudulent domain certificates have been mainly limited to criminals who acquire so-called domain-validated certificates obtained for free through services like Let's Encrypt.
Domain-validated certificates are a basic solution for protecting communications between a web browser and a server through TLS encryption. Several free services run an automated system that only verifies that an applicant has control over a domain before issuing a free certificate. Experts say this system is open to abuse, since certificates are issued without any other kind of control or validation.
Without a doubt, Extended Validation (EV) and Organizational Validation (OV) certificates are safer. These higher-level certificates used by banks, insurance companies, and e-commerce sites require thorough investigation of applicants to ensure that the sites are who they claim to be and owned by legitimate owners.
Figure: Percentage of phishing attacks hosted on HTTPS
The main concern has been that domain-validated certificates offer criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to infiltrate malware through corporate firewalls.
Unsuspecting users may think they are communicating with a trusted site because its identity has been validated by a certificate authority, without realizing that the issuance process for these certificates has only validated the domain, not whether its owner or administrator is a legitimate company or organization.
The remedy of browser companies, said Coclin, has been to implement new safe browsing tools such as Google Safe Browsing for Chrome and Microsoft's SmartScreen filter, which facilitates safe browsing for Internet Explorer and Edge browsers.
Coclin warns that these are temporary solutions and that what really needs to be done is a review of the domain registration system. "First of all, I don't know why people can register clearly fraudulent domains," he said. "The problem is that no one wants to own this issue. And until someone does, users need to look a little beyond the padlock."
It is very important that when browsing a transactional website you verify the data in the certificate to confirm who the site owner is (provided it is an Organization Validated or Extended Validation certificate, since Domain Validated ones do not carry that information). This way, users can verify whether the site operator is indeed the company they intend to do business with. To do this, simply click on the padlock icon in the address bar.
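The distinction the article draws between domain-validated and OV/EV certificates, and the advice to look at the certificate's subject rather than the padlock alone, can be checked programmatically. The script below is an added example, not code from the article or from DigiCert. It uses only the Python standard library: `fetch_peer_cert` retrieves a live site's certificate through `ssl.create_default_context()` (which still enforces chain and hostname verification), while `inspect_cert` reports what the padlock does not show, namely whether the subject carries an organization name (absent on DV certificates), who the issuer is, whether the certificate's DNS names actually cover the host you meant to reach, and whether it has expired. The two sample certificate dictionaries are constructed in the shape `getpeercert()` returns; their names, issuers and dates are made up for illustration.

```python
import socket
import ssl
import sys
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# They are illustrative only: names, issuers and dates are made up.
DV_SAMPLE = {
    "subject": ((("commonName", "login-examplebank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Free CA"),),
        (("commonName", "Example Free CA R3"),),
    ),
    "notBefore": "Jun  1 00:00:00 2020 GMT",
    "notAfter": "Aug 30 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "login-examplebank.example"),),
}

OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("organizationName", "Example Bank, Inc."),),
        (("commonName", "www.examplebank.example"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Commercial CA"),),
        (("commonName", "Example OV Server CA"),),
    ),
    "notBefore": "Jun  1 00:00:00 2020 GMT",
    "notAfter": "Jun  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "www.examplebank.example"), ("DNS", "examplebank.example")),
}


def name_field(cert, section, field):
    """First value of `field` (e.g. 'organizationName') in cert[section], or None."""
    for rdn in cert.get(section, ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def san_dns_names(cert):
    """DNS names from the subjectAltName extension (what browsers actually match on)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, pattern):
    """Exact match, or a single leading wildcard label covering exactly one label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def classify_validation(cert):
    """DV certificates carry no organizationName in the subject; OV and EV do."""
    return "DV" if name_field(cert, "subject", "organizationName") is None else "OV/EV"


def inspect_cert(cert, hostname, now_seconds):
    """Summarise what the padlock alone does not show: who the subject is, who issued
    the certificate, whether its names cover the intended host, and whether it expired."""
    return {
        "validation": classify_validation(cert),
        "organization": name_field(cert, "subject", "organizationName"),
        "issuer": name_field(cert, "issuer", "organizationName"),
        "dns_names": san_dns_names(cert),
        "hostname_ok": any(hostname_matches(hostname, n) for n in san_dns_names(cert)),
        "expired": now_seconds > ssl.cert_time_to_seconds(cert["notAfter"]),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live site's certificate with the default verifying context (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(cert, hostname, now_seconds):
    info = inspect_cert(cert, hostname, now_seconds)
    print(f"{hostname}: {info['validation']} certificate")
    print(f"  subject organization : {info['organization'] or '(none: identity not validated)'}")
    print(f"  issuer               : {info['issuer']}")
    print(f"  name matches host    : {info['hostname_ok']}")
    print(f"  expired              : {info['expired']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        report(fetch_peer_cert(host), host, time.time())
    else:
        # Offline run over the constructed samples; 1593561600 is 2020-07-01 00:00:00 UTC.
        report(DV_SAMPLE, "login-examplebank.example", 1593561600)
        report(OV_SAMPLE, "www.examplebank.example", 1593561600)
```

Run without arguments to see the two constructed samples compared, or with a hostname to inspect a real site. A DV certificate will print no subject organization at all, which is exactly the gap the article describes: the connection is encrypted and the name matches, but nobody has vouched for who operates the site. Note that `getpeercert()` only returns a populated dictionary when the context verified the chain, so an untrusted or self-signed certificate fails at connection time rather than being reported as "DV".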