Krebs on Security reported today that Half of all Phishing Sites Now Have the Padlock and warned: “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with ‘https://’… The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.” In response, security experts commented below.
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“The ‘green padlock’ icon is a red herring, as it misleads users into having a false sense of security. Many website visitors assume it means a website is safe to use, but this is not the case, not by a long shot.
Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites. It does not cost them anything to get an SSL certificate from Let’s Encrypt to obtain the ‘green padlock’. In fact, Let’s Encrypt has become the largest certificate issuer in the world, with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The study goes to show that there’s no one way to identify a phishing website. Making sure the site has a valid SSL certificate, indicated by HTTPS and a padlock in the URL bar, is just one step. Users should also look for character replacement (‘punycode’), subdomains, and other inconsistencies in a site’s real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site.
The PhishLabs study brings up an interesting discussion about the role of certificate authorities and browser makers. Certificate authorities like Let’s Encrypt make the web safer by making it cheap and easy for websites to use HTTPS, but they also lower the barrier for criminals. HTTPS instills trust in site visitors, so some argue certificate authorities should vet who they sell SSL certificates to. On the other hand, many experts argue that browser makers misrepresent what HTTPS accomplishes: encryption and authentication. It does not necessarily verify that the website owner is a legitimate entity.”
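The checks Bischoff lists above (punycode or character replacement in the hostname, a brand name tucked into a subdomain, and comparing the registrable domain against the real one) can be automated. The following is an added worked example written for this page; it is not code from PhishLabs, Krebs on Security, or any of the quoted experts. The brand list, the small Cyrillic-to-Latin confusables table, and the sample URLs are constructed for illustration, and the registrable domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
"""Heuristic phishing-URL inspector: homograph/punycode hostnames,
mixed-script labels and brand names misplaced in the hostname.
Added example for this page, not code from PhishLabs or the quoted experts."""
import unicodedata
from urllib.parse import urlsplit

# Constructed brand -> official registrable domain table (illustration only).
BRANDS = {"apple": "apple.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}

# Constructed subset of Unicode TR39 confusables: Cyrillic letters that render
# identically to Latin ones. A real deployment would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def to_punycode_host(host):
    """Encode non-ASCII labels as xn-- A-labels (raw punycode, no nameprep)."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def decode_label(label):
    """Turn an xn-- A-label back into its Unicode form; other labels unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep raw, still visibly xn--
    return label


def scripts_of(label):
    """Set of script names (first word of the Unicode name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(text):
    """Map confusable characters to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def inspect_url(url, brands=BRANDS):
    """Return indicator flags for one URL. Indicators, not a verdict: legitimate
    IDN sites use punycode too, which is why punycode alone is only reported."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    decoded = [decode_label(lbl) for lbl in labels]
    # Approximation: registrable domain = last two labels (no Public Suffix List).
    registrable = ".".join(decoded[-2:])
    subdomain = ".".join(decoded[:-2])

    hits = []  # (brand, kind, detail)
    for brand, official in brands.items():
        if registrable == official:
            continue  # the real domain; a brand in its own subdomain is fine
        if skeleton(registrable) == official:
            hits.append((brand, "homograph", f"{registrable} looks like {official}"))
        elif brand in subdomain:
            hits.append((brand, "brand_in_subdomain", f"{brand} under {registrable}"))
        elif brand in registrable:
            hits.append((brand, "brand_in_domain", f"{brand} inside {registrable}"))

    mixed = any(len(scripts_of(lbl)) > 1 for lbl in decoded)
    return {
        "host": host,
        "unicode_host": ".".join(decoded),
        "registrable_domain": registrable,
        "punycode": any(lbl.lower().startswith("xn--") for lbl in labels),
        "mixed_script": mixed,
        "brand_hits": hits,
        "suspicious": mixed or bool(hits),
    }


if __name__ == "__main__":
    # Constructed sample URLs; the first uses a Cyrillic 'а' (U+0430) as in
    # well-known homograph demonstrations, the rest abuse subdomains/naming.
    samples = [
        "https://" + to_punycode_host("\u0430pple.com") + "/login",
        "https://paypal.com.secure-login.example/",
        "https://microsoft-verify.example/",
        "https://www.paypal.com/signin",
    ]
    for u in samples:
        r = inspect_url(u)
        print(f"{u}\n  -> {r['unicode_host']} suspicious={r['suspicious']} hits={r['brand_hits']}")
```

Note that the HTTPS scheme is deliberately not consulted: every sample would pass a padlock check, which is the point of the study. The homograph branch only fires once the A-label has been decoded; checking the raw `xn--` string against a brand list would miss it.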