Over 90% of web traffic across Google is now over HTTPS. In other words, for every 10 websites people visit via Chrome using Windows, only one is not secure. This in itself is a remarkable achievement, since just five years ago, only half of the web had been using HTTPS.
SSL certificates have become the norm, and users have learned to associate the padlock with a trustworthy website. How can it be any other way when the “S” at the end of “HTTP” stands for “secure”? But “secure” is a generic term, and for many, it means more than what it does.
When someone fills in a payment form online, HTTPS encrypts the sensitive data while it travels from a user’s browser to a website’s server. Without an SSL certificate to protect it, all personal information remains in plain text and becomes an easy target for cyber-criminals.
The TLS protocol does a great job to secure users’ privacy, but that’s a narrow segment of the overall web security. Unfortunately, many still perceive the padlock and the “S” as the ultimate proof of an authentic website. This erroneous perception and the advent of free SSL certificates has played right into hackers’ hands.
How free SSL certificates became a double-edged sword?
Everyone loves free stuff. And, when it’s backed by Google, Mozilla, and Facebook, few question it. It was 2014 when Google announced its intention to encrypt the whole web. In the same year, the open-source certificate authority Let’s Encrypt issued its first SSL certificate. With such reputable sponsors, Let’s Encrypt became the driving force behind web encryption, signing more than 380 million certificates in the first three years.
Today, hosting companies offer Let’s Encrypt or AutoSSL (another free SSL option) as a feature of their shared hosting packages. Since free SSL certificates authenticate the domain name only, anyone can get them, including scammers and cyber-criminals. Unsurprisingly, online thieves are using free SSL certificates in their sophisticated phishing schemes, with almost 60% of the phishing sites now secure. What’s worse, this figure will increase in the coming years. You know the situation is out of control when the FBI has to intervene.
FBI issues warning about HTTPS Phishing
In an attempt to reduce the number of phishing victims (among them, even the mighty Facebook and Google), the FBI issued the following recommendations:
- Do not blindly trust the name on an email: question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, ensure the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
The FBI warning is a stern reminder to Certificate Authorities and browsers to re-evaluate the security trust indicators we all look for and use. In this context, is the padlock still viable? At least one company thinks it’s useless.
Google Chrome plans to phase out the SSL padlock icon
For Google, safe websites should be the norm on the internet. The company is doing a great job so far about encryption, even if phishers also benefit from it. When something becomes common, there’s no more need to remind everyone about it. At least that’s what Google thinks.
Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure.
– Emily Schechter, Product Manager, Chrome Security
Google got rid of the “Secure” label in Chrome 69 and soon or later will remove the padlock as well. In n perfect environment, this move makes perfect sense, but the elephant in the room remains. Some would argue that the absence of padlock in tandem with free SSL certificates will mask even more a phishing site. The good news is we already have an efficient answer to the phishing problem, and the more companies embrace it, the safer our internet will be.
Extended Validation Certificates prevent phishing
Extended Validation, or simply EV certs, are still relatively new to the SSL industry. The CA/Browser forum ratified the first version of the EV guidelines in 2007. A decade later, EV SSL is a crucial security element of large companies and financial institutions.
The most important EV feature used to be the famous green address bar with the company’s name next to the URL. Even if the green bar is gone now, EV SSLs are still more than just a nice spot in a condensed space to display your official business name. By confirming business identity, the EV certificates also prevent phishing attacks. Customers instantly know that the website in question is safe and genuine. Moreover, since EV certs require comprehensive verification of a company’s legal status before approval, the chances of issuing a fake EV cert are none.
Free and affordable SSL certificates have improved web security. Sharing sensitive data across the web is now much safer than only a few years ago. However, the accessibility of free SSL certs has helped the dark side as well. With free SSL certs, phishers have taken their deception to another level – harder to detect and difficult to prevent. As industry experts continue to raise users’ awareness of what is encryption and why it is so important, it’s worth emphasizing that HTTPS (unless there’s an EV certificate) isn’t an indicator of a genuine website.