Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security The Internet Technology

Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com) 141

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
This discussion has been archived. No new comments can be posted.

Half of all Phishing Sites Now Have the Padlock

Comments Filter:
  • by Anonymous Coward

    In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

    Really? What's the thing underneath me that's approaching me really fast, here up in the sky? I think I'll call it ground. I wonder if it'll be friends with me. When writing or excerpting for Slashdot, please assume at least some minimal technical knowledge.

    Also, of course people believe SSL is more than it is; companies have been pointing it out for years as proof they're secure.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...

    • by Anonymous Coward

      Blame "Encrypt Everywhere" and Google's obsession with ruining the performance of sites everywhere by making it so that sites become hard to find in their search engine.

      The EFF and Cloudflare brought this upon us all.

      What needs to happen is that the browsers need to explicitly recognize three classes of SSL certificates:
      - Free certificates (eg Encrypt Anywhere, Cloudflare, and any other service that provides VPN service,) which make the site about as credible as any non-SSL site, only that data transmitted

      • The problem is that Google's own Chrome browser no longer displays "Extended Validation" sites with a green block in the address bar. Try going to a DV SSL website and an EV SSL website and you'll see a green padlock with the word "Secure" before the actual URL.

        Same thing in Safari, in my old Safari version 9 I see a big green rectangle but in the latest versions that has also disappeared.

        So while EV certificates are more secure, it's like the companies behind the browsers don't really care about helping th

    • > In reality, the https:/// [https] part of the address (also called "Secure Sockets Layer" or SSL)

      SSL was a protocol used by Netscape in the 1990s.
      For ten last decade or two we've been using TLS.

      • Right, which is why we have TLS web servers, TLS certificates and OpenTLS, and not SSL servers, SSL certs and OpenSSL.
        • Try using a modern certificate in an SSL server, such as Apache 1.2.

          Some people mistakenly call it SSL. That doesn't make it SSL.

          For example, you can call OpenVPN an SSL connection, but the fact is, it doesn't support SSL and it never has. It speaks TLS.

  • by Dan East ( 318230 ) on Tuesday November 27, 2018 @10:38AM (#57708016) Journal

    And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

    Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

    • by sinij ( 911942 ) on Tuesday November 27, 2018 @10:41AM (#57708036)
      To be fair, pervasive surveillance isn't a minor problem. Otherwise, spot on.
      • by Anonymous Coward

        The purpose of HTTPS everywhere is to force everyone to register. This is Orwellian, not a good thing.

        • Huh? Who has to register what now?

          • I think he is referring to the need to provide some sort of verification to a CA to get a certificate the browsers will accept. Take this line from TFS:

            In reality, the https:/// [https] part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted

            A false statement, the primary purpose of SSL/TLS is authentication not "merely" encryption. Now, how that authentication (of the site) is performed, via a list of browser approved CAs, has a lot of problems. But what it is supposed to do is assure you you Citibank.com site is actually Citibank and not a fake citibank.com hosted on some thief's server.

            • All a certificate does is to verify that traffic that you think originated from www.whateverserver.com actually does originate from www.whateverserver.com.

              And for this you needn't register any personally identifiable information with anyone.

    • by Anonymous Coward on Tuesday November 27, 2018 @10:45AM (#57708060)

      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.

      • by Anonymous Coward

        Parent AC gets it right. There WAS a problem that HTTPS addressed. That problem needed to be fixed. Miseducation around the fix is another problem, but does not imply the first problem wasn't a problem or didn't need a fix. It did.

    • Nobody said a https site is not a phishing site. Https is said secure because it prevents communication between a client and a server to be eavesdropped. The padlock does not say "safe", it says "secure connection". Now some people could be a bit confused but I doubt unknowledgeable users make a difference between http and https in the first place.
      • by Junta ( 36770 )

        Perhaps a different icon, a padlock says 'secure', need something to suggest protected/confidential link rather than a secure link.

        • by AmiMoJo ( 196126 )

          That's why Chrome is getting rid of the padlock icon (it's already tiny and grey and they removed the extra verification bit where it used to say the company name, because that was useless as well). I think I read that Mozilla are planning the same.

          The new scheme is flag sites which don't have HTTPS, with encrypted being the new normal. For trust we are basically screwed, we have nothing right now that can reliably identify a public web site or its owner.

      • by Pascoea ( 968200 )

        The padlock does not say "safe", it says "secure connection".

        To my grandmother, the padlock doesn't "say" anything. It's an icon that is designed to indicate security. You and I know that it means "secure connection", not "safe site". I love the fact that letsencrypt allows me to get a signed certificate for my personal sites. I hate the fact that it has lowered the barrier of entry for nefarious people. Like it or not, the little padlock adds credibility to a site. And the removal of the "This site isn't secure, are you sure you want to send your credit card in

    • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Tuesday November 27, 2018 @11:04AM (#57708224) Homepage Journal

      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.

      • by Sigma 7 ( 266129 )

        With HTTPS being prevalent, it's not difficult for ISPs to have an install disk that sets up your computer for optimal browsing (i.e. installs a root certificate that tricks browsers into accepting intercepted HTTPS content.)

        It probably already happened with SuperFish and Lenovo.

        • True, but at least we can watch for code modifying client machines... all it takes is one vigilant user looking at what the ISP install disk does to raise the alarm. When the insertions are happening on the ISP machines without modification of the clients, that's really hard to detect and prove. The HTTPS forces the injection to be more detectable.
        • by AmiMoJo ( 196126 )

          How do I insert the install disk into my phone? Many laptops don't even have an optical drive these days.

          I haven't seen an ISP install disc for at least a decade. People expect to plug the modem in, use the default wifi password printed on it and start surfing. The days of ISP crapware are long gone, at least around here.

    • by Anonymous Coward

      But centrally managed certificates are definitely not a help.

      What should have been done was make SSC(Self Signed Cert)s give the yellow warning icon, improper authoritative certs give the red/broken lock symbol, sites with matching authoritative info getting the green lock, and then add a pinning option that pops up certificate information only for certified+pinned websites, allowing the user to have visual notice if it is a site they normally visit or a possible phishing site.

      Honestly cert pinning needs to

    • Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.

      But now your site is safer. Your site visitors are much less at risk of being man in the middled than they previously were.

    • So... you wouldn't consider it a problem that someone MITMs the connection from the one seeking information on your page and feeds this person with garbage, while at the same time pretending that garbage comes from your page?

    • And this is what we get for browsers forcing websites to adopt HTTPS

      No. This is what we get for attempting to educate people that an encrypted connection between two computers where the controling parties at either end are unknown is considered "safe".

      It's not. It never was. We developed a whole new concept of EV certificates because of that gap. That doesn't make the idea to push sites to use HTTPS bad in the slightest.

      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner.

      It's not up to you to decide if I may be persecuted for your "read only" information. It's not up to you to declare that information you send in plain text

    • by dissy ( 172727 ) on Tuesday November 27, 2018 @12:03PM (#57708714)

      That is exceptionally worrying...

      First:
      I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.

      Then you contradict that:
      I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

      Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

      The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.

      You really *really* need to look your website over page by page and through the html files.
      They no longer contain what you think they do, they have been changed, and changed to require your visitors to submit form field data back to your server.

      If you didn't set that up, your site has been hacked.

      • Comment removed based on user account deletion
      • by sootman ( 158191 )

        > Browsers only warn on non-ssl sites if you are submitting data back to
        > them. Not a single one warns if you don't do that.

        WRONG. Go to an HTTP site in Chrome and it says (i) Not Secure in the URL bar starting with the very first visit.

        • by tepples ( 727027 )

          The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.

      • by tepples ( 727027 )

        Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

        Several JavaScript APIs are restricted to secure contexts only [mozilla.org], even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.

  • I understand X509 is complicated and most people do not want and do not need to understand how it works. However, all browsers went too far in dumbing down this aspect and we are now seeing consequences.

    For example, when navigating to /. It takes me multiple clicks to determine that it currently uses certificate issued on October 23, 2018, for Slashdot.org, and it uses Letâ(TM)s Encrypt issued certificate (cheap bastards). Why is this information so hard to access?
    • by Junta ( 36770 )

      I would argue that making those details more prominent wouldn't really improve the situation. The problem is that users may barely glance for a padlock, but otherwise focus on the content area to see if it 'looks right' despite the fact the content area is totally under the control of the site operator.

      User has to look at the location bar (which the operator can't control) and putting *more* information in it is going to probably make people even more likely to not bother.

      • by sinij ( 911942 )

        Well, one step toward addressing this problem is to not just blindly showing a padlock, but also showing identifier on the certificate (i.e. slashdot.org in this case). Additionally, highlighting domain in the address bar (i.e. https://it.slashdot.org/comments.pl?sid....). This way if there are shenanigans (i.e. if I navigate to a site that I think is slashdot.org, but end up at totallylegitsite.ru instead and they have Let's Encrypt certificate), it will be more obvious.

  • by Anonymous Coward

    more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

    Really? Is that level of misunderstanding so pervasive?

    How do we fix that? Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript? Those same people WILL need to know how the internet works, so let's teach that instead.

    • by Pascoea ( 968200 )

      more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe

      Really? Is that level of misunderstanding so pervasive?

      As with everything, it depends on the demographic. Probably gets closer to 100% when you start asking 50+ year olds.

      Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript?

      I took probably 10+ semesters of math (and various "life skills" classes) throughout my educational career, but I still had to teach myself how to do my taxes.

  • by Anonymous Coward

    I think we are expecting web browsers to be our net nanny these days. It has been my experience that the informed and educated user is the one who can use the web safely because they know how to do so. No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

    • by Anonymous Coward

      No feature or safety implementation in a browser can protect you when you can't recognize the obvious.

      ^ So much this.

      The way to a safer internet is for people to engage and use their brains. There's no way you can ever nanny it into safety, because (1) that creates yet a dumber breed of user, who (2) can be exploited in even more ways, because they aren't thinking about what they are doing.

      Consider the clusterfuck of Android malware and spyware, vs the relative safety of Linux. There is no technical reason the Linux ecosystem couldn't run malware and spyware. However it is a relatively safe ecosystem bec

  • lock AND the url (Score:4, Insightful)

    by charlie merritt ( 4684639 ) on Tuesday November 27, 2018 @10:56AM (#57708148)

    I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

    • by Junta ( 36770 )

      Per the example in the article, evidently there are people that don't look at the location bar at all if they see the lock. This means users need to understand that the padlock just means the identity is verified, but they have to decide if that identity matches what they were expecting.

      • In fairness, the location bar often has very meaningless information. My credit union's login domain is (sometimes) different than their name, and is only used for login. (They appear to outsource their website and a number of other functions to some credit union pool/provider.) I complained to them about it, and they slowly improved one aspect-- but it isn't easy.

        Extended Validation is about the only thing that you can try to trust now, as who the heck can keep track of which CAs they should trust and w

        • I walked away from one bank that was doing that. If a bank can't do security in-house, it ain't a secure bank in this day and age.
        • by Junta ( 36770 )

          Of course in an outsourcing SSO situation, the EV SSL would similarly indicate the provider, *not* the financial institution...

          • They actually outsource all of the e-banking, but the login-failed page and one other one I would hit periodically (could have been related to the trusted computer setup) were not properly configured.

            No, it doesn't bode well for their security either...

    • U xpect ppl to b abl to reed?

    • NO!!! You're part of the problem. The lock only certifies that the machine on the other end is the correct destination typed in the URL bar and that no one else is listening. It DOES NOT AND NEVER HAS certified who owns that machine.

      You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.

      This however is good advice. Good advice is to not follow links. Good advice is to manually type in addresses. If you've manually typed and checked addresses AND see the lock you're in a pretty good place. Additionally good advice would be to look for EV certifications. Google d

    • by sootman ( 158191 )

      > You do need to be sure that its gmail.com and not gmale.com,
      > part of being an adult netizen.

      Ah yes, blame the user. Because it's their fault if they don't have perfect eyesight and can't spot the flaw in https://www.grnail.com/ [grnail.com] or https://www.googIe.com [googie.com]. I can't wait to hear you blame your parents for being stupid when they get scammed.

      SCAMMERS ARE ASSHOLES. We need a strong, MULTI-LAYERED DEFENSE against them. Not just "you'd better know what you're doing."

  • by jellomizer ( 103300 ) on Tuesday November 27, 2018 @10:57AM (#57708164)

    These Certificates are often expensive, relatively complex to setup rarely ever give any real value. A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business, where you could prove you are who you say you are. But they have been giving certs to anyone without any research just as long as you pay the bill you are good to go, so you are not getting value out of these Certs except for the artificial browser scary error that you are a horrible person for using a unauthorized Cert.

    • by Junta ( 36770 )

      There may be flaws in the CA system, but this article isn't really related.

      The problem is that users aren't even bothering to see *what* the authority validated. A CA can't reasonably out that serveirc.com is going to try to impersonate paypal.com. They can revoke that certificate upon reporting abuse and such. The CA and DNS can do things to prevent sheningans like paypa1.com or more clever unicode things, but at some point the user *has* to validate some part of the UI that *isn't* totally controlled b

    • by tepples ( 727027 )

      A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business

      I see three different levels of assurance.

      1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band.
      2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name.
      3. An organi

    • The same level of encryption but not the same level of authenticity. What a CA issued cert says is that the server that you're connecting to is actually the server you're connected to and that no MITM is happening.

      That doesn't make www.bankofmurrica.com any more a page that you should enter your BA-credentials at, but it certifies that you're really talking with www.bankofmurrica.com and not www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn.

    • These Certificates are often expensive, relatively complex to setup rarely ever give any real value.

      Certifications are neither complex to setup nor do they not provide value. The people who claim they don't are those who do not understand what these certificates actually certify. Hint: It wasn't about the person on the other end, it was about the computer and the computer alone. Incidentally all these certifications are now able to be had for free.

      On the other hand extended validation certifications are "expensive". I use quotes because frankly paying a few thousand dollars for the privilage of securing v

    • At best certs verify that the owner of the domain name is also the owner of the server. So why not just publish cert details in dns, secured by dnssec?

      Sure, if your dns records get "hacked" somehow, you're screwed. But with how easy it is to get a cert from lets encrypt, that's already true now.

  • There are indeed people who would think the way the article describes.

    Hmm, maybe Chrome making the lock gray now wasn't as dumb as I thought. While the absence of https (at least according to Google) is baaaaad, the mere presence of it doesn't mean all that much.

  • This is why proxy re-encryption has become popular.
  • HTTPS was never designed to verify if a website is trustworthy or validate that they will do good things with the data you send to them. The only thing is does is ensure that you can be sure you're talking to the actual website you asked for based on the URL and that nobody else read or changed the data sent by the server as it traversed over the network.

    If we really want to protect things like user credit card numbers we should have a system where we don't have to send our credit card details to a website

  • So there's a 49% chance that /. is a phishing site. Yikes!

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...