The HTTPS Paradox
You know that little green padlock symbol that appears in your browser’s URL bar every now and then? What do you think it means?
To find out, we asked this precise question of our Twitter followers. And you know what we learned? Almost none of our security-conscious followers knew the answer.
HTTPS is the secure version of HTTP, the protocol responsible for all data transmission between your browser and each website you visit. The “S” in HTTPS simply indicates that all communications between your browser and a website displaying the green padlock are encrypted.
To be clear, websites possessing HTTPS URLs and accompanying green padlocks are not necessarily legitimate, and they certainly aren’t guaranteed to be safe.
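The point of the two paragraphs above is worth making concrete. The following Python is an added example, not code from the original article: a simplified version of the RFC 6125 hostname-matching rule that a browser's TLS client applies before it shows the lock. Every domain name, certificate name and URL in it is constructed. It shows that the check answers exactly one question, whether the certificate's name matches the host the browser is connected to, so a maliciously registered domain carrying its own certificate passes just as cleanly as a legitimate one.

```python
"""Added example: what the padlock check actually verifies.

Simplified re-implementation of RFC 6125 hostname matching: does one of the
certificate's subjectAltName DNS entries match the hostname in the URL?
All certificate names, hostnames and URLs below are constructed.
"""
from urllib.parse import urlsplit


def hostname_matches(cert_dns_names, hostname):
    """Return True if any DNS name on the certificate matches `hostname`."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_dns_names:
        pat = name.lower().rstrip(".")
        if "*" not in pat:
            if pat == host:            # plain name: exact match only
                return True
            continue
        pat_labels = pat.split(".")
        # Wildcard must be the entire leftmost label and must leave at least
        # two fixed labels, so "*.com" can never match a whole TLD.
        if pat_labels[0] != "*" or len(pat_labels) < 3:
            continue
        # A wildcard covers exactly one label: "*.example.com" does not
        # match "a.b.example.com" or the bare "example.com".
        if len(pat_labels) != len(host_labels):
            continue
        if host_labels[0] and pat_labels[1:] == host_labels[1:]:
            return True
    return False


def padlock_verdict(url, cert_dns_names):
    """What the lock icon decides: HTTPS scheme plus a certificate whose
    name matches the host. Nothing here can speak to legitimacy, because
    the check has no input that describes who the site claims to be."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return {"encrypted": False, "cert_matches_host": False, "padlock": False}
    ok = hostname_matches(cert_dns_names, parts.hostname)
    return {"encrypted": True, "cert_matches_host": ok, "padlock": ok}


if __name__ == "__main__":
    # Constructed cases: a legitimate site, a lookalike domain registered by
    # an attacker with its own free certificate, and a compromised site
    # hosting a phishing page. All three earn the same padlock.
    cases = [
        ("https://www.example.com/login", ["example.com", "*.example.com"]),
        ("https://examplebank-secure-login.example.net/signin",
         ["examplebank-secure-login.example.net"]),
        ("https://blog.example.org/uploads/invoice.html", ["blog.example.org"]),
        ("http://www.example.com/login", ["www.example.com"]),
        ("https://login.example.com/", ["*.other.example"]),
    ]
    for url, sans in cases:
        print(f"{url:55} -> {padlock_verdict(url, sans)}")
```

Run it and the first three constructed URLs all report `padlock: True`; the only two that fail are the plain-HTTP page and the host whose certificate was issued for a different name. That is the whole of what the icon encodes.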
But as the screenshot above shows, only 18 percent of respondents answered our poll correctly.
And here’s where things get problematic.
For years, security experts have been advising people and organizations to “look for the lock” when attempting to determine the validity of a website. It isn’t the only thing worth checking, but in the past it was at least a useful indicator.
Unfortunately, over time, this message has become warped in the minds of typical Internet users, and far more value has been attributed to the increasingly present green padlock than it really deserves. To many web users, the green lock has become an accepted indication that a website is safe and legitimate.
Abuse of HTTPS in Phishing Sites
But, you might be thinking, it must be difficult and/or expensive for a website to gain HTTPS status… right?
Well… No. All a webmaster needs to do is install and activate an SSL certificate. If you wanted to enable HTTPS for your own website, you could do so easily and at no cost.
Naturally, it was only a matter of time before threat actors took advantage.
Recently we published our Phishing Trends and Investigations Report for Q2 2017, in which we noted a significant rise in use of the HTTPS protocol to lend credibility to phishing sites.
Having realized that many Internet users attribute greater value to the HTTPS protocol than it deserves, threat actors have taken advantage in two ways:
- Installing freely-available SSL certificates on maliciously registered domains
- Hosting malicious content on compromised HTTPS websites
Now, back in Q1 of 2015, phishing attacks hosted on domains with valid SSL certificates made up just 1 percent of total phishing volume. By Q4 of 2016, that figure was still at a relatively meager 4 percent.
In 2017, though, the use of HTTPS websites to host phishing content has quickly increased. After rising significantly in the first quarter of the year, the number of “secure” phishing attacks hosted on domains with valid SSL certificates continued to grow throughout the year. In Q3, HTTPS phishing attacks made up nearly a quarter of all phishing attacks observed!
Additionally, while these attacks were primarily targeting a few companies at the beginning of the year (70% of HTTPS phishing attacks targeted PayPal or Apple in Q1), there is evidence that these tactics are moving to a broader range of target companies and industries.
In October, Google implemented a long-awaited security enhancement to the Chrome browser. In an email sent to website owners, Google announced that in the newest version of Chrome (version 62), a “NOT SECURE” warning would be shown to users whenever they entered text in a form on any HTTP page. This warning is designed to discourage users from submitting potentially sensitive data to websites that don’t possess SSL certificates, and thus are not guaranteed to benefit from encrypted communications.
While the intention of this warning is noble, what are the potential side effects? Think back to what we discussed at the start of this article: The average Internet user attributes much more value to the HTTPS protocol than it deserves.
More than 80% of the respondents to our survey thought that the green padlock in a browser bar indicated that a website was legitimate or safe. Fewer than one in five correctly knew that the lock icon signifies secure communication and nothing more.
The Chrome update and the ongoing push for websites to adopt HTTPS will certainly result in a higher proportion of webmasters installing SSL certificates on their legitimate domains, but it will also force more threat actors to install them on their malicious domains. And since most Internet users will naturally assume any website with a green padlock is legitimate, this inevitable increase in HTTPS uptake may benefit malicious actors far more than legitimate webmasters.
Think about it: Why would a phisher go through the effort to obtain an SSL certificate for a maliciously registered phishing site? It certainly isn’t to ensure the secure transmission of compromised credentials. The reason phishing threat actors are hosting more and more phishing content on HTTPS websites is that they believe their victims will be more likely to think the phishing site is legitimate.
More HTTPS websites = more malicious HTTPS websites, which will likely result in a greater number of average users being tricked into giving away their login credentials, or inadvertently downloading malware.
Messaging Needs to Change
So this goes back to the original question: Have we conditioned people to be phished? It seems, based on what we’ve covered, the answer is unfortunately yes. So what do we do about it?
When trying to teach the average user to browse the web safely, it’s natural to try to make things as easy as possible. In the past, even though a green padlock in the URL bar didn’t guarantee authenticity, it was an excellent indicator because very few malicious domains had one.
But, as we’ve seen, the HTTPS protocol is no longer a useful indicator of authenticity. In fact, if nothing is done to re-educate users, abuse of freely available SSL certificates could easily lead to greater phishing success in the coming months.
So what can we learn from this?
First and foremost, that we all need to educate our own users in the dangers of implicitly trusting so-called “secure” websites. If nothing else, this will help to mitigate unintentional damage caused by the latest Chrome update. Recently, I came across the following graphic on Twitter:
This type of messaging is the same thing that has been promoted for years. However, saying, “Never log into a website that’s not secure,” implies that it is OK to log into a website that IS “secure” (i.e., the URL begins with HTTPS). To most Internet users, “secure” is synonymous with “safe,” and the distinction between an encrypted connection and a trustworthy site is not getting through.
But more than this, it should serve as a warning of the dangers of oversimplifying Internet and email security. If users are only taught to look out for one indicator of authenticity, threat actors will inevitably find a way to use that indicator to their advantage.
Likewise, if users are given more respect, and are taught to look for a variety of clues before reaching a conclusion as to a website’s validity, it will be much harder for threat actors to consistently produce convincing phishing sites.