“Do not trust a website just because it has a lock icon or “https” in the browser address bar.”
On Monday the FBI issued a public warning about the rise of HTTPS phishing. If you’re a regular reader here you know that’s something we talk about quite a bit.
In fact, at this point it’s pretty much been talked to death. A few weeks back the Anti-Phishing Working Group issued a report that 58% of phishing websites they tracked in Q1 2019 used HTTPS. Some estimates hold that number as high as 90%.
And it’s kind of hard not to attribute that to the fact that SSL certificates are free now. And again, that’s great. It’s intended to help an under-served segment of the internet and we applaud that. But, as the FBI points out, this is going to have to change the way people have historically viewed security.
Websites with addresses that start with “https” are supposed to provide privacy and security to visitors. After all, the “s” stands for “secure” in HTTPS: Hypertext Transfer Protocol Secure. In fact, cyber security training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites. The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.
Frankly, this should be enough to make us re-evaluate the trust indicators we all look for and use. We need a stronger focus on server (and client) identities. We had DigiCert’s Jeff Barto in the office a few months ago and we talked about whether or not the green padlock is dead. While he’s optimistic it can be saved, personally, I’m not sure it can be.
If it is lost, that creates a vacuum that needs to be filled with certifications or some other mechanism for establishing trust and identity. Trust is currency on the internet. Unfortunately, that’s not a conversation this industry is having. As Barto opined at the time, we as an industry tend to get hung up on the whole “purity” aspect too much, rather than responding to the needs of consumers and internet users.
When we say “purity” we’re referring to compliance and operational matters, which are critical to ensuring that the entire ecosystem continues to function properly, but oftentimes don’t have any direct real-world impact. And unfortunately, the views about that are deeply entrenched, and some parties have even become somewhat adversarial.
We pay a lot of attention: we have our own CA partners that we communicate with, we’re party to the CAB Forum, and we keep close tabs on the Mozilla root program’s deliberations.
It’s obvious to anyone – even the people who only check in occasionally – that there’s a complete disconnect and very little is getting done.
Regrettably, that means that it’s more incumbent upon businesses and websites themselves to assert their identity.
And ironically, a completely unintended consequence of the inaction within the relevant industry forums is that Extended Validation is becoming one of the only ways to successfully assert it.
While Extended Validation isn’t perfect, it does require organizations to undergo a thorough vetting by a trusted entity. That does mean something; we’re just missing a huge opportunity by not educating the public on EV as a trust indicator.
Again, regrettably, that inaction means it’s more incumbent upon individual organizations to make sure that their customers know to look for the EV name badge in their browsers’ address bars. We’ve seen this done with interstitials and static headers before; a quick email to a mailing list can also serve notice.
The biggest criticism of EV is that “people don’t know to look for it.” And it’s presented as if it’s an unsolvable problem. It’s really not. Extended Validation is the best way to assert identity and protect your own company from being spoofed by phishers. It’s an invaluable tool.
If the status quo were working, phishing wouldn’t be growing in prevalence at the rate that it currently is. Free SSL certificates make these phishing websites, millions of them created each month, even more convincing.
It’s no longer enough just to have HTTPS and a padlock. You need to assert your identity.
And while the options are limited, EV is and has been the best way to do it.
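To make the padlock-versus-identity distinction concrete, here is an added example (not code from the original post or from the FBI or DigiCert) that reads a certificate in the layout Python’s ssl.getpeercert() returns and reports whether the subject carries any organization identity, and whether it carries the extra subject fields EV certificates include. The sample certificates are constructed, and the check is a subject-only heuristic: a browser’s real EV decision also depends on the CA’s EV policy OID in its root store.

```python
# Added example, not code from the original post. The padlock only proves the
# connection is encrypted to whoever controls the hostname; any identity claim
# lives in the certificate subject. Uses the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns (attribute names are OpenSSL long names).
import socket
import ssl
from typing import Dict

# Subject attributes EV certificates carry beyond an organization name.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def flatten_subject(cert: dict) -> Dict[str, str]:
    """Flatten getpeercert()-style subject RDNs ((('k', 'v'),), ...) into a dict."""
    out: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out[name] = value
    return out

def identity_level(cert: dict) -> str:
    """Classify what the subject asserts: 'DV', 'OV' or 'EV-fields'.

    Caveat: subject-only heuristic. A browser's EV decision also requires the
    certificate policy OID to match the EV OID registered for the issuing CA
    in its root store, which is not checked here.
    """
    subj = flatten_subject(cert)
    if "organizationName" not in subj:
        return "DV"          # hostname control only, no organization identity
    if EV_FIELDS.issubset(subj):
        return "EV-fields"   # organization plus registration/jurisdiction data
    return "OV"              # organization vetted, but not to the EV standard

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server certificate in getpeercert() layout (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() layout; not real certificates.
DV_SAMPLE = {"subject": ((("commonName", "secure-login.example"),),)}
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Bank, Inc."),),
                         (("commonName", "www.example-bank.example"),))}
```

Running identity_level(fetch_peer_cert("your-site.example")) against your own site shows exactly what a visitor’s padlock does and does not vouch for.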
As always, leave any comments or questions below…