{"id":10994,"date":"2019-06-13T23:38:21","date_gmt":"2019-06-14T03:38:21","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=10994"},"modified":"2023-01-09T17:35:58","modified_gmt":"2023-01-09T22:35:58","slug":"fbi-issues-warning-about-https-phishing","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/fbi-issues-warning-about-https-phishing\/","title":{"rendered":"FBI issues warning about HTTPS Phishing"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-do-not-trust-a-website-just-because-it-has-a-lock-icon-or-https-in-the-browser-address-bar\">\u201cDo not trust a website just because it has a lock icon or \u201chttps\u201d in the\nbrowser address bar.\u201d<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On Monday <a href=\"https:\/\/www.ic3.gov\/media\/2019\/190610.aspx\">the FBI issued a public warning about the rise of HTTPS phishing<\/a>. If you\u2019re a regular reader here you know that\u2019s something we talk about quite a bit. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In fact, at this point it\u2019s pretty much been talked to death. A few weeks back the Anti-Phishing Working Group issued a report that <a href=\"https:\/\/www.thesslstore.com\/blog\/58-of-phishing-websites-now-use-https\/\">58% of phishing websites they tracked in Q1 2019 used HTTPS<\/a>. Some estimates hold that number as high as 90%.<span id=\"newline\"><\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And it\u2019s kind of hard not to attribute that to the fact that SSL certificates are free now. And again, that\u2019s great. 
It\u2019s intended to help an under-served segment of the internet and we applaud that. But, as the FBI points out, this is going to have to change the way people have historically viewed security.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Websites with addresses that start with \u201chttps\u201d are supposed to provide privacy and security to visitors. After all, the \u201cs\u201d stands for \u201csecure\u201d in <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-https-what-https-stands-for\/\">HTTPS: Hypertext Transfer Protocol Secure<\/a>. In fact, cyber security training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites. The presence of \u201chttps\u201d and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public\u2019s trust of \u201chttps\u201d and the lock icon. They are more frequently incorporating website certificates\u2014third-party verification that a site is secure\u2014when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Frankly, this should be enough to make us re-evaluate the trust indicators we all look for and use. We need a stronger focus on server (and client) identities. We had DigiCert\u2019s Jeff Barto in the office a few months ago and we talked about <a href=\"https:\/\/www.thesslstore.com\/blog\/is-the-green-padlock-dead\/\">whether or not the green padlock is dead<\/a>. While he\u2019s optimistic it can be saved, personally, I\u2019m not sure it can be. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If it is lost, that creates a vacuum that needs to be filled\nwith certifications or some mechanism for establishing trust and identity.\nTrust is currency on the internet. Unfortunately, that\u2019s not a conversation\nthis industry is having. As Barto opined at the time, we as an industry tend to\nget hung up on the whole \u201cpurity\u201d aspect too much, rather than responding to\nthe needs of consumers and internet users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we say \u201cpurity\u201d we\u2019re referring to compliance and\noperational things, which are critical to ensuring that the entire ecosystem continues\nto function properly, but oftentimes don\u2019t have any direct real-world impact. And\nunfortunately, the views about that are deeply entrenched and some parties have\neven become somewhat adversarial. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We pay a lot of attention: we have our own CA partners that\nwe communicate with, we\u2019re party to the CAB Forum, and we keep close tabs on the\nMozilla root program\u2019s deliberations. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s obvious to anyone \u2013 even the people who only check in\noccasionally \u2013 that there\u2019s a complete disconnect and very little is getting\ndone. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regrettably, that means that it\u2019s more incumbent upon businesses\nand websites themselves to assert their identity. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And ironically, a completely unintended consequence of the inaction within the relevant industry forums is that Extended Validation is becoming one of the only ways to successfully assert it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While Extended Validation isn\u2019t perfect, it does require\norganizations to undergo a thorough vetting by a trusted entity. 
That does mean\nsomething; we\u2019re just missing a huge opportunity by not educating the public on\nEV as a trust indicator.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Again, regrettably, that inaction means it\u2019s more incumbent\nupon individual organizations to make sure that their customers know to look\nfor the EV name badge in their browsers\u2019 address bars. We\u2019ve seen this done\nwith interstitials and static headers before; a quick email to a mailing\nlist can also serve notice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The biggest criticism of EV is that \u201cpeople don\u2019t know to\nlook for it.\u201d And it\u2019s presented as if it\u2019s an unsolvable problem. It\u2019s really\nnot. Extended Validation is the best way to assert identity and protect your\nown company from being spoofed by phishers. It\u2019s an invaluable tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the status quo were working, phishing wouldn\u2019t be growing\nin prevalence at the rate that it currently is. Free SSL certificates make\nthese phishing websites, millions of them created each month, even more\nconvincing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s no longer enough just to have HTTPS and a padlock. You\nneed to assert your identity. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And while the options are limited, EV is and has been the best way to do it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>As always, leave any comments or questions below&#8230;<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cDo not trust a website just because it has a lock icon or \u201chttps\u201d in the browser address bar.\u201d On Monday the FBI issued a public warning about the 
rise&#8230;<\/p>\n","protected":false},"author":6,"featured_media":10998,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[7387,170,10373,166],"class_list":["post-10994","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-fbi","tag-https","tag-https-phishing","tag-phishing","post-with-tags"],"views":13921,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FBI-Feature-1.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=10994"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10994\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/10998"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=10994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=10994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=10994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}