
Phishing embraces HTTPS, hoping you’ll “check for the padlock”

HTTPS is one of security’s great love affairs, but it's not all roses.

After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs.

Google is a long-time admirer, and in October started placing “Not secure” labels in the Chrome address bar on many sites that fail to use HTTPS by default, a tactic meant to persuade more website owners to share its enthusiasm.

Facebook, Twitter and WordPress, meanwhile, have been keen for years, which helps explain EFF figures from early in 2017 estimating that an impressive half of all web traffic was being secured using HTTPS.

So alluring has HTTPS become that it has now acquired suitors it could do without – phishing websites.

According to PhishLabs, a quarter of all phishing sites now use HTTPS, up from a few percent a year ago.

The increase has been so dramatic in 2017 that in a single quarter its popularity among phishing sites doubled. What’s causing this sudden interest?

One explanation:

As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases.

This is logical: as the number of sites using HTTPS rises, so does the chance that a legitimate site compromised to host phishing pages will already have it enabled.

Which means that acquiring an HTTPS certificate is an empty upgrade if the vulnerabilities that let attackers plant pages on the site are not fixed at the same time.

But there’s a second, less savoury possibility:

An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains.

We’ll call this the ‘window-dressing theory’: cybercriminals believe that web users are lulled into a false sense of security by the presence of HTTPS even though their scams might work without it.

That these certificates are obtained free of charge from services such as Let’s Encrypt, set up to spread the use of HTTPS among legitimate site operators, only adds to the painful sense of unintended consequences.

The culprit here is not really HTTPS, or Let’s Encrypt, but the green padlock symbol itself, browsing’s most misunderstood and over-rated signifier.

Too many people see its glow and think it guarantees a site’s legitimacy when all it actually attests is that the connection is encrypted to whoever controls the domain shown in the address bar. No symbol can ever provide absolute certainty about who that is.

This is partly the industry’s fault, starting with Google. Visit an HTTPS site in Chrome and the browser will describe padlocked sites as “secure”, which refers to the connection, not the site itself.

Except that not everyone knows this.

Browsers also colour-code and label the address bar to hint at trustworthiness (sites with an Extended Validation certificate get the organisation’s name displayed in green beside the padlock), but these indicators still appear on phishing sites that the browser’s integrated filtering has not yet caught.
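To make the distinction concrete, the following added example (not code from the Naked Security article, PhishLabs, or any browser vendor) separates the two questions the padlock conflates: whether the connection is encrypted, which is all the padlock attests, and whether the registrable domain actually belongs to the brand the page imitates. It also covers the “maliciously-registered domains” case discussed above, where a lookalike hostname carries a perfectly valid certificate. The brand domain list, the shortened public-suffix table, the homoglyph table and all sample URLs are constructed for illustration; none of the sample hostnames is a real phishing site.

```python
"""Added example: separate 'is the connection encrypted?' from 'is this the
brand's own domain?' for a URL a user has been told to 'check the padlock' on.
Brand domains, suffix table, homoglyph table and sample URLs are constructed
for illustration only.
"""
from urllib.parse import urlsplit

# Constructed: the legitimate registrable domains of the two brands PhishLabs
# names as the main targets. A real deployment would load a maintained list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "apple": {"apple.com", "icloud.com"},
}

# Simplified assumption: a few multi-label public suffixes. In practice use
# the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}

# Constructed: substitutions commonly used to build lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "@": "a"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname, e.g.
    'paypal.com.account-verify.example' -> 'account-verify.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse digit/symbol homoglyphs and drop hyphens so that
    'secure-p4ypa1' compares as 'securepaypal'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label).replace("-", "")


def brands_imitated(host: str) -> set[str]:
    """Brands whose name appears anywhere in the hostname after normalisation,
    including inside subdomains such as paypal.com.evil.example."""
    normalised_host = normalise(host.lower())
    return {brand for brand in BRAND_DOMAINS if brand in normalised_host}


def assess(url: str) -> dict:
    """Classify a URL.

    'padlock'  - True for any https URL: the browser would show a padlock.
    'verdict'  - 'brand' when the registrable domain belongs to the brand the
                 hostname names, 'lookalike' when it names a brand but is
                 registered elsewhere, 'unrelated' when no brand is named.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    padlock = parts.scheme == "https"
    reg = registrable_domain(host)
    imitated = brands_imitated(host)
    genuine = {b for b in imitated if reg in BRAND_DOMAINS[b]}
    if genuine:
        verdict = "brand"
    elif imitated:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable": reg, "padlock": padlock,
            "brands": sorted(imitated), "verdict": verdict}


# Constructed sample URLs: none of these hostnames is a real phishing site.
SAMPLES = [
    "https://www.paypal.com/signin",                    # padlock, genuine
    "https://paypal.com.account-verify.example/login",  # padlock, lookalike
    "https://secure-p4ypa1.example/",                   # padlock, lookalike
    "https://appleid-support.example.co.uk/",           # padlock, lookalike
    "http://www.apple.com/",                            # no padlock, genuine
    "https://news.example/",                            # padlock, unrelated
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = assess(sample)
        lock = "[padlock]" if r["padlock"] else "[no lock]"
        print(f"{lock:10} {r['verdict']:10} {r['registrable']:30} {sample}")
```

Run stand-alone, the script shows that four of the five padlocked URLs are not the brand’s domain at all, while the one genuine site without a padlock still is; the padlock column and the verdict column are independent, which is the whole point. The brand-name match is deliberately loose (it would flag a hostname such as pineapple.example as naming Apple), so in a real filter it belongs alongside domain age, reputation and certificate-transparency data rather than standing alone.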

Naked Security discussed this issue (and the problem of how sites are verified) in 2015 so it’s not a new worry.

The logical result of the trend PhishLabs has detected is that eventually all websites will use HTTPS whether they are phishing sites or not, at which point the padlock will say nothing about which sites to trust and the misunderstanding of the whole padlock system will become apparent.

The dream of an entirely encrypted internet is a noble one but its ubiquity will be a pyrrhic victory if cybercriminals can find easy ways to manipulate it from the inside.


7 Comments

Could you please tell me what to do about an unknown device that accessed my Google account in October? I have begged for help everywhere I could think of, was never notified about it, and now I keep seeing activity from an unknown device accessing all my system files, and my phone is totally messed up. In my trace and log files I have with Sophos, they are file-wiping Sophos data and the web filtering is constantly being stopped. I only have a Qlink wireless Android N817 4.4.4 phone. I did lock down the IP address and the street location. Please tell me what to do.

Reply

Hi there. Sorry to hear you are having trouble. Might be worth taking a look at our support forum here: https://community.sophos.com/

Reply

Do the google security checkup.

You should enable two-factor authentication, and it should ask you to check the devices connected to your account; here you can disconnect the devices that are not yours.

If they try to sign in again they will be unable to, because you’ve enabled a second factor like SMS or an authenticator app.

Reply again if you have probs.

Good luck cuz ;-)

Reply

Something to think about: is having sites on HTTPS making it harder for spam filters and such to detect phishing emails? What about my ad blocker/antivirus that has phishing protection? There’s also my password manager, which would pick up on this sort of thing.

Reply

Emails that are sent using TLS are generally only encrypted to the mail server, not to the mail client (the TLS session is from server to server). So the spam filter gets to see the whole email as a matter of routine.

As for filtering encrypted website content before it reaches the user, for example in a web gateway appliance: you can do that by decrypting the content at the gateway and re-encrypting it before passing it on.

(For this to work you need to supply all your users with a certificate that makes them trust your appliance to do the decrypt/recrypt process. This ensures that no one else can pull off a “man-in-the-middle” decrypt/recrypt on your users and modify what they see or infect what they download.)

Reply

Worryingly in the UK Barclays bank is merely urging us to “check the padlock – and make sure the vendor is genuine” in TV adverts.
Phishing security cannot be reduced to an ad length sound bite!

Reply

Privacy is long dead and security is dying. When as a user you’ve done everything humanly and perhaps technically possible to secure your data including credentials but your own government or the largest banks or credit reporting agency drops the ball all one can do is react. Our data is only as secure as the entities procurement person signing the checks. Every IT budget renewal begins with “why do we need this?”

Reply
