The myth of the green padlock.
How much do you know about the green padlock?
What HTTPS really means
A lot of people still associate a green padlock in the browser address bar with a secure website. That is hardly surprising: from childhood we learn to associate green with safety. Here’s how that looks in Firefox.
In most other browsers the padlock is visualized very similarly, but Chrome, by far the most popular browser nowadays, even goes one step further and shows the word “Secure” next to the padlock. It’s only when you click on the green padlock in the browser that you see its true meaning:
What it really means is that the website is served over HTTPS: ordinary HTTP carried inside a TLS session, which itself runs on top of TCP. When the padlock appears, three things hold for the connection between your browser and the web server. The server has proved, with a certificate issued by a certificate authority the browser trusts, that it controls the host name shown in the URL; the exchanged data is encrypted, so an observer on the path cannot read it; and it is integrity-protected, so an attacker on the path cannot alter it without the browser noticing. In other words, the communication between these two entities is private and is tied to a domain name. That matters most for data like passwords or credit card numbers, but even websites that handle no personal data should be served over HTTPS, because over plain HTTP anyone on the path can inject content into the pages.
HTTPS doesn’t mean a website is secure or its intentions are good
Poor transport layer security is only one of many potential vulnerabilities that criminals can exploit. Even on HTTPS websites there can be all sorts of security risks on the client or on the web server, resulting for instance in an injection flaw that lets an attacker read the database, or a compromised server or third-party script that serves malware to visitors.
HTTPS says nothing about the legitimacy or intentions of a website either. A phishing site exists to steal your personal data, and it does that equally well over HTTP or HTTPS. The certificate only attests that whoever set up the site controls its domain name.
Criminals will not implement an SSL certificate, right?
A few years ago this was largely true, and almost no malicious websites were served over HTTPS: for the criminals the cost of a certificate was rarely worth the effort. But thanks to certificate authorities like Let’s Encrypt, domain-validated certificates are now free, easy to install and easy to maintain, and issuance can be fully automated with the ACME protocol. This has caused a huge increase in HTTPS adoption. Unfortunately the bad came along with the good, and a lot of malicious websites are served over HTTPS as well. Between March 2016 and February 2017 almost 15,000 Let’s Encrypt certificates were issued to PayPal phishing sites.
Average, non-security-savvy users see a green padlock and conclude that a website is safe to use. As we have seen, a green padlock in the browser address bar only means that the data exchanged with that particular website travels over an encrypted, authenticated channel to the domain shown in the URL. The intent of the website owner can still be malicious. That’s why you should always run an up-to-date version of your browser and be wary of phishing sites. Check that the domain in the URL is really the one for the site you intend to use: what counts is the registered domain at the end of the host name, not a familiar brand name that appears somewhere inside it, so a host like paypal.com.example.net belongs to example.net and not to PayPal. Better safe than sorry!
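The two checks discussed above, what the padlock verifies (the certificate is valid for the host in the URL) and what it does not (the host is the site you meant to visit), as an added worked example in Python. This is not code from the original post; the URLs and certificate name lists are constructed for the example, and the "registrable domain" helper is a deliberate simplification of what browsers do with the Public Suffix List.

```python
"""
Added example, not code from the original post: what the padlock actually
checks. A browser shows the padlock when the TLS handshake succeeds and the
server's certificate is valid for the host name in the URL. That last step is
a string match between the URL host and the certificate's Subject Alternative
Names (RFC 6125 style). Nothing in it asks whether the host is the site you
meant to visit; that check is left to the user.

All URLs and certificate name lists below are constructed for this example.
"""
from urllib.parse import urlsplit


def url_host(url: str) -> str:
    """Host the browser will actually connect to, normalised for matching.

    urlsplit() strips userinfo, so for 'https://paypal.com@evil.example/'
    the host is 'evil.example' and 'paypal.com' is just a user name.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("not an https URL")
    if parts.hostname is None:
        raise ValueError("no host in URL")
    return parts.hostname.rstrip(".")  # .hostname is already lower-cased


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name match as done by browsers and TLS libraries.

    Either an exact (case-insensitive) match, or a wildcard that is the whole
    left-most label and replaces exactly one label of the host. Patterns such
    as '*.com' or 'a*.example.com' are rejected.
    """
    pattern = pattern.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def padlock_shown(url: str, cert_sans: list) -> bool:
    """The browser's name check, assuming the chain itself already validated."""
    host = url_host(url)
    return any(san_matches(san, host) for san in cert_sans)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels. Real browsers consult the
    Public Suffix List, so this simplification is wrong for suffixes such
    as co.uk (assumption made for the example)."""
    return ".".join(host.split(".")[-2:])


def is_expected_site(url: str, expected_domain: str) -> bool:
    """The check the padlock does NOT do: is this host the site I intended?"""
    return registrable_domain(url_host(url)) == expected_domain.lower()


# Constructed certificate name lists. A CA doing domain validation would issue
# PHISH_CERT and EVIL_CERT to whoever controls those domains, no questions asked.
LEGIT_CERT = ["paypal.com", "www.paypal.com"]
PHISH_CERT = ["paypal.com.secure-login.example", "*.secure-login.example"]
EVIL_CERT = ["evil.example"]


def verdicts(url: str, cert_sans: list, expected_domain: str) -> tuple:
    """(padlock shown?, is it really the expected site?) for one visit."""
    return padlock_shown(url, cert_sans), is_expected_site(url, expected_domain)


if __name__ == "__main__":
    for url, cert in [
        ("https://www.paypal.com/signin", LEGIT_CERT),
        ("https://paypal.com.secure-login.example/signin", PHISH_CERT),
        ("https://paypal.com@evil.example/signin", EVIL_CERT),
    ]:
        padlock, genuine = verdicts(url, cert, "paypal.com")
        print(f"{url}\n  padlock: {padlock}  really PayPal: {genuine}")
```

The second and third visits both earn a padlock, because each certificate genuinely matches the host being contacted; only the domain check the user has to do by hand tells them apart from the real site.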