The Green Padlock Icon in the URL Bar Is No Longer a Symbol You Can Trust
For years, you have constantly been told not to enter your private information on a website that doesn't have a green padlock in the address bar. Some of you have heeded this advice, and some of you haven't, but have you ever wondered what this green padlock stands for and how it works?
Although browsers like Google Chrome are now slowly phasing it out (the reasons for which will become apparent in a minute), the green padlock is still universally recognized as a sign that the website you're viewing has an SSL certificate and is loaded under HTTPS. This, in turn, means that all the information travelling between your browser and the website is encrypted in transit and is protected from Man-in-the-Middle attacks.
Back in the day, experts had another reason to warn you not to enter your data on websites that weren't loaded through HTTPS. SSL certificates are issued by Certificate Authorities (CAs), which used to charge several hundred dollars per year for them. Predictably, scammers weren't prepared to shell out this sort of money to make their phishing pages look more like the real thing, and even if they had been, they would have failed some of the manual checks that CAs performed in those days. In other words, real Amazon login forms had green locks, and fake ones didn't. This, unfortunately, is no longer the case.
The emergence of free SSL certificates and the impact they had on the internet
Sadly, the crooks weren't the only ones failing to route their websites through HTTPS. SSL certificates were too expensive for many legitimate website owners as well, which meant that quite a few online shops were leaving their customers' data exposed. Something had to be done.
In 2014, a new CA by the name of Let's Encrypt was established, and it started offering SSL certificates completely free of charge. The Internet liked the idea.
Let's Encrypt officially exited Beta in April 2016 when it proudly announced that the number of certificates it had issued hovered around 1.7 million. Just fourteen months later, there were more than 100 million Let's Encrypt certificates.
Free SSL certificates are now offered by other CAs as well, and because of them, HTTPS is becoming the norm rather than the exception. In August, security specialist Scott Helme said that, for the first time ever, more than half of the Alexa Top 1 Million websites were loaded under HTTPS. This shift has prompted browser vendors to ditch the green lock icon and replace it with a larger "Non-Secure" sign when a page is not loaded under HTTPS. Indeed, the padlock is nowhere near as useful as it used to be.
Nearly 50% of all phishing pages are now loaded through HTTPS
The emergence of free SSL certificates is one of the good things that happened to the world recently. Although they are not a panacea, they have enabled smaller online vendors to not only survive but thrive, and right now, even the most basic HTML websites don't have an excuse for running under HTTP.
Sadly, if SSL certificates are free and easy to set up for legitimate website owners, they are free and easy to set up for scammers as well. In fact, PhishLabs, a threat intelligence and mitigation company, told Brian Krebs that very nearly half (about 49%) of all phishing pages it detected during the third quarter of this year were loaded under HTTPS. This, PhishLabs said on Twitter, is up from 35% during Q2 and 33% during Q1.
The crooks are actively setting up SSL certificates on their scam pages partly because it's easy to do and costs them nothing and partly because of the changes that browser vendors are implementing. They realize that users are far less likely to give away their personal information to a website that is loaded under a visible "Non-Secure" warning.
What can we do about it?
Does this mean that browser vendors' decision to move away from the green padlock is a huge mistake? No, it doesn't. The simple fact of the matter is that the lock icon will never be as useful as it used to be. If it stays, it will have no impact on the current situation, because should the scammers decide that they need it, they'll just get a free SSL certificate.
Shouldn't we get rid of free SSL certificates, then? No, we shouldn't. Denying vendors the option to protect their customers' data for free would be a massive leap backward and would put millions of people's personal information under serious threat. What we need to do instead is teach as many users as possible what HTTPS is.
HTTPS is not an indicator of trustworthiness. If it's not present, you can be pretty sure that the website you're viewing shouldn't be trusted, but even if it is there, you might still be looking at a scam. There are other factors that you should pay closer attention to.