Phishing Websites Can Exploit the HTTPS Protocol, FBI Warns
On Monday, the Internet Crime Complaint Center (IC3) issued a public service announcement intended to make you more vigilant and help you avoid falling victim to phishing. Its central point is that whether or not you trust a page should no longer be decided by the green padlock icon in the address bar.
IC3 is part of the Federal Bureau of Investigation, and warnings from organizations of that kind tend to get people's attention. Everything IC3 says in the alert is accurate. If anything, it should have come out earlier.
PhishLabs, a company that specializes in analyzing the phishing landscape and its trends, has been tracking the share of scam pages that carry the green padlock, and late last year it reported that nearly half of all phishing pages were being served over HTTPS. The first fake login forms of this kind appeared back in 2015, so the padlock stopped being a reliable indicator of trustworthiness a long while ago.
For years, people were taught that the green padlock marks a trustworthy page. That was never what it meant. The lock indicates that the page is served over an HTTPS connection. HTTPS stands for Hypertext Transfer Protocol Secure; it is ordinary HTTP carried over TLS, which encrypts the traffic between your browser and the server, protects it from tampering in transit, and lets the browser check, against the server's certificate, that it is talking to the domain name shown in the address bar. It says nothing about who controls that domain or what they will do with your data.
HTTPS is a transport protocol. It protects your data on the way to the server; it cannot assure you that the server is the right destination. The misconception comes from the fact that to serve a website over HTTPS you must obtain a TLS certificate (still widely called an SSL certificate). In the past, obtaining one cost a fair amount of time, effort, and money, and for crooks running throwaway pages it simply wasn't economical. Only established organizations bothered to install certificates, both to protect their users' data and to earn their trust, so for a while the padlock and legitimacy happened to coincide. The cost was also too high for many smaller businesses that wanted to secure their sites but lacked the resources, and the consequences of sending login credentials and credit card details in cleartext became painfully apparent.
Those problems gave rise to Let's Encrypt, a non-profit Certificate Authority (CA) that issues certificates free of charge. It removed the financial hurdle and, through the ACME protocol, automated issuance and renewal, so that anyone could secure a website. What such a CA verifies before issuing is that the applicant controls the domain name, for example by publishing a CA-chosen token at a URL under that name; it does not, and cannot, verify that the domain's owner is honest.
Unfortunately, it quickly became apparent that phishers would take advantage of the free certificates too. Making a scam page look legitimate now required no investment at all, and a freshly registered look-alike domain passes domain validation just as easily as a real one. The criminals didn't need a second invitation.
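To make the point about domain validation concrete, here is an added example (not code from IC3, PhishLabs or Let's Encrypt) of the http-01 check an ACME CA performs before issuing, following RFC 8555 section 8.3 for the key authorization and RFC 7638 for the JWK thumbprint. The account key, the challenge token, the domain names (on the reserved .example TLD) and the "web server" (a dict standing in for an HTTP fetch) are all constructed for illustration. Nothing in the check asks who the applicant is; it only asks whether they can place a file under the name they want a certificate for.

```python
"""Added example: what http-01 domain validation actually proves.

Constructed placeholders throughout; not Let's Encrypt's or any ACME client's code.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """The CA side: fetch the well-known URL over plain HTTP and compare the
    body with the key authorization expected for this account.  Only control
    of content under `domain` is tested; the applicant's identity never is."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None:
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(body.strip().encode("utf-8"), expected)


# Constructed stand-in for an ACME account's RSA public key.  "n" is a short
# placeholder rather than a real modulus; the thumbprint arithmetic does not care.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus"}
# Constructed challenge token, the shape a CA would hand out (base64url, no padding).
TOKEN = "DGyRejmCefe7v4NfDGDKfA"


def demo():
    """A phisher registers a look-alike name and answers the challenge for it.
    Validation succeeds for the name they control and fails for the brand's
    real domain, which they cannot answer for.  Returns (lookalike_ok, real_ok)."""
    auth = key_authorization(TOKEN, ACCOUNT_JWK)
    # Constructed view of the phisher's web server: one file under the well-known path.
    served = {f"http://secure-login.example/.well-known/acme-challenge/{TOKEN}": auth}
    fetch = served.get
    return (validate_http01("secure-login.example", TOKEN, ACCOUNT_JWK, fetch),
            validate_http01("paypal.com", TOKEN, ACCOUNT_JWK, fetch))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is the only thing standing between a phisher and a certificate for the brand itself, and it fails purely because they do not control the brand's DNS name. A name they do control, however deceptive it looks, sails through.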
Given all that, some might be tempted to say that eliminating phishing pages served over HTTPS is easy: just get rid of the CAs that issue free certificates and turn HTTPS back into a luxury the crooks can't afford. There is one very good reason why this is not the solution.
Free certificates are essential in this day and age. As security researcher Scott Helme's tracking of HTTPS adoption has shown, they have had a profound effect on the share of web content that is served securely, and they have played a significant role in making the internet safer overall.
Browser vendors are trying to push even more website operators onto HTTPS, which is why the much-discussed green padlock may be on its way out. Secure pages will carry smaller or no visual indicators, while pages served over plain HTTP will be labeled "Not Secure". That change will also help kill the notion that a green lock marks a trustworthy page.
The browser developers have realized where the focus belongs: people shouldn't treat HTTPS as a security feature to look for, but as the norm. As for avoiding phishing, you have to rely on other checks. Read the domain name in the address bar before entering any credentials, since the padlock vouches only that you are connected to that exact domain and not to anyone else, and be a bit less click-happy with the links you receive via email or other communication channels.
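The "double-check the URL" advice is easier to follow with a clear idea of what to check. The added example below (not from the IC3 alert or this article's author) applies the checks a reader, or a mail-gateway rule, can run on a link before credentials are typed: it ignores the scheme on purpose, strips the tricks that hide the real host (user-info before an @, a brand name used as a subdomain, Unicode look-alike characters) and compares the registrable domain against an allow-list. The trusted-domain list, the sample links (on the reserved .example TLD) and the tiny public-suffix table are constructed for illustration; production code should consult the Public Suffix List.

```python
"""Added example: judging a link by its registrable domain, not its padlock.

Constructed allow-list and sample URLs; a stand-in for the Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually holds accounts with.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.co.uk"}

# Stand-in for the Public Suffix List: suffixes under which the registrable
# domain is three labels long instead of two.
_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def hostname_of(url: str) -> str:
    """The host the browser will actually connect to: user-info and port
    stripped, lowercased, and any Unicode label rendered in its Punycode
    (xn--) form so a look-alike character is exposed instead of hidden."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host: str) -> str:
    """The part of the host that somebody had to register (eTLD+1)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str, trusted=frozenset(TRUSTED_DOMAINS)):
    """Return (ok, reason).  ok is True only when the registrable domain is one
    the user trusts.  The scheme plays no part: https:// on its own is not
    evidence of anything beyond an encrypted connection to that same domain."""
    host = hostname_of(url)
    if not host or "." not in host:
        return False, "no usable hostname in the URL"
    if "xn--" in host:
        return False, f"host has an internationalised label ({host}); possible look-alike"
    reg = registrable_domain(host)
    if reg in trusted:
        return True, f"registrable domain {reg} is on the trusted list"
    for t in trusted:
        if t in host:
            return False, f"'{t}' appears inside {host}, but the registered name is {reg}"
    return False, f"registrable domain {reg} is not on the trusted list"


if __name__ == "__main__":
    # Constructed links of the kinds seen in phishing mail.
    for link in ("https://www.paypal.com/signin",
                 "https://paypal.com.signin-verify.example/",
                 "https://paypal.com@signin-verify.example/",
                 "https://www.pаypal.com/"):       # Cyrillic а in the second position
        print(link, *assess(link))
```

Of the four constructed links, only the first passes, and it would pass just the same over plain http://. The other three are exactly the shapes a valid certificate will happily be issued for: the brand as a subdomain of a registrable name the attacker owns, the brand tucked into the user-info part that browsers discard, and a name that differs from the real one by a single non-Latin character.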