Saturday, April 15, 2017

Is the Green Padlock Safe?

According to Wikipedia, HTTPS only encrypts the communication traffic between browsers and web servers in order to prevent Man-In-The-Middle (MITM) attacks. HTTPS does not indicate that a website bearing a green padlock is "safe".

Many people mistakenly believe that if a website bears a green padlock with an HTTPS URL, it is a "safe" website. "Safe" here refers to a website that does not carry out any malicious activities against its users.

Recently, I read the article "When the 'S' in HTTPS also stands for shady". It also shows that even information security guys and gals may misinterpret the purpose of HTTPS.

Since users can revoke and regenerate Let's Encrypt SSL certificates themselves, having Let's Encrypt revoke the SSL certificates of malicious websites is meaningless. Without Let's Encrypt, malicious hackers can purchase SSL certificates from other sources to complete the task without any problem.

Ten-odd years ago, many experts stated that if the browser is showing a locked padlock, you are "safe" and the website is "safe". That is misleading for sure.

We should educate users that even if a website looks legit and bears a valid SSL certificate, they should think more before clicking any link on the site, because most phishing sites look legit and have a valid SSL certificate. They should check the URL of the website before going further, especially for banking and payment sites. Beware of the website being redirected to another URL too.
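The URL and redirect checks described above can be automated. The following Python sketch is an added example, not from the original post; it goes beyond the text by flagging three common look-alike host patterns, and the expected hosts and the sample redirect chain are constructed values.

```python
from urllib.parse import urlsplit

# Assumption: the hosts the user actually intends to visit (constructed values).
EXPECTED_HOSTS = {"bank.example", "www.bank.example"}

def check_url(url, expected=EXPECTED_HOSTS):
    """Return a list of warnings for one URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host the browser connects to.
        warnings.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike characters)")
    if host not in expected:
        if any(e in host for e in expected):
            warnings.append("expected name embedded in a different host")
        warnings.append(f"unexpected host: {host}")
    return warnings

def check_chain(chain, expected=EXPECTED_HOSTS):
    """Check every hop of a redirect chain; return {url: warnings} for flagged hops."""
    return {u: w for u in chain if (w := check_url(u, expected))}

# Constructed redirect chain: every hop is HTTPS, yet only the first is the real site.
SAMPLE_CHAIN = [
    "https://www.bank.example/login",
    "https://www.bank.example.account-verify.example/login",
    "https://www.bank.example@203.0.113.10/login",
    "https://xn--bnk-test.example/login",
]

if __name__ == "__main__":
    for url, warnings in check_chain(SAMPLE_CHAIN).items():
        print(url)
        for w in warnings:
            print("  -", w)
```

Every flagged hop in the sample uses HTTPS, so a padlock alone would not distinguish it from the real site; only the host comparison does.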

By the way, malicious hackers can impersonate HTTPS traffic and carry out MITM attacks with ease today! No system is safe!

That's all! See you.