{"id":20725,"date":"2018-01-17T11:26:49","date_gmt":"2018-01-17T16:26:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=20725"},"modified":"2020-02-26T11:12:04","modified_gmt":"2020-02-26T16:12:04","slug":"https-does-not-mean-safe","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/https-does-not-mean-safe\/20725\/","title":{"rendered":"HTTPS doesn’t mean safe"},"content":{"rendered":"

Let\u2019s be honest, when most people see a little green lock with the word \u201cSecure\u201d to the left of a URL, they think the site is safe. Ditto for spotting the words \u201cthis site uses a secure connection\u201d or a URL beginning with the letters \u201chttps.\u201d More and more sites these days are switching to HTTPS. Most have no choice, in fact. So what\u2019s the problem? The more secure sites there are, the better \u2014 right?<\/p>\n

We\u2019re about to let you in on a little secret: Those \u201cSecure\u201d symbols don\u2019t guarantee a website is safe from all threats. A phishing<\/a> site, for example, can legitimately display that comforting green lock next to its https address. So, what\u2019s going on? Let\u2019s find out.<\/p>\n

\u00a0<\/p>\n

A secure connection does not mean a secure site<\/h2>\n

\u00a0<\/p>\n

The green lock means that the site has been issued a certificate and that a pair of cryptographic keys<\/a> has been generated for it. Such sites encrypt information transmitted between you and the site. In this case, the page URLs begin with HTTPS, with the last \u201cS\u201d standing for \u201cSecure.\u201d<\/p>\n

Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties\u2014ISPs, network administrators, intruders, and so on. It lets you enter passwords or credit card details without worrying about prying eyes.<\/p>\n

But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.<\/p>\n

Put simply, all a green lock ensures is that no one else<\/em> can spy on the data you enter. But your password can still be stolen by the site itself, if it\u2019s fake.<\/p>\n

Phishers make active use of this: According to Phishlabs<\/a>, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe<\/a> that the mere presence of a little green lock and the word \u201cSecure\u201d next to the URL means the site is safe, and they don\u2019t think too hard before entering their data.<\/p>\n

\u00a0<\/p>\n

What if the lock isn\u2019t green?<\/h3>\n

\u00a0<\/p>\n

If the address bar shows no lock at all, that means the website does not use encryption, exchanging information with your browser using standard HTTP. Google Chrome has started tagging such websites as insecure. They might in fact be squeaky clean, but they don\u2019t encrypt traffic between you and the server. Most website owners don\u2019t want Google to label their websites as unsafe, so more and more are migrating to HTTPS. In any case, entering sensitive data on an HTTP site is a bad idea \u2014 anyone can spy on it.<\/p>\n

The second variant you might see is a lock icon crisscrossed with red lines and the HTTPS letters marked in red. That means the website has a certificate, but the certificate is unverified or out of date. That is, the connection between you and the server is encrypted, but no one can guarantee that the domain really belongs to the company indicated on the site. This is the most suspicious scenario; usually such certificates are used for test purposes only.<\/p>\n

Alternatively, if the certificate has expired and the owner has not gotten around to renewing it, browsers will tag the page as unsafe, but more visibly, by displaying a red lock warning. In either case, take the red as the warning it is and avoid those sites \u2014 never mind entering any personal data on them.<\/p>\n

\u00a0<\/p>\n

How not to fall for the bait<\/h3>\n

\u00a0<\/p>\n

To sum up, the presence of a certificate and the green lock means only that the data transmitted between you and the site is encrypted, and that the certificate was issued by a trusted certificate authority. But it doesn\u2019t prevent an HTTPS site from being malicious, a fact that is most skillfully manipulated by phishing scammers.<\/p>\n

So always be alert, no matter how safe the site seems at first glance.<\/p>\n