We’ve heard for a long time that a padlock means a website is secure, but is it really fair dinkum?
Website security isn’t always an easy thing to get your head around.
It’s hard enough being aware of all the security issues and the frequent password changes, and so helping people understand the difference between “real” and “fake” on the internet often comes down to the simplest of lessons.
For the longest time, one of those lessons has been the padlock. The padlock lesson kind of went like this:
- Is there a padlock in the address bar? Then it’s secure, and should be real.
- No padlock? It’s not secure, and may not be real.
And that was kind of it: the padlock meant the website was real, and without it, that might not be the case.
But that lesson was never really an ironclad test of a website’s legitimacy, only a sign that some security was present, and as the web evolves, the padlock isn’t going to help you decide whether a website is real or fake. What’s happening?
The push for a more secure web
Security certificates were once the domain of websites with something to sell and would cost thousands of dollars, but a few years ago, the web began to change.
Instead of carrying a high price, security was embraced by many organisations, and security certificates became available free. Using “Let’s Encrypt”, a free TLS certificate can be issued to a website — any website — with the certificate expiring every 90 days, so the site has to prove it still controls its domain each time it renews. This means that any site can be secure, and that helps to make the web secure overall.
And when we say “any site”, we mean it. We’re not just talking shops, but also news sites, government sites… everything.
You may have noticed that Google’s Chrome web browser even reports when websites aren’t secure, highlighting them with a red “Not Secure” label in the omnibar that displays the URL. That label is an indicator that the connection isn’t encrypted, and that you should beware of transmitting details through the site.
This push by Google to reinforce a more secure web is better for everyone, but it comes with a catch: now that anyone can get a security certificate quickly, easily and without paying for it, criminals can make their websites “secure” too.
That leads to a problem: because many of us have been using the security lock as a definitive way to check whether a website is real, the lock now helps cybercriminals make an even more convincing play for our money with their phishing attempts and fake websites.
“A security lock merely means that the communication with a website is encrypted. However, this does not mean that the intention of the website owner is not malicious,” said Noushin Shabab, Senior Security Researcher for Kaspersky Lab in Australia, telling Pickr that the lock wasn’t necessarily indicative of actual security.
“Attackers can still obtain certificates for their malicious websites and make it look like their website has the security lock,” she said.
As such, we have to throw the old model out, and forget relating security to truth. So how do you tell if a secure website is real?
How to tell if a website is real
A security lock indicates encryption, but it may not indicate whether the site is real. It seems crazy, but that’s the point we’ve reached, and criminals are well aware of it and are taking advantage.
Trend Micro’s Tim Falinski told Pickr that criminals were taking advantage of the security certificates to convey a message about safety and security.
“They are exploiting consumers’ confidence in security certificates by setting up sites that masquerade as authentic sites,” he said.
“While the certificate means that no third party can see consumers’ personal details, it doesn’t mean this private information can’t be unwittingly handed over to crooks, so users should still maintain a level of caution before entering details on ‘secure’ websites.”
To make sure you won’t fall into the trap, Falinski advises looking at the website closely and, if possible, checking the security certificate to see if it is directly connected with the company the website claims to be.
It’s a check you can do in a desktop computer’s web browser, but not one that works on the iPhone, iPad or other mobiles, so you may want to adopt other techniques, such as really — REALLY — looking at the URL, and studying whether the site you’re at is legit.
Fake URLs will do what they can to convince you of their authenticity, and that may mean throwing in an extra letter where it’s not needed, resulting in something like “coommbank” or “commsbank” as opposed to “commbank”. These little spelling differences aren’t likely to be extra domains purchased by the company in question, but rather examples of something called “typosquatting”, where someone buys a similar website name in the hope of luring people who arrive with a typo in the name. It’s a technique that preys on people who don’t read the URL in full, and it’s one that can lead to a successful phishing attempt, with details going to a criminal at the other end.
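As an added illustration of the URL check described above, here is a small lookalike-domain detector written for this piece; it is example code, not a tool from Pickr, Kaspersky or Trend Micro. It extracts the hostname from a link, reduces it to its registrable domain, and flags it when that domain is not on an allowlist but is within a couple of typing errors of a known brand, or when a known brand name is simply embedded in a longer hostname. The allowlist entry commbank.com.au and the short public-suffix list are assumptions made for the example; a real tool would use the Public Suffix List and a maintained brand list, and would also handle look-alike Unicode characters, which this example does not.

```python
from urllib.parse import urlparse

# Constructed allowlist of legitimate registrable domains. The single entry is an
# assumption for this example, not a list taken from the article or any vendor.
KNOWN_DOMAINS = ("commbank.com.au",)

# Minimal set of multi-label public suffixes so that "commbank.com.au" is treated as
# one registrable domain. A production tool would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}


def registrable_domain(hostname):
    """Reduce a hostname to its registrable domain, e.g. www.commbank.com.au -> commbank.com.au."""
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def brand_label(domain):
    """The left-most label of a registrable domain, e.g. 'commbank' for commbank.com.au."""
    return domain.split(".")[0]


def classify_url(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, detail) where verdict is one of
    'known', 'lookalike', 'unknown' or 'invalid'.
    detail is the matched legitimate domain for 'lookalike', otherwise the
    registrable domain that was examined."""
    host = urlparse(url).hostname
    if host is None:
        return ("invalid", None)
    domain = registrable_domain(host)
    if domain in known:
        return ("known", domain)
    for legit in known:
        brand = brand_label(legit)
        # "coommbank" or "commsbank" is one edit away from "commbank"
        distance = edit_distance(brand_label(domain), brand)
        if 0 < distance <= max_distance:
            return ("lookalike", legit)
        # The real brand name appears somewhere in the hostname, but the
        # registrable domain is someone else's, e.g. commbank.com.au.login.example.net
        if brand in host.lower():
            return ("lookalike", legit)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    for link in ("https://www.commbank.com.au/login",
                 "https://coommbank.com.au/login",
                 "https://commsbank.com.au/",
                 "https://commbank.com.au.secure-login.example.net/",
                 "https://www.example.com/"):
        print(link, "->", classify_url(link))
```

The distance threshold of two catches a single inserted, dropped or swapped letter without flagging every unrelated short domain; the substring rule is what catches the other common trick of putting the real brand in a subdomain of an attacker-controlled domain, which an edit-distance check alone would miss.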
Checking the URL is therefore vital, and it’s a technique agreed upon by security experts.
“Triple check the domain name. In most cases the name of a fake site might differ by only one character,” said Kaspersky’s Shabab, who added that you should “always ensure links are reliable before clicking”.
“Your best bet is back to basic hygiene practices. Never enter personal information on the site unless you are sure 100% confident of its authenticity. These simple precautions prevent big messes from happening.”
With the risk of losing details to a cybercriminal now higher, because a lock can suggest an authenticity it doesn’t actually confirm, it’s more important than ever to really pay attention to where you’re going. If you’re clicking on a link inside a web browser, really look at the link, and if you’re unsure of what you’ve been sent, don’t click.
The web is more secure, and that’s a good thing, but the bolstered security is also going to result in criminals being able to take advantage of it, and no one wants that. Pay attention to where you’re visiting and take requests for information with a grain of salt, and you just might survive the web unscathed.