News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • The web has a padlock problem

    Posted on November 30th, 2019 at 13:29 Kirsty Comment on the AskWoody Lounge

    Danny Palmer (ZDNet) has just written about recent changes to websites showing “security padlocks” in browser bars, in a very easy-to-digest article.

    Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks.

    HTTPS encrypts that information, allowing the transmission of sensitive data such as logging into bank accounts, emails, or anything else involving personal information to be transferred securely. If this information is entered onto a website that is just using standard HTTP, there’s the risk that the information can become visible to outsiders, especially as the information is transferred in plain text.

    Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.

    “This is why phishers are using it on phishing sites, because they know that people who use the websites think that means its OK when it’s not,” said (Scott) Helme. “The padlock doesn’t guarantee safety, it never has, that’s just a misunderstanding of the interpretation of what this actually means.”

    …the (cybersecurity) industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn’t going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

    I’m sure many of us will have seen information by Troy Hunt and Scott Helme in recent months, on browser security. Changes are afoot in how browsers indicate websites’ security; e.g. Firefox’s recent changes on how padlocks work is related.

    WSJ indicate the depth of the problem here:

    The use of security certificates, once a badge of authenticity for the internet, among phishing websites has almost doubled, rising to 15% in 2019 from 8.5% in 2018

    Even CASC (Certificate Authorities Security Council) recently published, in a very interesting article:

    The padlock is putting users in danger

     
    We all need to get used to these changes, for our own safety.