How safe is the green padlock?
TL;DR: Too many chiefs, not enough cooks. A green padlock with the organization or company name also shown in green (an Extended Validation, or EV, certificate) means the website is almost certainly legit, unless you're using Internet Explorer. But Billy, you ask, why does your website only have a plain green padlock? Money. I don't want to spend thousands per year on an EV certificate when a Domain Validated (DV) one will suffice for a personal blog. However, be cautious if your bank does not have EV.
Over the years, we've all been taught that you need to see https or the green padlock on a website to be safe and secure, especially when it comes to ecommerce or banking websites.
But are we really safe? Maybe. It depends.
Recently, major Internet companies like Google, Mozilla, and Facebook have been pushing for wider adoption of HTTPS (Secure Sockets Layer, or SSL) across the web. It's certainly a good thing to have; it just doesn't solve all the security issues. What are some of the main ones?
- Too many Certificate Authorities
- Difficult to verify endpoint identity
- Subject to determined phishing attacks
On one hand, it was easier to mitigate a rogue or compromised Certificate Authority (CA) many Moons ago, when there were fewer than a handful of them. Now that there are dozens or more, it is much harder to limit our exposure to impersonation and man-in-the-middle attacks.
How so? Web browsers and other networking software trust the CA hierarchy, and therefore also trust the validity of any SSL certificate a CA issues to an organization or company. When there was a handful of Certificate Authorities, we only needed to monitor that handful for suspicious certificates. As that number increases, we need to be more vigilant, because each CA can issue a valid SSL certificate for any domain name and, by design, the browser will accept it. Any trusted CA, not just the one your bank uses, can mint a certificate for your bank's domain; that gap is what public Certificate Transparency logs and CT monitoring were created to close.
Having HTTPS (SSL, or more accurately its successor, Transport Layer Security (TLS), depending on who you ask) simply means that your connection is secure: encrypted and protected from tampering between your browser and the server. This is a key point. It's like those red phones you see in the movies with a direct line to another country to discuss something extremely important in a secure manner.
But that's all it does. It almost guarantees that no one else can eavesdrop on your conversation. What it doesn't do is guarantee who's at the other end of the conversation: the certificate proves the other end holds the key for the domain name in the address bar, not that the domain belongs to the organization you think it does. Maybe it's the president, but maybe it's Joe Smith; there is no way to tell. We could look for Extended Validation (EV) certificates, which are harder to obtain and more costly and which should discourage the average attacker, but a determined attacker will probably find a way. Steve Gibson has a nice article explaining why EV certs are ideal and in what situations they are not (https://www.grc.com/ssl/ev.htm). His weekly podcast, Security Now, is a must-listen show and great for keeping up with current internet security news.
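To make the "who is at the other end" point concrete, here is an added example (not code from the original post) of the only identity check a browser actually performs on a certificate: does one of its DNS names match the host in the URL? It is written in Python against the dict shape that `ssl.SSLSocket.getpeercert()` returns; the two certificate dicts are constructed for illustration, not real certificates. A DV certificate for the right name passes the match yet carries no organization name, which is exactly the gap EV was meant to fill.

```python
# Added example: what the browser checks on a certificate (name match) and what
# it cannot tell you (who owns the domain). The certificate dicts are constructed
# in the shape returned by ssl.SSLSocket.getpeercert(); they are not real certs.

def dns_names_from_cert(cert):
    """Return the dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_org(cert):
    """Return organizationName from the subject, or None if absent (typical of DV certs)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def hostname_matches(hostname, dns_names):
    """RFC 6125-style matching: case-insensitive, and a wildcard is allowed only as
    the entire leftmost label, matching exactly one label (so *.com never matches)."""
    host = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        pattern = name.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if "*" in pattern[0]:
            # partial wildcards (w*.example.com) and wildcards directly under a TLD are rejected
            if pattern[0] != "*" or len(pattern) < 3:
                continue
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


# Constructed DV certificate: only a commonName in the subject, no organization at all.
DV_CERT = {
    "subject": ((("commonName", "myinternetbank.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example DV CA"),)),
    "subjectAltName": (("DNS", "myinternetbank.com"), ("DNS", "*.myinternetbank.com")),
}

# Constructed EV-style certificate: the subject carries the vetted organization name.
EV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "My Internet Bank, Inc."),),
        (("commonName", "www.myinternetbank.com"),),
    ),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example EV CA"),)),
    "subjectAltName": (("DNS", "www.myinternetbank.com"),),
}


def check_connection(hostname, cert):
    """Everything the padlock can tell you: name match, plus any asserted organization."""
    return {
        "name_matches": hostname_matches(hostname, dns_names_from_cert(cert)),
        "organization": subject_org(cert),
    }


if __name__ == "__main__":
    for host, cert in [("login.myinternetbank.com", DV_CERT), ("www.myinternetbank.com", EV_CERT)]:
        print(host, check_connection(host, cert))
```

Both connections pass the name check, so both get a padlock; only the EV one can put a name in the address bar, and neither tells you whether "My Internet Bank, Inc." is the bank you meant.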
Another problem is the expanded character set for domain names, which enables the IDN homograph attack: look-alike letters from another language or script are used to register a domain name (and obtain an SSL certificate for it), so at first glance myínternetbank.com might pass for myinternetbank.com. Luckily, most browsers do look out for such things and display the name in its Punycode (xn--) encoding instead.
And yet another problem is subdomain spoofing, where a link looks legitimate at first glance, such as myinternetbank.us.fintek.co.tld, even though the domain that was actually registered is fintek.co.tld and "myinternetbank" is just a subdomain the attacker created under it. If the link is long enough, it may also get truncated, hiding the tail. How to mitigate this? That probably deserves its own post, or at least a section, especially around DMARC setup for the email side, but the best way to help stop a determined phishing attack is to check, double check, and triple check the URLs and certificates.
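As an added example (not code from the original post), here is a small Python URL checker that does mechanically what the last two paragraphs say to do by eye: it converts the host to the Punycode form the browser would show, flags mixed-script labels, and compares the registrable domain (the part left of the public suffix) with the domain you expected. It assumes a tiny, constructed subset of the Public Suffix List named PUBLIC_SUFFIXES; real code should load the full list from publicsuffix.org. The sample URLs are constructed too, including a variant of the post's fintek example using the real .co suffix.

```python
# Added example: detect IDN homographs and subdomain spoofing in a link.
# Nothing here is from the original post. PUBLIC_SUFFIXES is a constructed,
# deliberately tiny subset of the Public Suffix List; load the full list in real code.
import unicodedata
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "co", "uk", "co.uk"}


def script_of(char):
    """Script family from the first word of the Unicode name ('LATIN', 'CYRILLIC', 'GREEK').
    Plain ASCII letters are named LATIN ..., so they group with accented Latin."""
    name = unicodedata.name(char, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def registrable_domain(ascii_host):
    """The label just left of the longest matching public suffix, i.e. what was
    actually registered. Returns None if the host is a bare suffix."""
    labels = ascii_host.split(".")
    for i in range(len(labels)):  # longest suffix first, so co.uk wins over uk
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def analyze_url(url):
    host = (urlsplit(url).hostname or "").rstrip(".")
    # IDNA encoding gives the xn-- form a browser falls back to for a homograph
    ascii_host = host.encode("idna").decode("ascii")
    scripts = {script_of(c) for c in host if c.isalpha()}
    return {
        "host": host,
        "ascii_host": ascii_host,
        "punycode": ascii_host != host,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "registrable_domain": registrable_domain(ascii_host),
    }


def check_url(url, expected_domain):
    """Reasons not to trust `url` as a link to `expected_domain`; empty list means it looks fine."""
    r = analyze_url(url)
    reasons = []
    if r["punycode"]:
        reasons.append("non-ASCII host, browser shows " + r["ascii_host"])
    if r["mixed_script"]:
        reasons.append("mixed scripts: " + ", ".join(sorted(r["scripts"])))
    if r["registrable_domain"] != expected_domain:
        reasons.append("registrable domain is %s, not %s" % (r["registrable_domain"], expected_domain))
    return reasons


if __name__ == "__main__":
    # Constructed sample links: the genuine site, a subdomain spoof, a Latin-accent
    # homograph and a Cyrillic-letter homograph (the 'a' is U+0430).
    for link in [
        "https://www.myinternetbank.com/login",
        "https://myinternetbank.us.fintek.co/login",
        "https://my\u00ednternetbank.com/login",
        "https://myinternetb\u0430nk.com/login",
    ]:
        print(link, "->", check_url(link, "myinternetbank.com") or "ok")
```

The expected-domain comparison is the step that matters most: a Punycode or mixed-script warning tells you a host is odd, but only comparing the registrable domain with the one you already know catches myinternetbank.us.fintek.co, which contains no unusual characters at all.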