You see them every day, even if you don't pay them any mind. The little padlock symbol in the corner of your address bar appears on almost every website you visit. It accompanies Hypertext Transfer Protocol Secure, or HTTPS, and tells users that the site presented valid credentials. HTTPS is the secure version of HTTP, the protocol browsers use to load pages and follow hypertext links.
Standard HTTP can carry sensitive user data, such as bank logins and email, but over plain HTTP there is a far greater risk of that information being exposed to outsiders. HTTPS displays the green padlock to tell users that their traffic to the site will be encrypted. It is also widely read as an indicator that the website is legitimate and trustworthy.
But while this is widely accepted as true, cybersecurity experts warn that it is much easier than you would think for attackers to obtain HTTPS-enabled domains. Contrary to popular belief, the little green padlock is not the be-all and end-all of a secure site, and it might even be turned against you.
True Lies
In December 2017, a TV commercial for Barclays Bank in the UK advised viewers to check for the green padlock to make sure that "the website is genuine." Complaints that the advice was misleading spread rapidly, and the Advertising Standards Authority eventually upheld them, agreeing that "the padlock measure alone could not ensure safety."
According to James Lyne, CTO at SANS Institute, cybercriminals' commitment to the scam can outdo even legitimate websites. Not only have they begun to use HTTPS to draw in unwitting victims, but the trust scores of these illegitimate sites can end up higher than those of normal sites.
A cybercriminal intent on feigning legitimacy needs only to buy a Transport Layer Security (TLS) certificate and use it to encrypt traffic to the malicious site. The browser checks only that the certificate is valid for the domain it is connecting to, not who operates that domain, so the connection is treated like any other encrypted site and the padlock shows up in the address bar.
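As an added illustration (not part of the original post), the following Python reproduces the checks a browser performs before drawing the padlock: a trusted issuer, a current validity window, and a hostname that matches the certificate's subjectAltName. The CA name, certificate fields and domain names are constructed for the example; a genuine site and a lookalike name both pass, because none of these checks asks who operates the name.

```python
from datetime import datetime, timezone

# Constructed trust store; a real browser uses the OS or browser root CA set.
TRUSTED_ISSUERS = {"Public DV CA (constructed)"}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: exact match, or a wildcard that is the whole
    leftmost label and covers exactly one label (no '*.com', no 'a*.x')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def padlock_check(hostname, cert, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return (ok, problems). `cert` mimics the dict shape returned by
    ssl.SSLSocket.getpeercert(), with datetime validity fields for brevity.
    Issuer, dates and name are all the padlock attests to."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer is not a trusted CA")
    if not cert["notBefore"] <= now <= cert["notAfter"]:
        problems.append("certificate outside its validity period")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dns_name_matches(s, hostname) for s in sans):
        problems.append("hostname does not match any subjectAltName entry")
    return not problems, problems

def sample_cert(*names):
    """Constructed domain-validated certificate covering the given DNS names."""
    return {
        "issuer": "Public DV CA (constructed)",
        "notBefore": datetime(2024, 1, 1, tzinfo=timezone.utc),
        "notAfter": datetime(2024, 4, 1, tzinfo=timezone.utc),
        "subjectAltName": tuple(("DNS", n) for n in names),
    }

NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)
# The genuine bank and a lookalike name both hold valid DV certificates,
# so both earn the padlock; the browser's check cannot tell them apart.
GENUINE = padlock_check("login.bank.example", sample_cert("*.bank.example"), NOW)
LOOKALIKE = padlock_check("bank-example-login.example",
                          sample_cert("bank-example-login.example"), NOW)
# GENUINE and LOOKALIKE are both (True, [])
```

Only a mismatched name, an untrusted issuer or an expired certificate removes the padlock; the lookalike fails none of those tests.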
For the most part, encryption on the Internet is still far from universal. Security researcher Scott Helme is among the experts warning that it needs to become the standard everywhere: "We need it to become so ingrained and embedded into everything that we do that it's boring, and we don't need to talk about it because it shouldn't be special," he said.
Under Lock and Key
As cybersecurity experts fight to set a new standard for the industry, it is important to know your organization's exposure to current threats.
BAI Security’s Red Team Assessment offers a relevant, comprehensive evaluation in one virtual assessment process that uses multiple key attack vectors, including:
- Penetration Testing (internal and external)
- Social Engineering/Phishing Attacks (by phone, email, and in-person; we take this to the next level by attempting an actual breach of your network)
- Physical Access (perimeter sweep, building access, secure interior room access)
- Black Box (planting rogue remote-access devices in the production network)
- Secure Document Disposal (secure/common waste disposal, dumpster inspection)
- Wireless (forged authentication, encryption testing, device spoofing)
Contact us today to learn more.