Why Web Browser Padlocks Shouldn’t Be Trusted

web browsing safe browser padlock not enough

Popular ‘safe browsing’ padlocks are now passe as a majority of bad guys also use them.

For years, Apple, Firefox, Google and Microsoft relentlessly made the point that in order to avoid rogue sites you must make sure your browser “padlock” is either locked, green or is otherwise indicating a site as being “secure.” Now, cybersecurity firms are stressing that those padlocks are not enough.

“You must look beyond the lock,” said Dean Coclin, senior director of business development at DigiCert. “They simply can’t be trusted anymore.”

That’s because, years after all major browsers have added visual safety cues to their address bars, the majority of bad guys are also using them.

On Monday, the Anti-Phishing Working Group (APWG) released a study (PDF) that tracked a large uptick in phishing attacks in Q2 of 2020. The surge involves rogue sites using the cryptographic protocol Transport Layer Security or TLS, most commonly referred to by its legacy name Secure Sockets Layer, or SSL.

SSL padlocks indicate that a browser is using a secure and encrypted communication pipe to the server hosting the desired website. SSL warnings are also complemented by the additional “HTTPS” indication within a browser address bar, meaning the browser is transmitting information safely using Hypertext Transfer Protocol Secure.

Certificate Abuse Skyrockets

According to the APWG report, 80 percent of phishing sites used SSL certificates in Q2. Attacks ranged from phishing lures pointing to bogus wire-transfer sites, to social-media platforms Facebook and WhatsApp being pelted with links to shady domains.

Pockets of abuse of TLS/SSL certificates have nagged the industry for years. But today the problem has become chronic, Coclin said. “Ever since the last major browser added SSL warnings to its address bar the bad guys have been also been using SSL/TLS padlock,” he said.

Phishers Up the Ante 

Rogue domain certificates have been mostly limited to bad actors acquiring what are called domain-validated certificates acquired for free from services such as Let’s Encrypt.

Domain-validation certificates are a bare-bones solution for securing communications between a web browser and a server using TLS encryption. Several free services have an automated self-serve system that only checks that an applicant has control over a domain before issuing a free certificate. It’s a system ripe for abuse when issuing domain-validation certificates, experts say.

Considered more secure are extended-validation and organizational-validation certificates. These higher-level certificates used by banks, insurers and e-commerce sites require extensive vetting of applicants to ensure sites are who they say they are. But now, the APWG reports that even extended-validation certificates may not be as trustworthy as once thought.

%of Phishing Attacks Hosted on HTTPS

Percent of Phishing Attacks Hosted on HTTPS

“In addition, the observed emergence of phishing sites using extended-validation certificates in Q2 is a stark reminder that phishers are increasingly turning security features against users,” the report stated.

Of all the attacks looked at in the APWG report, 91 percent of certificates used in phishing attacks were domain-validated. “Interestingly, we found 27 web sites that were using extended-validation certificates,” according to John LaCour, founder and CTO of digital risk protection company PhishLabs.

“This use of extended-validation certificates is a serious business. The point of an extended-validation certificate is that they require verification of the requesting entity’s legal identity before the certificate is issued,” according to the report.

Hackers behind the extended-validation certificates didn’t acquire the certificates legitimately, rather they hacked the sites that already had them, the report states.

Attackers “are increasingly turning security features against users,” wrote PhishLabs, in a recent blog post on the topic.

The primary concern has been that domain- or extended-domain certificates offer criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks and a way to sneak malware through company firewalls.

Unsuspecting users might think they’re communicating with trustworthy sites because the identity of the site has been validated by a certificate authority, without realizing that these are either hijacked extended- or domain-validated certificates.

The remedy from browser firms, Coclin said, has been to roll out new safe-browsing tools such as Google’s Safe Browsing for Chrome and Microsoft’s SmartScreen filter, which facilitates safe browsing for Internet Explorer and Edge browsers.

Coclin warns these are stop-gap solutions and that what really needs to be done is overhaul of the domain-registration system. “Why people are allowed to register clearly fraudulent domains in the first place, I don’t know,” he said. “The problem is, nobody wants to own this problem. And until someone does, you must look beyond the padlock.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles