Why the lock in the address bar is not always a sign of site security


It is widely believed that the lock icon or the word “Secure” in the browser’s address bar indicates that a site is safe, but according to information security experts such visual cues should not be blindly trusted, because attackers use them to deceive users too.

According to research by the Anti-Phishing Working Group (APWG), phishing attacks spiked in the second quarter of 2020, and most of the phishing sites involved used TLS (still commonly called SSL). Such sites display the lock icon, which means only that the browser has an encrypted connection to the server, not that the server belongs to whom it claims or that the site is trustworthy. APWG found that 80% of the phishing sites detected in the second quarter used SSL certificates.

“Since the major browsers added SSL alerts to the address bar, the bad guys have started using SSL/TLS lock icons too,”
– said DigiCert specialist Dean Coclin.

Whereas attackers used to rely mainly on domain-validated (DV) certificates, which can be obtained for free from services such as Let’s Encrypt, APWG says it is now worth being cautious even about Extended Validation (EV) certificates, which are considered more trustworthy.

“The advent of phishing sites using Extended Validation certificates is a stark reminder that phishers are increasingly turning security features against users,”
– the company’s report states.

According to PhishLabs research, 91% of the phishing sites it detected used domain-validated SSL certificates, and 27 sites used EV certificates. Because an EV certificate is harder to obtain, experts believe attackers compromise legitimate sites that already hold one rather than apply for their own.
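The distinction the article draws is invisible behind the padlock: a DV certificate asserts nothing beyond control of the domain name, while OV and EV certificates name a vetted organization. The following helper, an added example that is not part of the original article or of any vendor tool, fetches a site’s certificate with Python’s standard `ssl` module and reports the validation level. The CA/Browser Forum policy OIDs in `CABF_POLICY_OIDS` are the authoritative signal, but `ssl.getpeercert()` does not expose the certificatePolicies extension, so when no policy list is passed in the code falls back to a heuristic on the subject fields (`businessCategory` plus a `jurisdiction*` attribute for EV, `organizationName` for OV); the exact attribute names returned for EV certificates are an assumption about OpenSSL’s long-name output. The sample certificates in the test are constructed, and the result says nothing about whether a site is phishing, which is precisely the article’s point.

```python
"""Report what a site's TLS certificate does and does not assert.

The lock icon only proves the browser negotiated an encrypted session with a
host holding a certificate valid for that name. This helper makes the
validation level explicit, so "DV, no organization named" is visible
instead of hidden behind the padlock.
"""
import socket
import ssl

# CA/Browser Forum reserved certificate-policy OIDs. These are the
# authoritative validation-level markers when a policy list is available
# (for example from `openssl x509 -text -noout -in cert.pem`).
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}


def _subject_fields(cert):
    """Flatten the getpeercert() subject (tuple of RDN tuples) into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def classify_validation(cert, policy_oids=None):
    """Return 'EV', 'OV', 'IV' or 'DV' for a getpeercert()-style dict.

    policy_oids, if given, is an iterable of certificatePolicies OIDs and
    takes precedence. Otherwise fall back to subject-field heuristics
    (assumption: OpenSSL long names such as 'businessCategory' and
    'jurisdictionCountryName' appear in EV subjects).
    """
    for oid in policy_oids or ():
        if oid in CABF_POLICY_OIDS:
            return CABF_POLICY_OIDS[oid]
    subj = _subject_fields(cert)
    if "businessCategory" in subj and any(k.startswith("jurisdiction") for k in subj):
        return "EV"
    if "organizationName" in subj:
        return "OV"
    # Let's Encrypt-style DV certificates carry only a commonName (if that).
    return "DV"


def describe(hostname, cert, policy_oids=None):
    """Summarize what the certificate proves about the host's identity."""
    level = classify_validation(cert, policy_oids)
    subj = _subject_fields(cert)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "hostname": hostname,
        "validation": level,
        # None for DV: the CA vetted domain control only, not who runs it.
        "organization": subj.get("organizationName"),
        "names_covered": sans,
        "identity_asserted": level in ("EV", "OV", "IV"),
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(describe(host, fetch_cert(host)))
```

Run it against any host to see that a valid padlock and `"validation": "DV"` go together perfectly well; an EV result only means a vetted organization owns the name, not that the page it serves is legitimate, which is why compromised EV sites are attractive to phishers.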

Experts are concerned that SSL certificates give criminals an easy way to spoof a site or server, mount man-in-the-middle attacks and bypass corporate firewalls. Although many browser vendors have implemented countermeasures, they are not enough; to solve the problem, the domain registration system needs to be reviewed, Coclin believes.

“I don’t know why people are allowed to register fraudulent domains in the first place. The problem is that nobody wants to solve it, and until then you have to look outside the castle,”
– the expert emphasized.


Source: securitylab
