Web Users Warned Over Browser Green Padlock Trickery
Security researchers have warned that nearly half of all phishing sites falsely display the browser padlock symbol commonly associated with secure websites. It's a reminder that the browser padlock symbol only covers one aspect of security.
Most major browsers display the padlock symbol when a website uses a technology, most commonly Secure Sockets Layer (SSL), to encrypt data as it passes between the user's computer and the website, or vice versa. Such sites have an address starting "https://" rather than "http://".
The purpose of the padlock symbol is to indicate to the user that the website carries a valid SSL security certificate. The SSL certificate contains code known as a public key, which is then transmitted to the user's browser. The browser then combines this with a private key, which is a code that relates to the specific user.
Padlock Shows Connection Secure
The data that goes back and forth is encrypted in a way that means it can only be read with both the private and public keys. As a result, anyone who intercepts the data will find it practically impossible to read. Naturally, that's good news when transferring passwords or card numbers, or retrieving personal data such as bank records.
A company called "PhishLabs" has now revealed the results of its study of phishing websites. These are scam sites that try to trick users into handing over personal details - for example, by pretending to be the real website of an organization. In the past three years, the proportion of phishing websites that carry the security certificate and the padlock has gone from half a percent in 2015 to 49 percent in the third quarter of 2018.
It's important to note that the padlock symbols are genuine: they are generated by the browser rather than displayed by the website itself. The phishing sites are in fact using security certificates and encrypting the data, regardless of their other deception.
No Guarantee All Above Board
The dramatic rise is down to several factors. First, scammers decided having the padlock would make their sites look more legitimate. Secondly, changes in the way security certificates are issued mean it's easier to get them without revealing the identity of the site owners, which naturally tends to be kept as secret as possible with phishing sites. Thirdly, browsers now give clear warnings when websites don't use encryption but still ask for personal details. (Source: krebsonsecurity.com)
PhishLabs notes that in some ways this is good news for phishing victims: if they do get scammed into handing over personal details, there's at least less risk of a third party intercepting them. However, it points out that the padlock is no guarantee that a site is legitimate. (Source: cnet.com)
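To see what a certificate behind a padlock actually says about the site owner, here is an added example (not part of the original article or the PhishLabs study) that reads the fields Python's standard ssl module exposes. The two sample certificates, their hostnames and their CA names are constructed for illustration; both would produce a padlock if validly issued, but only one names an organization.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the chain-validated leaf certificate in ssl.getpeercert() dict form."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as a browser does
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def flatten_name(name):
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value)."""
    return {key: value for rdn in name for key, value in rdn}

def identity_claims(cert):
    """Report what the certificate asserts about who is behind the site."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names and "commonName" in subject:
        dns_names = [subject["commonName"]]
    organization = subject.get("organizationName")
    return {
        "hostnames": dns_names,
        "organization": organization,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        # False means the certificate vouches only for control of the hostname.
        "names_an_owner": organization is not None,
    }

# Constructed sample certificates (not captured from real sites).
DV_SAMPLE = {
    "subject": ((("commonName", "account-verify.example"),),),
    "issuer": ((("organizationName", "Constructed Free CA"),), (("commonName", "CFCA R1"),)),
    "subjectAltName": (("DNS", "account-verify.example"),),
}
OV_SAMPLE = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Constructed Commercial CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE)):
        print(label, identity_claims(cert))
```

Many legitimate sites also use certificates that name only a hostname, so a missing organization is not a phishing indicator on its own; the output simply shows how little identity the padlock can rest on.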
What's Your Opinion?
What did you understand the padlock symbol to mean? Should browser developers or legitimate sites such as online banks do more to explain the symbol to users? What measures do you take to check websites are legitimate?
Comments
It is always a battle between the good guys and the bad guys
and the good guys have lost this battle,
so
get rid of the lock symbol
so that people do not have a false sense of security
and use something else.