If you’ve ever taken comfort in seeing a padlock in your browser’s URL bar, you might want to rethink the trust you put in that little icon. New research shows that an increasing number of phishing sites use Secure Sockets Layer, or SSL, and therefore sport the padlock despite being illegitimate websites meant to steal information. The padlock, then, means a lot less than some people think it does.
Of course, the presence of SSL/TLS, and by extension the padlock and the “https://” part of a URL, has only ever meant that your traffic with that website is encrypted; it has never been an indication that the site you’re using is legitimate. Once upon a time, SSL may have been used mostly by reputable sites, but these days, adoption is increasing among phishing sites as well.
Krebs on Security today reported on newly published data from PhishLabs that shows 49% of all phishing sites are sporting the padlock as of Q3 2018. In the previous quarter, that number was 35%, and in the year-ago quarter, it was only 25%. So, in just a year’s time, the share of phishing sites using SSL has almost doubled.
Even worse is that a separate PhishLabs poll, which was carried out last year, shows that 80% of people still consider sites that show a padlock to be safe or otherwise legitimate. The hope is that the number of people who believe this is shrinking as time goes on, but it seems unlikely that group is getting smaller anywhere near as fast as phishing sites are adopting SSL/TLS to appear more legitimate.
So, if you’ve spent your internet-going life thinking that the green padlock meant safety, consider these findings to be your wake-up call. Unfortunately, it seems that staying safe on the internet won’t be quite as easy as checking for a simple icon.