The Dangers of HTTPS: When Secure Is Not Safe

By Eric H. Perkins, Sr. Security Risk Analyst, Edelman Financial Engines

The web, as we know it, is going through a major shift to encrypt all traffic to better secure user data by fixing many serious vulnerabilities, like eavesdropping and content hijacking. In fact, you’ve probably noticed that major web browsers even warn you before connecting to a non-secure website. So, when you see that green lock icon in the URL bar that means it’s safe, right? Wrong.

Being secure, simply stated, is not the same as being safe. The term “safe” implies the site in question is free of malware and/or nefarious activity. In the context of your web browser, the term “secure” simply means that your information is being properly encrypted while connected to the site. It’s this term that is being visually represented with the green lock icon found on webpages that start with HTTPS, a secure data networking protocol. Ideally, you want to only interact with sites that are both safe and secure.

The HTTPS protocol was designed to help protect data in motion by encrypting each internet session. This encryption is what protects your data from being accessed if intercepted. However, it doesn’t ensure the site is trustworthy and it wasn’t designed to protect you from malware and/or phishing attempts.

The once coveted “green lock” that was mainly used for financial transactions is now available for free to anyone; including malicious actors. In fact, it has been reported that 58% of all phishing related websites are now hosted using HTTPS. It is for this reason that no one should assume a website is “safe” just because it’s being hosted using HTTPS. It’s still very important to visually identify the lock icon when transacting with any website but understand that it doesn’t necessarily indicate that a site is legitimate. Attackers mimic a target website by simply copying the code from a legitimate site and pasting it to their malicious site; making it nearly impossible to differentiate the good from the bad.

Therefore, you should never click on links in suspicious emails. Instead, get into the habit of using a password manager to store known good bookmarks or reputable search engines to visit sites of interest versus clicking on links provided within emails. Additionally, always verify the domain address within the URL bar as well as identifying the secure lock icon before providing any form of personally identifiable information or login credentials. For those who want extra validation, websites like VirusTotal can be leveraged to scan and verify if the URL is considered “safe”.

About the Author

Eric H. Perkins is currently the Sr. Security Risk Analyst for the largest independent investment advisory firm in the Nation. Before joining Edelman Financial Engines, Eric began his career in network security while serving as an active duty Information Security Officer in the US Army both in the country and while deployed to Afghanistan. Eric holds numerous IT certifications to include CISSP and is a relentless advocate for security awareness. Eric can be reached at [email protected] or online at https://www.linkedin.com/in/erichperkins/.