The Dangers of HTTPS: When Secure Is Not Safe

By Eric H. Perkins, Sr. Security Risk Analyst, Edelman Financial Engines

The web as we know it is going through a major shift to encrypt all traffic, closing off serious weaknesses such as eavesdropping and content tampering in transit. You have probably noticed that major browsers now warn you before connecting to a non-secure website. So when you see that green lock icon in the URL bar, the site must be safe, right? Wrong.

Being secure, simply stated, is not the same as being safe. "Safe" implies the site in question is free of malware and nefarious activity. In the context of your web browser, "secure" means only that your traffic is encrypted between your browser and the site, and that the site presented a certificate valid for the domain shown in the address bar. That is what the lock icon represents on pages whose address starts with HTTPS, which is ordinary HTTP carried over TLS. Ideally, you want to interact only with sites that are both safe and secure.

HTTPS was designed to protect data in motion: TLS encrypts the connection and checks the server's certificate against the domain name, so an attacker who intercepts the traffic can neither read nor alter it. Nothing in that design vouches for who operates the domain or for what the page contains. HTTPS does not ensure a site is trustworthy, and it was never designed to protect you from malware or phishing.

The once-coveted "green lock," which was mainly used for financial transactions when certificates cost money, is now available for free to anyone, including malicious actors. In fact, it has been reported that 58% of phishing websites are now hosted over HTTPS. For this reason, no one should assume a website is "safe" just because it is served over HTTPS. It is still important to look for the lock icon when transacting with any website, but understand that it does not indicate the site is legitimate. Attackers clone a target site by copying its HTML and assets to a domain they control, so the page itself looks identical to the real one; the only reliable difference is the domain name in the address bar.

Therefore, never click links in suspicious emails. Instead, bookmark known-good sites and reach them from the bookmark or from a reputable search engine rather than from a link in a message, and use a password manager: it fills credentials only on the domain they were saved for, so it will stay silent on a lookalike site. Always verify the domain in the URL bar, not just the presence of the lock icon, before providing any personally identifiable information or login credentials. For extra validation, a service like VirusTotal can scan a URL and report whether it has been flagged as malicious.
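The domain check described above is easy to get wrong by hand, because the tricks phishers use (a real brand name as a subdomain of their own domain, a brand name in the user-info part before an @, internationalized lookalike characters) all leave the legitimate name visible somewhere in the URL. The following is an added example, not code from the article or its author, that applies the check the way a browser does: it takes the host the browser would actually connect to and accepts it only if it is, or sits under, a bookmarked domain. The allowlist, the `example-bank.com` domain and all sample URLs are constructed for illustration.

```python
"""Check whether a URL's host is a known-good domain before trusting it.

Added example, not from the original article. The allowlist, the
'example-bank.com' domain and every sample URL are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user has bookmarked.
KNOWN_GOOD = {"example-bank.com", "example-broker.com"}


def registrable_host(url: str) -> Optional[str]:
    """Return the lowercase hostname the browser would actually connect to.

    urlsplit() yields the real host: user-info ('brand@host') and the port
    are stripped and the name is lowercased. A naive substring search for
    'example-bank.com' in the URL string would be fooled by both tricks.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    # 'example-bank.com.' (trailing dot) is the same host as 'example-bank.com'.
    return host.rstrip(".")


def is_homograph(host: str) -> bool:
    """True if any label is Punycode (xn--), i.e. contains non-ASCII characters
    that may be chosen to look like Latin letters."""
    return any(label.startswith("xn--") for label in host.split("."))


def check_url(url: str) -> Tuple[bool, str]:
    """Return (trusted, reason) for a URL about to receive credentials.

    The lock (https) is necessary but not sufficient; the host must equal,
    or be a true subdomain of, a known-good registrable domain.
    """
    if urlsplit(url).scheme != "https":
        return False, "not https: no encryption in transit"
    host = registrable_host(url)
    if host is None:
        return False, "no host in URL"
    if is_homograph(host):
        return False, f"punycode/IDN host {host!r}: possible homograph"
    for good in KNOWN_GOOD:
        # Match on a label boundary only: 'example-bank.com.evil.example'
        # ends with 'example-bank.com' as text but not as a subdomain.
        if host == good or host.endswith("." + good):
            return True, f"host {host!r} is under known-good {good!r}"
    return False, f"host {host!r} is not a known-good domain"


if __name__ == "__main__":
    # Constructed sample URLs: the first is legitimate; the rest are classic
    # lookalikes, most of them served over HTTPS with a perfectly valid lock.
    for u in (
        "https://online.example-bank.com/login",
        "https://example-bank.com.account-verify.example/login",
        "https://example-bank.com@evil.example/login",
        "https://examp1e-bank.com/login",
        "https://xn--exmple-bank-wyb.com/login",  # illustrative punycode label
        "http://online.example-bank.com/login",
    ):
        ok, why = check_url(u)
        print(f"{'TRUST' if ok else 'STOP '}  {u}\n        {why}")
```

The suffix test is deliberately anchored on a dot: matching `host.endswith(good)` without the leading dot would accept `notexample-bank.com`, and matching on the URL string instead of the parsed host would accept every lookalike in the sample list. This is the same domain-scoped matching a password manager performs before it offers to fill a saved login.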

About the Author

Eric H. Perkins is currently the Sr. Security Risk Analyst for the largest independent investment advisory firm in the nation. Before joining Edelman Financial Engines, Eric began his career in network security while serving as an active duty Information Security Officer in the US Army, both in the country and while deployed to Afghanistan. Eric holds numerous IT certifications, including CISSP, and is a relentless advocate for security awareness. Eric can be reached at eperkins21@protonmail.com or online at https://www.linkedin.com/in/erichperkins/.
