Nearly half of phishing sites now use SSL.
Google has led a big push in recent years to get all websites to use Secure Sockets Layer (SSL). You know a site uses it when its address starts with https:// instead of http:// and the browser shows a padlock next to the URL.
People have been trained to look for sites that are secure, but this has created a false sense of security. According to new research from PhishLabs, half of all phishing sites detected last quarter used SSL.
SSL merely means that the data sent between you and the website operator is encrypted in transit; it says nothing about who that operator is. So if you send data to a phisher using SSL, congratulations, you just securely sent your data to a criminal.
Perhaps this false sense of security is why Google is starting to downgrade the positive designations it uses in Chrome to identify sites using SSL. It no longer shows a green padlock with “Secure” next to the URL; it’s just a gray padlock. Eventually, sites with SSL will show no designation in Chrome, while sites without it will show “Not Secure”.
The issue in my opinion is they (ICANN, registrars, cert. providers, etc.) make the process too cheap, thereby making it easier for phishing sites to establish legit-looking sites.
How often have we seen instances where someone can sign up for unlimited domains – subdomains – shared hosting with free cPanel, SSL certification, etc.?
Literally, by tomorrow I could have a URL, hosting, certificate and theme whipped up and put online for less than $10/year. No wonder scammers are hammering the internet so successfully.
In its effort to get everyone to use SSL, Google backed Let’s Encrypt, which provides free certificates. The big difference in quality is between domain-validated certificates, which prove only that the applicant controls the domain name, and certificates that require more validation of the organization behind the site.
Google realized having people focus on the address bar and the domain name was a mistake for their goal of eliminating direct browser type-ins.
I pay $200 per year for an EV SSL certificate specifically for the green bar and lock and now they want to hide it?
Again, it is all about the eyeballs and Google can’t have a new generation trusting a green bar AND looking at an actual domain name.
What’s next? Google just arbitrarily decides your website gets marked “not safe” if you don’t pay them for certification?
Give a person an inch and watch them take a foot. Collectively they are powerful, but individually they are made up of quite a few ass hats.