Phishing embraces HTTPS, hoping you’ll “check for the padlock”

After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs.

Google is a long-time admirer, and in October started plastering “not secure” labels in the Chrome address bar on many sites that fail to use HTTPS by default, a tactic meant to persuade more website owners to share its enthusiasm.

Facebook, Twitter and WordPress, meanwhile, have been keen for years, which helps explain EFF figures from early in 2017 estimating that an impressive half of all web traffic was being secured using HTTPS.

So alluring has HTTPS become that it has now acquired suitors it could do without – phishing websites.

According to PhishLabs, a quarter of all phishing sites now use HTTPS, up from a few percent a year ago.

The increase has been so dramatic in 2017 that in a single quarter its popularity among phishing sites doubled. What’s causing this sudden interest?

One explanation:

As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases.

This is logical. As the number of sites using HTTPS increases, the chance that a legitimate site compromised to host phishing attacks will already have it enabled increases too.

Which means that acquiring an HTTPS certificate is an empty upgrade if other vulnerabilities are not addressed at the same time.

But there’s a second, less savoury possibility:

An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains.

We’ll call this the ‘window-dressing theory’: cybercriminals believe that web users are lulled into a false sense of security by the presence of HTTPS even though their scams might work without it.

That these certificates are obtained free of charge from services such as Let’s Encrypt, set up to spread the use of HTTPS among legitimate web makers, only adds to the painful sense of unintended consequences.

The culprit here is not really HTTPS, or Let’s Encrypt, but the green padlock symbol itself, browsing’s most misunderstood and over-rated signifier.

Too many people see its glow and think it guarantees a site’s legitimacy when, of course, no symbol can ever provide absolute certainty.

This is partly the industry’s fault, starting with Google. Visit an HTTPS site in Chrome and the browser will describe padlocked sites as “secure”, which refers to the connection, not the site itself.

Except that not everyone knows this.

Browsers also use a colour-coding system to designate the trustworthiness of a site (green padlocks being awarded to sites with an Extended Validation certificate), but even those indicators can still appear on phishing sites that integrated filtering has not yet detected.
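The padlock answers one question (is the connection encrypted?) while the phishing problem described above turns on a different one (who owns the domain I am actually talking to?). The following Python script, added here as an illustration and not code from this article or from PhishLabs, separates the two checks: it records whether a URL uses HTTPS, works out the registrable domain (the part a registrant actually controls), and flags URLs in which a brand name appears somewhere other than that registrable domain, which is the pattern behind the maliciously-registered PayPal and Apple look-alikes the report describes. The tiny public-suffix table, the brand-to-domain map and the sample URLs are all constructed for the example; a real checker would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org). Only suffixes needed by the sample URLs are listed.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed map of brand keyword -> registrable domains the brand really owns.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (public suffix plus one label).

    'login.paypal.com' -> 'paypal.com'
    'paypal.com.secure-login.example.co.uk' -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so that 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Fallback for hosts with no known suffix: last two labels (or the lone label).
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Separate 'is the connection encrypted?' from 'is this the brand's own domain?'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    searchable = host + " " + parts.path.lower()

    findings = []
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue  # genuinely the brand's registrable domain
        if brand in searchable:
            findings.append(
                f"'{brand}' appears in the URL but the registrable domain is '{reg}'"
            )

    return {
        "host": host,
        "registrable_domain": reg,
        "https": parts.scheme.lower() == "https",
        "brand_impersonation": findings,
    }


def summarise(url: str) -> str:
    """One-line verdict showing that the padlock and the domain check are independent."""
    r = assess_url(url)
    padlock = "encrypted connection" if r["https"] else "plain HTTP"
    if r["brand_impersonation"]:
        return f"{url}: {padlock}; SUSPICIOUS - " + "; ".join(r["brand_impersonation"])
    return f"{url}: {padlock}; registrable domain {r['registrable_domain']}"


if __name__ == "__main__":
    # Constructed sample URLs: one real brand domain, two look-alikes.
    for sample in (
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.example.co.uk/signin",
        "http://appleid-verify.example.com/",
    ):
        print(summarise(sample))
```

Run as a script it prints one verdict per sample URL; the second sample is reported as both an encrypted connection and suspicious at the same time, which is exactly the combination the padlock alone cannot distinguish.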

Naked Security discussed this issue (and the problem of how sites are verified) in 2015 so it’s not a new worry.

The logical result of the trend PhishLabs has detected is that eventually all websites will use HTTPS whether they are phishing sites or not, at which point the misunderstanding of the whole padlock system will become apparent.

The dream of an entirely encrypted internet is a noble one but its ubiquity will be a pyrrhic victory if cybercriminals can find easy ways to manipulate it from the inside.