Why is it not safe to trust browser locks

The popular browser locks are now going out of style, as most hackers use them as well.

23 March, 2023

For years, Google, Apple, Firefox and Microsoft relentlessly pointed out that, to avoid dealing with fraudulent sites, one had to make sure that the “lock” on your browser was closed, green, or that it indicated that a site was “safe.” Now, cybersecurity companies are emphasizing that those locks are not enough to provide reliability.

“You have to look beyond the lock,” said Dean Coclin, DigiCert’s Senior Director of Business Development. “They just can’t be trusted anymore.”

This is because, years after all the major browsers have added visual safety signs to their address bars, today they are removing them, leaving only the padlock that is not enough to know if a site is really safe.

The Anti-Phishing Working Group (APWG) published a study that tracked a large increase in phishing attacks in the second quarter of 2020. The increase involves fraudulent sites using the Transport Layer Security or TLS cryptographic protocol, more commonly known for its inherited name Secure Sockets Layer, or SSL.

SSL locks indicate that a browser is using a secure and encrypted communication protocol with the server hosting the desired website. The SSL warnings are also supplemented by the additional indication “HTTPS” within the address bar of the browser, which means that the browser is transmitting the information in an encrypted manner.

According to the APWG report, 80 percent of phishing sites used SSL certificates in the second quarter. The attacks ranged from phishing lures targeting fake bank transfer sites to social media platforms like Facebook and WhatsApp receiving links to suspicious domains.

The availability of free or very low cost TLS / SSL certificates, without validation of the identity of the website owner, has impaired Internet security in recent years. But today the problem has become chronic, Coclin said. “Since the last great browser added SSL warnings to its address bar, hackers have been forced to use SSL / TLS locks as well,” he said.

Fraudulent domain certificates have mainly been limited to criminals acquiring so-called domain validated certificates acquired for free through services like Let’s Encrypt.

Domain Validated Certificates are a basic solution to protect communications between a web browser and a server using TLS encryption. Several free services have an automated system that only verifies that an applicant has control over a domain before issuing a free certificate. It is a system ready for abuse by issuing the certificates without any other type of control or validation, experts say.

Without a doubt, Extended Validation (EV) and Organizational Validation (OV) certificates are more secure. These top-level certificates used by banks, insurers, and e-commerce sites require extensive research from applicants to ensure that the sites are from who they claim to be and are rightfully owned.


Percentage of phishing attacks hosted on HTTPS

The main concern has been that Extended Validated Domain Certificates offer criminals an easy way to facilitate website spoofing, server spoofing, man-in-the-middle attacks, and a way to infiltrate malware through company firewalls.

Unsuspecting users may think that they are communicating with trusted sites because the identity of the site has been validated by a certification authority, without realizing that they are certificates in whose issuance process only the domain has been validated, without checking whether its owner or manager is a legitimate business or organization.

The remedy for browser companies, Coclin said, has been to implement new safe browsing tools like Google’s Safe Browsing for Chrome and Microsoft’s SmartScreen filter, which makes safe browsing easier for Internet Explorer and Edge browsers.

Coclin cautions that these are workarounds and that what really needs to be done is a review of the domain registration system. “In the first place, I don’t know why people can register clearly fraudulent domains,” he said. “The problem is that nobody wants to own this problem. And until someone does, users have to look a little beyond the lock.”

It is very important that when browsing a Transactional Web site the data that is in the certificate is verified, to verify who is the owner of the site (as long as it is a Validated Organization or Extended Validation certificate, since the Domain Validated do not have that information). In this way, users can safely check if the site operator is indeed the company with which they intend to operate. To do this, simply click on the padlock in the navigation bar.

Contact Us

for more information about our solutions and products.