Posted on November 26, 2018

When a padlock is worse than no padlock

A recent article on Krebs On Security reminded me of a very common misconception that I come across – that a padlock icon in the browser when visiting a website means that site is safe. So I thought I’d explain why this isn’t the case (and then I can just give people links to this article rather than explaining it multiple times).

The short version is that the padlock symbol only means that data transmitted between your browser and the site travels over an encrypted connection, so it should be protected while in transit. What it doesn’t mean is that the site itself is safe. It could be owned by anyone, the person running it could be doing anything with the data you send to it, and it could also contain malicious code. So if you don’t read any further, at least know to check (and I mean closely check) the address of the site, and if you’re in any doubt, type the website address in yourself to go to it directly rather than following a link from an email etc.

Here’s a bit more detail about what all this relates to. When you visit a website there are two main types of connection you can use (there are actually more, but for these purposes we’re talking about standard website addresses). These are http and https. The S in https stands for secure. If you go to a website with a URL beginning http:// then any data sent to the site is just sent as plain data that could potentially be read while in transit – I won’t go into the methods for doing this, but suffice it to say you definitely wouldn’t want to send your card details over an http connection.

With a site starting https:// the data goes over a secure connection and should be safe while in transit. This is the only safe part of the process though – once the data arrives at the site you’re still trusting that site with the data.

Where the misconception most commonly seems to come from is likening the padlock to the indicators on other sites, like the badge on Twitter that identifies a verified account, for example. It’s seen by a lot of people as meaning the site is genuine, which most definitely isn’t the case.

The only thing someone running a website needs to do in order to get this to appear is to obtain something called a certificate. These are very cheap, and are effectively a digital document installed on the web server that enables it to accept connections over https. So let’s say I create a website that looks exactly like Amazon’s homepage but at a domain called (not the best example admittedly), and then I buy a certificate for my site and install it. I then send out some spam emails (let’s say from telling people they’ve been gifted a free voucher and need to log into the site to redeem it. At first glance it might look like the genuine site, and someone clicking the link and going to my website page would see the padlock icon because it’s got an https connection. They enter their login details, and now I’ve got their Amazon account. I might also assume they use the same password for their email account, Facebook, etc.

A fake site might actually redirect you to the real site after you’ve entered your details and clicked login on theirs and you’d probably assume something just went wrong, enter your details again and then it works. So it’s possible you’d never realise anything bad had happened.

Hopefully that demonstrates why it’s a bad idea to assume a site is safe just because of the padlock symbol. This is becoming a bigger problem because, as the Krebs article states, half of all phishing sites are now doing this to make their sites look more genuine. It’s also worth looking at the excellent screenshot of an example site and the way they’ve used an alternative character in the fake domain name –
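To make the "check the address closely" advice concrete, here is a small Python script (an added example, not code from the original post) that separates the two questions the padlock conflates: is the connection https, and is the hostname actually the one you expect? It also surfaces look-alike characters of the kind the screenshot shows. The allowlist of expected hosts and the sample URL with a Cyrillic "а" are constructed assumptions for the demonstration.

```python
from urllib.parse import urlparse
import unicodedata

# Hosts you actually expect to log in to (assumption: an allowlist you maintain).
EXPECTED_HOSTS = {"amazon.com", "www.amazon.com"}

def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def lookalike_chars(host: str) -> list:
    """Every non-ASCII character in the hostname, with its Unicode name.
    A Cyrillic 'а' standing in for a Latin 'a' is caught here."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]

def ascii_form(host: str) -> str:
    """Punycode ('xn--') form of an internationalised hostname: what the
    browser actually connects to, and what many browsers show in the bar."""
    return host.encode("idna").decode("ascii")

def unicode_form(host: str) -> str:
    """Decode an 'xn--' hostname (e.g. one seen in a log) back to Unicode."""
    return host.encode("ascii").decode("idna")

def check_url(url: str, expected=EXPECTED_HOSTS) -> dict:
    """Report transport security and host identity as separate facts."""
    host = hostname(url)
    return {
        "host": host,
        "https": urlparse(url).scheme == "https",      # the padlock question
        "ascii_form": ascii_form(host),
        "lookalike_chars": lookalike_chars(host),
        "expected_host": host in expected,             # the real question
    }

if __name__ == "__main__":
    # Constructed sample: 'amazon' with its first letter replaced by
    # Cyrillic small a (U+0430), which renders identically to the Latin one.
    for url in ("https://www.amazon.com/login", "https://www.\u0430mazon.com/login"):
        r = check_url(url)
        print(r["host"], "->", r["ascii_form"], "| https:", r["https"],
              "| expected host:", r["expected_host"],
              "| look-alike chars:", r["lookalike_chars"])
```

The fake URL reports https as True and expected_host as False, which is exactly the gap the padlock hides.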

