How Secure Is SSL? Why A Lock Icon Doesn’t Equal Safe
by Serena Raymond on Jun 21, 2020 12:00:00 AM
You think you know how to stay safe online:
- Be careful what you download ✅
- Choose strong passwords ✅
- Ignore the Nigerian prince who keeps emailing you ✅
- Only visit sites with an SSL certificate ✅
If you follow these guidelines, you might feel safe. But wait! While these are good practices, they don’t necessarily ensure that you are safe.
True, you can’t guarantee that 100 percent of your downloads are safe. Even strong passwords can be hacked! But the important question to ask yourself is this: how secure is SSL, really?
Did you know that more than half of all known phishing websites have valid SSL certification? This is proof that an SSL certificate does not make a website legitimate. It makes the site secure, but SSLs aren’t magic. They don’t filter out malicious actors who own the domain you visit. They only guarantee your information won’t leak to someone posing as the domain owner.
What does SSL mean?
You’ve heard the term before, but what exactly does SSL mean? SSL stands for Secure Sockets Layer, and it is technology that essentially encrypts any line of communication between an internet user and the website on which the SSL is installed. It locks out any other party from the communication of information, so hackers are unable to view (or modify) the information you share.
How secure is SSL? A valid SSL certificate on a website simply means that if you send any information to the site, it remains private. SSL establishes a secure connection between your browser and the website or server that you visit. Third parties cannot hack this connection to see what is being shared.
How do you know when a website has SSL enabled? There are two simple ways to verify this:
- You’ll see a padlock icon to the left of the URL
- The URL will begin with “HTTPS” instead of “HTTP” (The “S” denotes the secure version of HTTP)
If SSL is present, it’s proof that you’re communicating with the owner of the domain, instead of someone posing as the owner.
What else does SSL do?
SSL guarantees that the data being shared on a particular site is protected. The main function of SSL technology is to reduce risk for internet users. Major search engines, including Google, have pushed for widespread adoption of this technology for years. As a result, websites that don’t utilize SSL are penalized in search engine results, and they experience much lower web traffic than secure sites.
SSL, therefore, is an important factor in web visibility and visits. Furthermore, most browsers now issue warnings to users when they come across an unprotected site. People are quick to abandon web pages that carry the “(!) Not Secure” warning, and an SSL certificate eliminates this label.
Why isn’t SSL always safe?
While sites should have SSL — it’s important — it’s not always a clear indicator that you should trust a site.
Imagine that you’re shopping for a charcoal grill. You find a website: newgrills.com. There’s a padlock in the left hand corner of your browser bar. “Connection is secure.” The landing page asks for personal information. Is it safe?
Secure, yes. Safe? To answer that, let’s pull back the curtain on a hypothetical situation.
Say that someone, somewhere in the world got the idea to steal personal information from unsuspecting victims. But how to do it? They found an available domain, “newgrills.com,” and purchased it. They built a few pages with pictures of outdoor parties, sizzling steaks, and even set up a small inventory of grills (that don’t exist). To pass cursory browser and visitor security tests, the criminal buys an SSL certificate.
There are many websites where one can do this, including GoDaddy or Namecheap, and the costs are quite low. Some SSL certificates are even free, while others cost $20; it depends upon the type. A standard SSL can be issued in under five minutes. This person simply has to prove that they own newgrills.com. Easy enough – they do! Deluxe SSLs would take several days because the issuer must validate not only domain ownership but also the existence of the organization on the SSL application.
In this case, the SSL issuer would have to ensure that New Grills is a valid business. It’s not a legitimate company, so the cyber criminal opts for the standard SSL. Five minutes and a few dollars later, the padlock icon is visible on the fake grill site, “HTTPS” anchors the URL, and the site looks legitimate. Visitors can “buy” these nonexistent grills by handing over their very real banking information with no fear that the data can be intercepted.
The site really is secure. The information you submit on newgrills.com can only be viewed by the domain owner. Hackers can’t intercept the data. But your sensitive information is being securely sent to a malicious actor. The padlock can’t save you now.
It’s a hypothetical situation, but these things happen all the time — more and more frequently. Cyber criminals take advantage of SSL certificates to create a false impression of legitimacy on malicious websites. In 2016, less than 3 percent of phishing websites used SSL certificates. In 2018? Over 49 percent. And in Q1 2019, a full 58 percent of malicious sites used them.
How can you tell if a site is malicious?
You can’t depend upon an SSL certificate to tell you if a website is legitimate or not, only that your communication will be encrypted while on the page. To determine if a site is trustworthy, look for the following:
- Suspicious typos
- Incomplete pages
- Broken links
- Requests to download software
So, how secure is SSL? In a nutshell, secure* with a big asterisk. SSL protects you from entering into unencrypted communication, but *it can’t protect you from a site being malicious in the first place.
It can feel overwhelming, but just as there are ingenious methods of scamming internet users, so too are the methods of protecting users. DNSFilter uses artificial intelligence to filter online content, analyze domains in real-time, prevent unauthorized communication, and protect users from phishing scams, malware, ransomware, and more.
You can educate yourself, be on the lookout for warning signs, and remain hypervigilant with your internet communications. But since even HTTPS and SSL padlock icons don’t give you the full picture, it’s worth your while to team up in the fight for online protection and get DNS protection.
When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for you...
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.