Poor Symbolism: HTTPS and Lock Icons
Have you ever been told to look for the lock icon or https in your browser address bar while surfing online? That this means the website you are visiting is secure and can be trusted? That is, if the lock or https is visible, go ahead and use the website: safely enter private information like a login, birthdate, social security number, or other sensitive data.
Did you know that this advice is misleading, especially for phishing awareness?
Nowadays it is trivial for a website, ANY website, to obtain a valid certificate and show the lock icon. In fact, it’s free with a service like Let’s Encrypt. Thanks to recent widespread privacy concerns (perhaps over government agencies collecting our information), there has been a movement to encrypt every website online. Notice I didn’t say, “thanks to the recent widespread phishing scams affecting corporations and individuals alike, there has been a movement to encrypt every website online.” That’s because the lock icon and https in the browser bar DO NOT protect against phishing scams.
Recently, I was listening to a popular information security podcast: RiskyBiz #444. The symbolism of the lock icon and how browsers portray it was a topic of discussion. Some people assume that this “certificate” means the website has undergone a security review and is somehow more secure than other websites.
Here’s what the lock icon and https in the browser bar mean: the communication between you and the website is encrypted, so it is private, and your browser has checked that the certificate was issued for the domain name shown in the address bar. It does not in any way guarantee that this domain belongs to the brand or service the website appears to be, or that the website has top-notch security in place.
Imagine you are in a crowded room.
This room is the internet. You want to talk to Sheila because she’s an articulate, smart, and fun person to be around. BUT you don’t want everyone else to hear your conversation because you’re going to share your private thoughts about politics. Fortunately, Sheila has a TLS certificate (lock icon), so when you talk to her, your conversation can’t be overheard by anyone else in the room. Now, you want to talk to Dave. Dave is pretty loud and very funny, and you don’t mind anyone overhearing this conversation because it’s about your March Madness bracket. He does NOT have a TLS certificate (no lock icon), so any conversation you have with him is overheard by others around you.
Sheila and Dave are both websites. Sheila is one that uses a TLS certificate to encrypt communications with you. When you visit Sheila, you’ll see a lock icon and https at the beginning of the web address in the browser bar. When you go to Dave, you won’t see the lock icon or https. He doesn’t use a certificate to encrypt communications with you. Your browser may even show a lock icon with a slash through it or warn you that your connection isn’t “secure.” As the podcast mentioned above pointed out, “secure” is somewhat of a misnomer here. Describing the connection as “private” is more accurate.
On the internet, your communication passes through many points before reaching its final destination (the website), which is why the analogy of a crowded room is used. Think about it: first the communication passes through your home router or your company firewall, then through your ISP, and then through whatever networks sit between your ISP and the website. If that communication is not encrypted (think scrambled), anyone at any point along the way has the ability to see and understand it. When it is encrypted, the communication is still seen at each of those points, but it is not understood because it’s scrambled.
How to apply this:
When you visit your banking website or healthcare portal and there is NO lock icon, that is a red flag that you are not at your service provider’s real website.
HOWEVER, the opposite is NOT true: a lock icon does not prove you are at the real website, especially if you arrived at your service provider’s site from an e-mail or text message link. You still need to validate the website by looking at its address, but that’s probably a topic for another post.
Websites that want to keep communications private will use a TLS certificate to do so. When this is properly set up, you’ll see a lock icon and “https://” at the beginning of the web address in your browser. It’s simple to get a TLS certificate for free using a service like Let’s Encrypt. If it’s easy for you, it’s also easy for a scammer to set up a fake website and get a TLS certificate for it. IF you see a lock icon and https in the web browser, remember, it only means your communication is private and not readable by third parties. It does not mean the website itself is “secure” or trustworthy. If there is no lock icon or https, information sent back and forth CAN be read by third parties. When viewing or sending private information, make sure the website has https:// at the beginning of the web address, AND that the address is the one you expect.
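To make the two separate questions concrete (is the link encrypted, and does it point at the domain I expect?), here is an added example, not code from the original post, that runs both checks over a handful of constructed links of the kind that arrive by e-mail or text message. The bank domain examplebank.com, the sample links, and the "last two DNS labels" rule for the registrable domain are assumptions for illustration only; real code should consult the Public Suffix List so that hosts under suffixes like co.uk are handled correctly.

```python
from urllib.parse import urlsplit

# Hypothetical domain of the bank the reader actually does business with.
EXPECTED_DOMAIN = "examplebank.com"

# Constructed sample links, as they might arrive in an e-mail or text message.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",                         # real site, encrypted
    "http://www.examplebank.com/login",                          # real site, but no https
    "https://www.examplebank.com.account-verify.example/login",  # lookalike: brand used as a subdomain
    "https://examplebank.com@evil.example/login",                # brand in the userinfo part; host is evil.example
    "https://examp1ebank.com/login",                             # typo-squat: digit 1 instead of letter l
]


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname, e.g. 'examplebank.com'.

    Simplification assumed for this example: production code should use the
    Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(url: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Answer the two questions separately: encrypted? expected domain?"""
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname drops userinfo and port, lowercases
    return {
        "host": host,
        "encrypted": parts.scheme == "https",
        "expected_domain": registrable_domain(host) == expected_domain,
    }


def verdict(url: str, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """'ok' only when both checks pass; otherwise name the failing check.

    The domain check is reported first: a wrong domain with a lock icon is
    exactly the phishing case the lock does nothing to prevent.
    """
    result = assess(url, expected_domain)
    if not result["expected_domain"]:
        return "wrong-domain"
    if not result["encrypted"]:
        return "no-https"
    return "ok"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess(link)
        print(f"{verdict(link):13} https={str(result['encrypted']):5} "
              f"host={result['host']}  {link}")
```

Notice that three of the five links would show a lock icon, and only one of those three is the real bank. The lock icon answers the encryption question; only the host portion of the address answers the legitimacy question, and the third and fourth links show two common ways a scammer makes that host look right at a glance.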
To make sure a website is legitimate, you’ll have to learn how to recognize web addresses just like you recognize physical/mailing addresses in the real world.
More on that later.