Phraudsters put the lock on phishing. Is it Google's fault?

Richi Jennings, Industry analyst and editor, RJAssociates


How do you protect your users against phishing? Do you teach them how to avoid phake sites?

Make sure you’re not still giving old-skool advice like “look for the lock.” Research out this week shows half of phishing sites now carry a valid TLS certificate, so the browser shows them the padlock just like any other site.

Some say it’s Google’s fault, for mucking around with how the browser displays unencrypted sites. In this week’s Security Blogwatch, we suffer the unintended consequences.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Seth Everman (kinda) 


Hook, line, and stinker

What’s the craic? Brian Krebs peddles this news—Half of all Phishing Sites Now Have the Padlock:

Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice.

49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon … in a browser address bar. That’s up from 25 percent just one year ago.

The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened.

Seems legit. Here’s Lily Hay Newman—Phishing Schemes Are Using HTTPS Encrypted Sites to Seem Legit:

A massive effort to encrypt web traffic over the last few years has made green padlocks and "https" addresses increasingly common. … But as with any sweeping reform, the progress also comes with some new opportunities for fraud.

Some phishing sites come by HTTPS only incidentally. … Phishers often hijack legitimate sites for their own uses, so the more HTTPS is deployed around the web overall, the more likely that a phisher might compromise a site that implements it. But … phishers create their own sites almost as often as they steal those of others. In those cases, phishers actively chose to implement web encryption.

Google … led a big push over the last few years to promote and even require HTTPS. And the … Internet Security Research Group has been offering free verification certificates … through its Let's Encrypt initiative since last year.

These collective efforts have been paying off. … But advocates have long known that the privacy and security gains would come with some detrimental side effects.

Don't assume that any page that has HTTPS contains legitimate and authentic content. It's a green padlock, not a silver bullet.

Have we been giving users bad advice? Michael Argast—@michaelargast—is aghast: [You’re fired—Ed.]

There’s always been a long term trend of security professionals (myself included) providing advice only to be deprecated by changes in the wild:

“The Good Times virus is a hoax, you can’t get a virus from email...”

Oopsy. Andrew Allemann is all man:

Perhaps this false sense of security is why Google is starting to downgrade the positive designations it uses in Chrome to identify sites using SSL. It no longer shows a green padlock with “Secure” next to the URL. It’s just a gray padlock. Eventually, sites with SSL will show no designation in Chrome; sites without it will show “Not Secure.”

Let’s Encrypt … provides free certificates. The big difference in quality is between domain validated certificates and the certificates that require more validation.

But hang on—TLS also authenticates the site, right? Only up to a point, and not in a way the user can see, says @sk1773lz:

TLS provides:
- identification
- authentication
- confidentiality
- integrity
The problem is that major browsers have made these aspects opaque to the user while CAs like Let's Encrypt only ensure some aspects but not all.

Can we find someone to blame? Dare Obasanjo—@Carnage4Life—dares to try:

Basically, Chrome's push to force every website to use SSL to make the web "safer" is inadvertently making phishing sites look more legit. Unintended consequences are a mother.

So Dan East sarcastically cheers Good job web browsers:

And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. … I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.

Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.

Or perhaps it’s the ISRG’s fault? Here’s JohnPent’s pent-up emotion:

We have to get rid of Let's Encrypt and other services that do shared ssl certificates on the fly.

If I set up malware sites or fraud sites, I could easily get them https. For a few bucks I can get them a green lock verifying nothing.

Meanwhile, AsParallel asks for some individual care online:

At some point it just comes down to paying attention, and assuming the smallest margin of responsibility for your own safety. We can't bubble wrap the internet.

The moral of the story? Teach your users well. Their admins’ hell did slowly go by.

And finally …

hih hi ha he hew hew who

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Hivint (cc:by)
