First the good news. Starting with Google's release of Chrome 90 in mid-April, Chrome will by default try to load the version of a site that is secured with Transport Layer Security (TLS).
These are the sites that show a padlock in the Chrome address bar (URL bar).
The bad news is that just because a site is protected by HTTPS does not mean that it is trustworthy.
A few years ago, Wordfence, a well-known WordPress security company, found that certification authorities (CAs) had issued SSL certificates to phishing sites that pretend to be other sites.
Because the certificates are valid, even though they are installed on fraudulent sites, Chrome lists these sites as secure. So the data you send over such a connection is not safe.
Of course, CAs are not supposed to issue certificates to fraudulent sites. Unfortunately, it happens.
A perfect example: Let's Encrypt, a free, open and automated CA, was found to have issued thousands of SSL certificates for phishing sites whose names illegally included "PayPal". And it's not just PayPal: Google, Microsoft and Apple have all had their names embedded in the malicious URLs of phishing pages.
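As an added illustration of the brand-in-hostname pattern described above (this is example code written for this page, not code from the article, Wordfence or Let's Encrypt), the following Python function flags certificate Subject Alternative Names that embed a brand keyword outside that brand's own registrable domains, the kind of check a certificate-transparency monitor would run. The hostnames, the brand allowlist and the simplified two-label registrable-domain rule are assumptions for the example.

```python
# Constructed allowlist: brand keyword -> registrable domains the brand actually owns.
# Assumption for this example; a real deployment would maintain a vetted list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "google": {"google.com", "googleapis.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "apple": {"apple.com", "icloud.com"},
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.paypal.com' -> 'paypal.com'.
    Simplification: a real checker would use the Public Suffix List so that
    names such as 'paypal.co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_sans(san_names, brand_domains=BRAND_DOMAINS):
    """Return (hostname, brand) pairs where a brand keyword appears in the hostname
    but the hostname is not under one of that brand's own registrable domains.
    A hit is a lookalike worth review, not proof of phishing (e.g. 'apple' also
    matches 'pineapple'), so the output feeds a triage queue rather than a blocklist."""
    findings = []
    for name in san_names:
        host = name.lower().lstrip("*.")  # wildcard SANs: check the base name
        base = registrable_domain(host)
        for brand, owned in brand_domains.items():
            if brand in host and base not in owned:
                findings.append((name, brand))
    return findings


# Constructed sample: SAN entries as they might appear in certificate-transparency logs.
SAMPLE_SANS = [
    "www.paypal.com",                   # legitimate
    "paypal.com.secure-login.example",  # brand used as a subdomain label
    "secure-paypal-update.net",         # brand embedded in the registrable domain
    "mail.google.com",                  # legitimate
    "*.google-account-verify.com",      # wildcard lookalike
    "example.org",                      # unrelated
]

if __name__ == "__main__":
    for host, brand in suspicious_sans(SAMPLE_SANS):
        print(f"review: {host} (looks like {brand})")
```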
And the CA process is not the only thing that can be abused. Paul Walsh, founder and CEO of security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, says there are many other problems with our naive belief that HTTPS alone is enough to secure our internet connections.
Walsh wrote on Twitter: "When DNS-based security services first appeared, most of the web was not encrypted and attackers did not use trusted domains such as Google, Microsoft, GitHub, etc. It used to be that way in the past, but it's less effective today."
When the top free CA, Let's Encrypt, launched in 2015, less than a fifth of sites had HTTPS. Today, 82.2% of websites are covered.
But that was then. There are other problems today.
First, Walsh believes that what Google is doing (enforcing HTTPS) is “theoretical, but its execution sucks. I think it is immoral for a company to make people think that it is right for every website creator and every person who uses the web.”
Walsh is not the only one who feels like this: "Enforcing https is a stupid idea."
In addition, as Walsh observed in his site security analysis, “the [URL] padlock is designed to inform users when their link to a site is encrypted. A padlock does not represent trust or identity. They should make the site's identity more obvious - like a separate icon on the toolbar - making it completely separate from the padlock.”
In other words, you can secure a site that pretends to be the real Amazon, eBay or PayPal. That is a failure.
This is not just a matter of fake websites with real HTTPS certificates. Walsh points out that Modlishka attacks place a reverse proxy between you and the site you want to visit.
You appear to be connected to the real thing, because you are receiving genuine content from the legitimate site, but the proxy silently relays all your traffic to and from the Modlishka server.
Thus, your “credentials and sensitive information, such as a password or a wallet address entered by the user, are automatically passed on to attackers. The reverse proxy server also asks users for 2FA tokens when prompted by the site. Intruders can then collect these 2FA tokens in real time to access the victims' accounts.”
Apart from the above, Walsh is not at all convinced that free and easy HTTPS certificates are a good thing:
"The volume of cyberattacks that use automatically issued free certificates has weakened the Internet's most trusted computing base (TCB) in my opinion. And free certificates pose an existential threat to the security and well-being of society.”
The answer? According to Walsh, CAs should:
- Tighten their identity-verification procedures.
- Reduce the cost, time and effort of obtaining identity verification.
- Browser vendors need to add a separate identity icon to the browser toolbar, next to the padlock.
- Browser providers need to improve the user experience so that the true identity of a site is intuitive.
Then, and only then, will the Web be on its way to being truly secure.