For years, Apple, Firefox, Google and Microsoft relentlessly made the point that in order to avoid rogue sites you must make sure your browser “padlock” is either locked, green or is otherwise indicating a site as being “secure.” Now, cybersecurity firms are stressing that those padlocks are not enough.

“You must look beyond the lock,” said Dean Coclin, senior director of business development at DigiCert. “They simply can’t be trusted anymore.”

That’s because, years after all major browsers have added visual safety cues to their address bars, the majority of bad guys are also using them.

On Monday, the Anti-Phishing Working Group (APWG) released a study (PDF) that tracked a large uptick in phishing attacks in Q2 of 2020. The surge involves rogue sites using the cryptographic protocol Transport Layer Security or TLS, most commonly referred to by its legacy name Secure Sockets Layer, or SSL.

SSL padlocks indicate that a browser is using a secure and encrypted communication pipe to the server hosting the desired website. SSL warnings are also complemented by the additional “HTTPS” indication within a browser address bar, meaning the browser is transmitting information safely using Hypertext Transfer Protocol Secure.

#cryptography #web security #anti-phishing working group #apple #business email compromise #certificate #extended validation certificates #firefox #google #https #web browser