Cybersecurity: The web has a padlock problem - and your internet safety is at risk

We've been taught to look out for that little padlock to ensure a website is secure. But it's dangerous to rely on just one detail.
Written by Danny Palmer, Senior Writer

Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks. 

Websites that want to demonstrate their secure credentials will usually do so by displaying a padlock in the address bar, which indicates that the website is using HTTPS encryption.

The Hypertext Transfer Protocol Secure (HTTPS) is the more secure version of the Hypertext Transfer Protocol (HTTP), the protocol used across the web to load pages via hypertext links – it transfers information between devices, allowing users to enter and receive information.


HTTPS encrypts that information, allowing sensitive data such as bank logins, emails, or anything else involving personal information to be transferred securely. If this information is entered on a website that uses only standard HTTP, there's a risk that it becomes visible to outsiders, because it is transferred in plain text.

Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.

However, as security researcher Scott Helme warned in his keynote address at the SANS Institute and National Cyber Security Centre (NCSC) Cyber Threat 19 conference in London, this information is potentially misleading, because it isn't difficult for cyber attackers to register HTTPS domains for use in phishing attacks and other hacking campaigns.

But because web users have been told the padlock is a sign of safety, they're potentially vulnerable to falling victim to attacks.

"This is why phishers are using it on phishing sites, because they know that people who use the websites think that means it's OK when it's not," said Helme. "The padlock doesn't guarantee safety, it never has, that's just a misunderstanding of the interpretation of what this actually means."

In December 2017, a television advert for Barclays Bank in the UK warned users to check for a green padlock to ensure that the website is genuine. There were complaints that this advice was misleading, because it would be possible for attackers to exploit HTTPS for their own ends.

The complaint was upheld by the Advertising Standards Authority, which concluded that the advice from Barclays was inaccurate because "the padlock measure alone could not ensure safety".

It turns out that it's relatively easy for a criminal to obtain HTTPS for a malicious website to help it look entirely legitimate. By buying a Transport Layer Security (TLS) certificate, attackers can encrypt traffic to their fake website and make it look legitimate. And because the traffic is encrypted, the browser can be fooled into believing that website is safe.
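The point above is that a certificate proves only that the connection is encrypted to whoever controls that hostname, not that the hostname is the one the user meant to visit. The following is an added example (not from the article or from the speakers quoted) that separates those two questions: it parses a URL and reports "encrypted" (scheme is HTTPS) and "host matches" (the host is the expected domain or one of its subdomains) independently, so a lookalike domain with a valid padlock is flagged even though the padlock is present. All domain names are constructed placeholders; the `padlock_verdict` function and the `expected_host` parameter are assumptions of this example.

```python
from urllib.parse import urlsplit


def _normalise_host(host):
    """Lower-case a hostname and drop any trailing dot so comparisons are exact."""
    return (host or "").lower().rstrip(".")


def padlock_verdict(url, expected_host):
    """Answer the two separate questions a user conflates when they see a padlock.

    Returns a dict with:
      encrypted      - True if the scheme is HTTPS (what the padlock actually tells you)
      host           - the parsed hostname, normalised
      host_matches   - True if the host is expected_host or a subdomain of it
      safe_to_enter_credentials - True only when both conditions hold
    """
    parts = urlsplit(url)
    encrypted = parts.scheme.lower() == "https"
    # urlsplit().hostname already strips the port and any userinfo, so we
    # compare the real host, not whatever appears first in the address.
    host = _normalise_host(parts.hostname)
    expected = _normalise_host(expected_host)

    # Exact match, or a label-boundary subdomain of the expected host.
    # A host that merely *contains* the expected name (e.g. a lookalike
    # registered under another domain) does not satisfy this test.
    host_matches = host == expected or host.endswith("." + expected)

    return {
        "encrypted": encrypted,
        "host": host,
        "host_matches": host_matches,
        "safe_to_enter_credentials": encrypted and host_matches,
    }


def explain(verdict):
    """One-line human reading of a verdict, in the spirit of the article's warning."""
    if verdict["safe_to_enter_credentials"]:
        return "Encrypted and on the expected domain."
    if not verdict["encrypted"]:
        return "Expected domain, but the connection is plain HTTP: data travels in clear text."
    return "Padlock present, but host %r is not the expected domain: the padlock says nothing about who this is." % verdict["host"]


# Constructed sample URLs (all placeholders, not real sites).
SAMPLES = [
    ("https://www.bank.example/login", "bank.example"),          # encrypted, right host
    ("http://www.bank.example/login", "bank.example"),           # right host, plain text
    ("https://bank.example.secure-login.example/login", "bank.example"),  # padlock on a lookalike
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        v = padlock_verdict(url, expected)
        print(url, "->", explain(v))
```

The check deliberately compares on a label boundary ("." + expected) rather than with a substring search, because a name that simply contains the expected domain somewhere inside it is exactly the case the padlock cannot distinguish for the user.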

"Cyber criminals started to use HTTPS and their trust scores can be higher than normal websites, they really care about this stuff," said James Lyne, CTO at SANS Institute.

So asking the user to notice when something is wrong puts unfair pressure on them, especially since, as Helme argued, this doesn't happen in other aspects of life.

He pointed to cars, which have no warning light to tell the driver that everything is OK. A light only comes on when the driver needs to be aware of an issue; there's no light or alert that appears just to show that things are working as expected – and that model should also be applied to the internet.


"We should only be bugging the user with new information when there's a problem, not when everything is OK, not when the connection is secure. It should be that all connections are secure and that's the default and a non-encrypted connection is the exception," Helme explained.

"We need to flip the model around, we need encryption to become the default and non-encrypted HTTP to become the exception, the thing that we warn about – like the warning light on your car, indicating there is a problem," he added.

Even now, encryption is sometimes discussed as if it's a bonus when using the internet, when it needs to become the standard way of doing things everywhere on the internet, Helme explained.

"We need it to become so ingrained and embedded into everything that we do that it's boring and we don't need to talk about it because it shouldn't be special. Encryption should be the boring default that we don't need to talk about," he said.

The security industry therefore needs to step up and help fix the issue, Helme argued, because by doing this, it takes the responsibility for deciding if a website is safe or not away from the user – something that will help make the internet safer for everyone.

"We need to take encryption and make it the default, universal – it needs to be everywhere," he said, adding: "The lack of encryption on the web is actually a bug. And what we're doing now isn't adding a new feature for an improvement or a new thing: we're going back and fixing a mistake we made in the beginning."

In the meantime, it's going to remain difficult to convince internet users that something they've been told indicates a trustworthy website can't actually be used as an indicator of whether the page is safe or not.

"We've beaten into people that's safe, only go to websites with a padlock. But now it turns out that a cyber criminal can go out and buy a padlock for a dollar. That turns it around, so how do you unwire all of that?" said Paul Chichester, director of operations at the NCSC.

"Cybersecurity is a really challenging discipline to operate in. If you think about driving a car and, over many years of driving, you learn certain things and it doesn't generally change, the practices keep you safe. Nobody tells you not to use the brakes any more," he added.


To fix that, the industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn't going to help, especially if people stick to adhering to the first thing they were told – like believing the padlock automatically means the website is safe.

"We're pivoting in much shorter periods of time and, even within our community, sharing practices can be tough, particularly when a new practice isn't as simple to convey as the original because those ideas stick," said Lyne. "That's where the average person has lost reasonable expectation – it's genuinely hard."
