September 11, 2021

Question re: HTTPS

In my firm they are ‘educating’ people that HTTPS is safe. My understanding was that cyber criminals could purchase SSL certificates and it’s not a foolproof way of establishing if a website is ‘safe’ or not.

What’s the score please Reddit?

Thanks.

Comments

DocSharpe

Absolutely, there are multiple ways a bad actor could obtain an SSL certificate.

All the certificate does is ensure that the connection between you and the destination is secure…it is NOT a validation of the destination’s morality. Is it more work for a bad actor to set up a site with an https address? Sure. Are some still doing it? You betcha.

So does that mean it isn’t “safe”?

Well, that depends on what you mean by safe.

* If you mean…do you have to worry that your transmission is being snooped on by a third party? Then most of the time, yes. Traffic between you and your destination is secured from prying eyes. (Although if you are on a public wifi…you should still leverage a VPN)
* If you mean…can you assume every link you get in email with “https” is safe? **Then ABSOLUTELY not.** You still have to pay attention to what you are doing…if you don’t know the sender, or the email looks weird, or it is telling you to “click here to fix a problem with your account”…you should question that.

pdept050

In brief, HTTPS secures your communication with the remote server. It does in no way provide any guarantee that the remote server is being operated by an honest person or company.

You can communicate with a reputable company over HTTP or HTTPS. You can communicate with a scam artist or criminal over HTTP or HTTPS. The security of the communication method is completely independent of the trustworthiness of the other party.

Years ago (*many* years ago) you typically only saw HTTPS being used by web services owned by large companies. Those days are long over. HTTPS is very common. The majority of phishing sites use HTTPS now ([https://www.helpnetsecurity.com/2020/02/26/phishing-ssl/](https://www.helpnetsecurity.com/2020/02/26/phishing-ssl/)) because so many people had been taught “the padlock means you’re safe”. This is also why most browsers no longer color the padlock green.

nz_kereru

For about 20 years security people have said “padlock means it’s safe”. And this has never been true.

More recently it is less true due to free TLS certs.

All the padlock means is that content is encrypted from browser to webserver. (And that’s not 100% true.)

carmineragoo

I think terminology is important here: “safe” is not a useful security term because nothing is 100% safe. Ever. Not in physical security or cyber security.

But context is important too:

* All companies should educate employees on good infosec hygiene.
* Many employees have low technical knowledge and low interest in security
* A trainer might use the word “safe” to purposely oversimplify a concept to an audience

ESET’s free beginner employee security awareness course states it better this way:

* “No personal or sensitive information (such as your phone number, email, credit card, or social security number) should be typed into a page that is not secured with HTTPS.”
* “Even though a page is secured by HTTPS, it does not automatically mean that the page is safe. It ensures that the information you send gets to the receiving website securely. But if the receiving website is not reputable, they could use it maliciously.”
* “When in doubt, search for the name of the website in a search engine, and review the results that are unaffiliated with the website.”

Next we could talk about all the other channels of compromise like man-in-the-middle attacks and hacked reputable websites that HTTPS does nothing to stop. But any corporate security trainer that takes users too far down the cybersecurity rabbit-hole of jargon and advanced concepts will turn off and tune out an audience faster than you can say “OMGI’msoboredwhat’sonfacebook.”

So maybe give them a break if they feel the need to oversimplify.

Krek_Tavis

It is infinitely safer than HTTP. It does not make you invulnerable though.

You need to ensure all your certificate chain is secure, use the correct ciphers, etc…

And of course it does not protect you against attacks on the software etc…

So the question you should ask is: HTTPS is safe from what exactly?

StripedBadger

More incorrect than correct, I’d say.

HTTPS encrypts the data that you are sending. It ensures that your data can’t be stolen half-way, but it doesn’t stop the website from doing whatever they want with the info they get.

It doesn’t prove the website is a trustworthy site, or even if they’re who they say they are. It is one *part* of a security chain, not a bullet-proof vest.

Daerys82

>it’s not a fool proof way of…

It isn’t. Nothing is. There’s no such thing as foolproof or 100% secure.

Turn the computer off, remove the hard drive, lock the drive in a safe, store that safe in another safe. And it’s still not 100% secure.

CyberCrawlist

They need to understand that each green icon does not mean it is safe. They can create their own certificate without any KA signature.

Unable_Repeat8567

I always think of https as looking through a pipe, you and the person on the other end can look to see what’s in the pipe, but outside observers cannot. Although probably not a great analogy but maybe it helps.

SpongederpSquarefap

https://paypal.com is legit

https://paypai.com is not legit

Anyone can get an SSL cert these days thanks to Let’s Encrypt

evildevil90

Any dummy can get HTTPS for free. Look at cloudflare, letsencrypt, netlify. They can get you ssl without anyone verifying you.
The point in HTTPS is that it guarantees nobody is sniffing traffic between you and the server and the responses you’re getting are actually coming from the domain specified in the cert.
(And not relayed by a middleman for example)

Scammers use Cyrillic characters in domain names and URLs to make them look authentic
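The two comments above (SpongederpSquarefap’s paypal.com vs paypai.com and evildevil90’s point that the certificate only ties responses to the domain name, plus the Cyrillic look-alikes) can be shown in code. The following is an added example, not code from the thread or from any of the sites mentioned. It does two things: a simplified RFC 6125 hostname-to-SAN comparison, to show that a certificate for paypai.com matches paypai.com perfectly and nothing in that check judges the owner; and a look-alike check that IDNA-encodes a domain (a Cyrillic ‘а’ turns pаypal.com into xn--pypal-4ve.com), flags labels that mix scripts, and measures edit distance to a small allow-list after mapping confusable letters. The domains, SAN lists, allow-list and the ten-entry confusables table are constructed for illustration; a real deployment would use the full Unicode confusables data.

```python
"""Added example, not from the thread: what the padlock does and does not check.

The TLS layer compares the hostname you typed with the dNSName entries in the
certificate's Subject Alternative Name (SAN) extension, using the RFC 6125 rules
(simplified here). A certificate for paypai.com matches paypai.com exactly, so
the padlock shows; nothing judges who owns it. The second half flags the
look-alike domains the thread mentions. All domains and SAN lists are constructed.
"""
import unicodedata


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Simplified RFC 6125 dNSName matching: case-insensitive, label by label,
    with a wildcard allowed only as the entire left-most label of a name that
    has at least three labels (so '*.com' never matches anything)."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if any("*" in lbl for lbl in pat[1:]):
            continue  # wildcard outside the left-most label is not allowed
        if "*" in pat[0] and (pat[0] != "*" or len(pat) < 3):
            continue  # partial wildcard ('pay*') or too-broad wildcard ('*.com')
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def to_ascii(domain: str) -> str:
    """IDNA-encode a domain the way a browser does before the DNS lookup and the
    SAN comparison: non-ASCII labels become 'xn--' punycode labels."""
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set[str]:
    """Approximate the Unicode scripts used by a label's letters from their
    character names ('LATIN SMALL LETTER P' -> 'LATIN'); digits/hyphens ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


# Small hypothetical subset of Unicode's confusables.txt: Cyrillic lower-case
# letters whose glyphs look like Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

TRUSTED = ("paypal.com",)  # constructed allow-list of domains the user actually trusts


def skeleton(domain: str) -> str:
    """Replace confusable letters with their Latin look-alikes so that two
    visually identical strings compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, trusted: tuple[str, ...] = TRUSTED) -> dict:
    """Flag a domain that is not on the allow-list but mixes scripts within a
    label or sits within one edit of a trusted brand after de-confusing."""
    ascii_form = to_ascii(domain)
    skel = skeleton(domain)
    mixed = any(len(scripts_in_label(lbl)) > 1 for lbl in domain.split("."))
    closest = min(trusted, key=lambda t: edit_distance(skel, t))
    distance = edit_distance(skel, closest)
    return {
        "ascii": ascii_form,
        "mixed_script": mixed,
        "closest_trusted": closest,
        "distance": distance,
        "suspicious": ascii_form not in trusted and (mixed or distance <= 1),
    }


if __name__ == "__main__":
    # A valid DV certificate for the look-alike: the TLS name check passes.
    print(hostname_matches("paypai.com", ["paypai.com", "www.paypai.com"]))
    for d in ("paypal.com", "paypai.com", "p\u0430ypal.com"):
        print(d, assess(d))
```

The point of the first half is that `hostname_matches` is the whole of what the browser asks of the name in the certificate; a CA that issued paypai.com its certificate did nothing wrong, and the check succeeds. The second half is the kind of check that belongs in a phishing filter or a user’s own judgement, not in TLS.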

ARSamogin

HTTPS only assures that the connection between you and the site is safe, this doesn’t mean that the site owner is trustable.

For example, one of the biggest fraud schemes here in Brazil was 123Importados, an online shop that pretended to sell their wares, especially TVs, at an extremely low price compared to other sites; they took the money of 10k people and never sent the products. Their site used HTTPS as you can see [here](https://web.archive.org/web/20200421053004/https://www.123importados.com/)

rlanthony

Think of the SSL as the HOV (High Occupancy Vehicle) lane on the highway with barriers on either side that prevent anyone from just merging into your lane. That’s what the SSL does… it keeps people from merging into your lane and learning information about you.

However, the SSL doesn’t have any idea of where the HOV lane is headed… it could be the ballpark or the end of a pier.

FunkyMonkey1360

ah man, I wanted to answer this and then I saw a whole bunch of weenies beat me to it! :P (I mean that in a joking way of course).

The boys all provided some good points

beserkernj

Thanks for coming to ask this question. Whoever is doing this educating, please make sure they are certified. This stuff can give us professionals a bad name.

Shinyinteleon

I would never truly say anything is safe. That’s such a heavy word in Cyber. You could argue that HTTPS is designed to be more secure connection between host and end user, but I’d never say something like “since it’s safe, my data can never be exposed”. Still, HTTPS encrypts communication, but remember someone out there might have the appropriate skills to decrypt communications.

blackheartx

I have never seen more terrible uneducated “answers” in a thread before.

SSL certificates are registered for the domain, and can be verified by a CA (Certificate Authority) which verifies that yes, the connection and certificate that has been downloaded to encrypt the session, is indeed the correct one, and has not expired. This uses a “public key infrastructure” of the site. A criminal, unless they hacked the website, can not generate this private key to un-encrypt a data packet.

Analogy time:

You can “buy” a forged birth certificate, but it is a lot harder to go to the state registrar and register said birth certificate.
