The ability to obtain a certificate for free and serve a site over HTTPS could lead to malicious sites appearing to be secure.
Sebastian Bortnik, security analyst at ESET Latin America, claimed in a recent blog post that while advice on checking in the address bar for the presence of the HTTPS protocol still holds true, it is very frequently misinterpreted as meaning that ‘whenever a site has HTTPS, it is safe’.
Bortnik explained that HTTPS (HyperText Transfer Protocol Secure) is intended to ensure that the information transmitted from a user's computer to a remote website is encrypted during transmission. Bortnik said: “An analogy might be that if you were sending a letter, the protocol would be like a sealed envelope that guarantees that the contents can't be read by anyone until it reaches the recipient.
“However, once information reaches the web server, it is no longer encrypted. Therefore, if the server belongs to an attacker rather than the legitimate individual or organisation you think you're sending information to, it's easy for him to read this information.”
He claimed that malicious web servers have generally had to work directly with the HTTP protocol, where information in transit is not encrypted. However, while it doesn't commonly happen, an attacker can use the HTTPS protocol on a false (spoofed) or malicious website.
It was recently reported that Microsoft's Internet Explorer is to support free certificates following the addition of StartCom as a trusted certificate authority in the Internet Explorer browser. This will mean that Internet Explorer now accepts StartCom certificates ‘without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system's certificate memory will also accept the certificates without asking further questions’, according to H-online.
Bortnik said: “The opportunity of getting certificates for free provides a significant potential opportunity for attackers. They can now register a domain, create an email account and set up malicious servers to work with the HTTPS protocol (and a valid certificate).
“Thus, if potential victims see the all-important letter ‘S’ (HTTPS), and this persuades them that the website is safe, this will provide attackers with a great opportunity to commit some form of malicious act.”
Commenting, Tim Callan, vice president of SSL product marketing at VeriSign, said: “The https in a web browser means that the information entered by the end-user will be encrypted for its journey to a website's server; it does not mean that the site has undergone any level of authentication.
“This means that impostor sites can secure a transaction, but the transaction details would still fall into the wrong hands. With Extended Validation SSL, organisations undergo a rigorous verification process. If an extended validation certificate is issued, the address bar of the website turns green to easily show that the website is who it claims to be. Users seeing the green address bar can be confident that they are on the site they intended to be on and not an impostor site.”
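The distinction Bortnik and Callan draw, that a valid certificate proves only that the connection is encrypted to whoever controls the named host, and says nothing about the organisation behind it unless the certificate was organisation- or extended-validated, can be shown by inspecting what a certificate actually contains. The following is an added example, not code from the article or from ESET or VeriSign; it uses constructed certificates in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns and placeholder host names.

```python
import ssl
import time

# Constructed certificates (not real sites) in the layout that
# ssl.SSLSocket.getpeercert() returns: subject/issuer are tuples of RDNs,
# each RDN a tuple of (attribute, value) pairs.
DV_CERT = {  # domain-validated: the CA only checked control of the name
    "subject": ((("commonName", "secure-login.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "subjectAltName": (("DNS", "secure-login.example"),
                       ("DNS", "*.secure-login.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
OV_CERT = {  # organisation-validated: the CA also verified a legal entity
    "subject": ((("organizationName", "Example Bank plc"),),
                (("commonName", "bank.example"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "bank.example"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def _dns_match(pattern, hostname):
    """RFC 6125-style match: a single leading '*' label matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern.split(".")[1:]
    labels = hostname.split(".")
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix

def describe_assurance(cert, hostname, now=None):
    """Report what a trusted certificate actually attests for this connection."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {
        "in_validity_period": not_before <= now <= not_after,
        "hostname_matches": any(_dns_match(p, hostname) for p in sans),
        # None for a DV certificate: the padlock then proves the domain
        # name only, not who operates the site
        "verified_organisation": subject.get("organizationName"),
    }

if __name__ == "__main__":
    for cert, host in ((DV_CERT, "secure-login.example"), (OV_CERT, "bank.example")):
        print(host, describe_assurance(cert, host))
```

For the domain-validated certificate the report shows a matching host name and no verified organisation, which is exactly the gap a spoofed site with a free certificate exploits.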
Callan also claimed that there are numerous other ways to check whether a site is safe or not, including checking for spelling mistakes and overly long URLs among a variety of telltale signs.