Congratulations, you now have a direct encrypted connection to a cybercriminal's website, one that is specifically designed for phishing attacks, malware delivery, or other motivations such as data harvesting. Unfortunately, cybercriminals are not dumb, so most will use SSL encryption, as mentioned previously.

If the user still wants to connect to the 'insecure site,' it is possible, but the warning is given, which will deter most users. The sole benefit of HTTPS is that it more or less forces encrypted connections online as, without it, many browsers will refuse to access the site and display a warning. I could end this post right here, having proven that both criteria are worthless in terms of security.

Let's illustrate the necessary steps users should take when deciding whether to trust a website and, in some cases, how easy it is for cybercriminals to circumvent so-called verification processes.

According to PhishLabs, in the last quarter of 2019, 74% of reported phishing websites were 'secure,' being both HTTPS and with the lock symbol. It does confirm that the website owner has admin access to the webserver and has verified his/her identity in a way that varies according to the SSL cert selected. None do anything more than confirm ownership of a domain, and other than confirming encryption, do not confirm the security practices of that website in any way. As discussed in a previous article, SSL certs themselves come in many forms, from DIY efforts using OpenSSL (you can even be your own Certificate Authority) and free ones from Let's Encrypt to purchased solutions from 'recognized' certificate authorities.
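To see how little a certificate asserts on its own, the script below (an added example, not from the original post) builds a throwaway private CA with the `openssl` CLI, signs two leaf certificates, and reports what identity each one claims and which CA file it validates against. It assumes `openssl` is installed; the function names, host names and organisation name are constructed placeholders, and the `O=` check relies on domain-validated certificates carrying no organisation field in their subject.

```bash
#!/usr/bin/env bash
# Added example. Every name below is a constructed placeholder.

# Throwaway private CA: anyone can create one with OpenSSL.
make_ca() {  # usage: make_ca <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Leaf certificate for <subject>, signed by the CA in <dir>.
make_leaf() {  # usage: make_leaf <dir> <name> <subject>
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Print the subject or issuer name of a certificate in RFC 2253 form.
name_of() {  # usage: name_of subject|issuer <cert.pem>
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# What identity the certificate itself claims:
#   self-asserted  issuer == subject, nobody else vouched for it
#   organization   subject carries an O= attribute
#   domain-only    subject names a host and nothing else
cert_asserts() {
  if [ "$(name_of subject "$1")" = "$(name_of issuer "$1")" ]; then
    echo self-asserted
  elif name_of subject "$1" | grep -Eq '(^|,)O='; then
    echo organization
  else
    echo domain-only
  fi
}

# A chain is "valid" only relative to the CA file the client chooses to trust.
trusted_by() {  # usage: trusted_by <cert.pem> <ca.pem>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_ca "$demo"
make_leaf "$demo" login "/CN=login.example.test"
make_leaf "$demo" shop "/C=US/O=Example Constructed Ltd/CN=shop.example.test"
for c in ca login shop; do
  printf '%-6s %s\n' "$c" "$(cert_asserts "$demo/$c.pem")"
done
```

An `organization` result is only as meaningful as the issuer behind it: here the issuer is a CA created seconds earlier, so the `O=` value was never checked by anyone.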