With the release of Chrome v62 in less than 3 months, Google will begin marking non-HTTPS pages with text input fields—like contact forms and search bars—and all HTTP websites viewed in Incognito mode as “NOT SECURE” in the address bar. The company started sending warning emails to website owners in August as a follow-up to an announcement made back in April by Emily Schechter, Product Manager of the Chrome Security Team.
Google began marking sites in Chrome v56, which was issued in January of this year. They targeted HTTP sites that collect user passwords and credit card details.
To secure the information exchanged between their visitors and their web server, owners must install an SSL certificate. Failing to do so is risky for both parties: sites that send information in clear text may also expose it as it crosses the Internet.
Ms. Schechter also provided website owners with a handy guide on how to enable HTTPS on their servers. An additional guideline on how to avoid the “NOT SECURE” warning on Chrome is also available for web developers.
Looking at the way things are panning out, we can be confident that HTTPS will be the norm in no time. However, this doesn’t mean that all sites using SSL certificates can and should be trusted.
Google intended to separate phishing sites from legitimate ones with the marking of insecure sites, as Help Net Security noted in an article. Unfortunately, the introduction of new browser versions capable of flagging sites also promptly introduced more phishing sites using HTTPS. We’ve been seeing examples of this in the wild, as well, the latest of which was an Apple phishing campaign.
Discerning phishing pages from the real ones has become more challenging than ever. This is why it’s important for users to familiarize themselves with other signs that they might be on a phishing page apart from the lack of SSL certificates. Fortunately, users don’t have to look far from the address bar when they want to double-check that they’re on the right page before entering their credentials or banking details. Keep in mind the following when scrutinizing URLs and the elements around them:
- Look for letters in the URL that have been made to look like another letter or number, and for extra letters or numbers. For example, examplewebsite.com may appear as examplevvebsite.com. Catch that? The double ‘v’ looks like the letter ‘w.’ This is an example of typosquatting. Here’s another example: examp1ewebsite.com, where the ‘l’ in “example” is actually the number one.
- Look for an Extended Validation Certificate (EV SSL). You know that a trusted website has this when you see a company name beside the URL, as in the UK PayPal address below. Not all sites with SSL have this, unfortunately, but some of the trusted brands online already use EV SSL, such as Bank of America, eBay, Apple, and Microsoft.
Lastly, be aware that phishers may use a free SSL certificate in their campaign to make it appear legitimate. They may also hijack sites that already have SSL in place, adding more to the veil of legitimacy they want to attain.
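The lookalike-URL check from the list above can be automated; the following is an added example, not code from the original post. The protected-domain list and the substitution table are constructed for illustration, and the check deliberately ignores the URL scheme, since a valid certificate says nothing about who owns the name.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: one protected domain and a small,
# incomplete table of character sequences that imitate another letter.
PROTECTED = {"examplewebsite.com"}
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]

def skeleton(host: str) -> str:
    """Collapse common lookalike sequences to one canonical form."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch added or dropped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str) -> str:
    """Return 'match', 'lookalike:<domain>' or 'unknown' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in PROTECTED:
        return "match"
    for good in PROTECTED:
        # Same skeleton, different spelling: a swap such as 'vv' for 'w'.
        if skeleton(host) == skeleton(good):
            return f"lookalike:{good}"
        # One or two edits away: an extra, missing or replaced character.
        if 0 < edit_distance(host, good) <= 2:
            return f"lookalike:{good}"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs, including the two spellings from the list above.
    for u in ("https://examplewebsite.com/",
              "https://examplevvebsite.com/login",
              "https://examp1ewebsite.com/",
              "https://examplewebsites.com/"):
        print(u, "->", check_url(u))
```

A result of `unknown` only means the host does not resemble a name on the protected list; it is not a verdict that the site is safe.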
The Malwarebytes Labs
This is a Security Bloggers Network syndicated blog post authored by Malwarebytes Labs. Read the original post at: Malwarebytes Labs