FBI issues warnings for HTTPS phishing

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

"Don't trust a website just because it has a lock logo or 'https' in the browser's address bar."

On June 10th, the Federal Bureau of Investigation (FBI) issued a public warning about the rise in HTTPS phishing cases.

A few weeks ago, the Anti-Phishing Working Group released a report saying that 58% of the phishing sites it tracked in the first quarter of 2019 used HTTPS, and some estimates put the figure as high as 90%.

It's hard not to attribute this to free SSL certificates. We appreciate that providing free certificates is a good thing, designed to help the underserved parts of the Internet, but as the FBI pointed out, the existence of phishing has forced people to change the way they used to look at security.

Websites that start with "https" should provide privacy and security for visitors. After all, the "S" in HTTPS stands for "Secure". In fact, network security training focuses on encouraging people to look for the lock logo in the browser address bar of these secure websites. The presence of "https" and the lock graphic should indicate that web traffic is encrypted and that visitors can share data securely. Unfortunately, cyber criminals take advantage of public trust in "https" and lock icons. They apply for certificates, create third-party security-certified websites, design those websites carefully, and imitate trusted companies or email contacts in emails sent to potential victims, luring users to a malicious website that looks secure in order to obtain sensitive login or other information.

Frankly, this should be enough for us to re-evaluate the trust indicators we all look for and use. We need to pay more attention to server (and client) identity. Enterprises and websites themselves bear more responsibility for maintaining their identity. Ironically, due to the inaction of the relevant industry forums, a completely unintended result is that EV certificates are becoming one of the only ways to successfully prove identity.

Although the EV certificate is not perfect, it does require the organization to undergo a comprehensive review by a trusted entity. That does mean something, and we missed a huge opportunity by not educating the public to use EV as an indicator of trust.
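The difference between "the traffic is encrypted" and "the operator's identity was vetted" can be read from a certificate's subject, as in this added example (not part of the original article). It classifies certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates and the level names are constructed for illustration, and the field check is a heuristic.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in addition
# to organizationName (names as OpenSSL reports them via getpeercert()).
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def identity_level(cert):
    """Classify what the certificate says about WHO runs the site.

    Heuristic on subject fields only: the authoritative marker is the
    certificatePolicies OID (2.23.140.1.1 for EV), which getpeercert()
    does not expose.
    """
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "domain-only"  # padlock shown, but no vetted organization
    if EV_FIELDS.issubset(fields):
        return "extended-validation"
    return "organization"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a chain-validated peer certificate from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() shape (not real sites).
DV_CERT = {"subject": ((("commonName", "login.example.test"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Org"),),
                       (("commonName", "www.example.test"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Bank, Inc."),),
                       (("commonName", "www.example.test"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        org = subject_fields(cert).get("organizationName", "(none)")
        print(f"{label}: level={identity_level(cert)} organization={org}")
```

All three sample certificates would produce the same "https" and lock in the address bar; only the subject fields differ.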

Once again, making sure that customers know to look for the EV identity in the browser's address bar falls more on individual organizations. We have seen this done before using inserts and static header files, or the notification can be delivered through a quick email to the mailing list.

The biggest criticism of EV is that "people don't know to look for it," and it is treated as if it were an insurmountable problem. It's really not. EV is the best way to prove your identity and protect your own company from phishers. This is a very valuable tool.

If EV were playing its role, the incidence of phishing would not be increasing at the current rate. Free SSL certificates make these phishing sites more and more convincing, and millions of phishing sites are created almost every month.

It is no longer enough to have HTTPS and green padlocks; you need to prove your identity. Although the method is limited, the TrustAsia EV certificate has always been one of the best.

[from SSL China]
