Green padlock symbol doesn't guarantee security. So what does?
Recently, the NOS reported the results of an analysis of thousands of websites from four blacklists. One finding was that 4,300 of the sites were using 'green padlocks' to show that they had valid SSL certificates. According to the NOS, the green padlock symbol suggests that a site is secure, when that isn't necessarily the case. The analysed websites were already blacklisted, but would previously have been trusted by many consumers. So, if you can't put your trust in the padlock, where do you look for reassurance? And what can a website manager or webshop proprietor do to promote confidence?
Crooks abuse green padlocks
Internet users are often advised to look for the green padlock, because it supposedly shows that a website is secure. After all, installing an SSL certificate has traditionally been expensive and time-consuming, and therefore unattractive to crooks. Nowadays, however, certification is a cinch with a free tool such as Let's Encrypt. The downside of that convenience is that internet scammers have started using green padlocks to make themselves look trustworthy. Visitors see the familiar icon, drop their guard and assume that it's safe to use the site or shop.
Extended validation is best
"It's important to change the way people view the green padlock," says Pim Pastoors, Product Manager at SIDN. "It doesn't guarantee that the website content is secure. Only that the connection is secure. So, for example, you can enter private information on the site without worrying that someone might read it on the way from your PC to the server. I would advise businesses and webshops to go for extended validation (EV) certificates. An EV certificate is issued only after thorough vetting. The applicant has to provide full company details and show that they really are acting for the company in question. Even when visiting a site with an EV certificate, a user should look critically at the content, but you can have more confidence about the site itself. It's only with an EV certificate that both the company name and the green padlock appear in a browser's address bar, and the user can be sure that they're on the right company's site."
Only one of the Netherlands' ten leading news sites has an EV certificate
"We recently found that, out of the country's ten biggest news sites*, just one had an EV certificate," continues Pim. "With so much fake news around these days, you would expect news outlets to be keen to show how trustworthy they are."
Table: news sites / EV certificate
* ‘De 80 grootste websites en meest gebruikte apps van Nederland’, ('The 80 biggest websites and most used apps in the Netherlands'), Consultancy.nl, consulted on 6 June 2018
Adding a green padlock to a fake website is easy
As well as looking for the green padlock, internet users are advised to check a site's domain name. Even then, there are pitfalls. Crooks often register domain names that are barely different from those used by legitimate organisations. To show how easy that is, the NOS registered the domain names 'mijn-ing.nl', 'bankierenrabobank.nl' and 'binck-bank.nl' without being challenged. It's easy to see how those names, especially when combined with valid SSL certificates, could be used to trick people looking for the genuine bank log-in pages 'mijn.ing.nl' and 'bankieren.rabobank.nl'. Distinguishing between legitimate and scam domain names can be hard, and a green padlock doesn't tell you which is which.
It pays to actively monitor your domain name
"The banking industry has now got its house in order," Pastoors clarifies. "Most banks proactively monitor their domain names, enabling them to act quickly if someone registers a name similar to their brand. However, the majority of corporates, government agencies, smaller companies and webshops aren't so alert, and scammers take advantage of that. One good way to monitor your domain name is by subscribing to our Domain Name Surveillance Service. A lot of people imagine that monitoring is expensive, but it isn't really. There are suitable and affordable options for organisations of all kinds. And the cost of monitoring has to be weighed up against the potential reputational and financial cost of not monitoring."
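The kind of check a domain-name monitoring service performs can be illustrated with a small script. This is an added example, not code from SIDN or its surveillance service: it takes the two genuine bank log-in hostnames quoted above as the brands to protect and flags newly seen registrations that match them once dots and hyphens are ignored (the trick behind 'mijn-ing.nl' and 'bankierenrabobank.nl') or that are a close edit-distance match. The candidate feed is constructed for the example, and a single-label TLD such as .nl is assumed.

```python
import difflib

# Legitimate bank log-in hostnames quoted in the article: the brands to protect.
BRAND_HOSTNAMES = ["mijn.ing.nl", "bankieren.rabobank.nl"]

# Assumption: every name sits under one single-label ccTLD.
TLD = ".nl"


def collapse(hostname: str) -> str:
    """Lowercase, drop the TLD and strip '.' and '-', so names that differ only
    in where the separators sit (mijn.ing vs mijn-ing) compare equal."""
    name = hostname.strip().lower().rstrip(".")
    if name.endswith(TLD):
        name = name[: -len(TLD)]
    return name.replace(".", "").replace("-", "")


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the collapsed forms; 1.0 means identical."""
    return difflib.SequenceMatcher(None, collapse(a), collapse(b)).ratio()


def classify(candidate: str, brands=BRAND_HOSTNAMES, threshold: float = 0.85):
    """Return (verdict, closest brand, score) for one newly seen registration."""
    best_brand, best_score = max(
        ((b, similarity(candidate, b)) for b in brands), key=lambda t: t[1]
    )
    if collapse(candidate) == collapse(best_brand):
        return ("separator-lookalike", best_brand, best_score)
    if best_score >= threshold:          # typo-style variants of the brand name
        return ("near-match", best_brand, best_score)
    return ("no-match", best_brand, best_score)


def review_feed(registrations):
    """Keep only the registrations worth a human look, with the reason."""
    flagged = []
    for domain in registrations:
        verdict, brand, score = classify(domain)
        if verdict != "no-match":
            flagged.append((domain, verdict, brand, round(score, 2)))
    return flagged


# Constructed sample feed: the two names the NOS registered, one typo variant
# and one unrelated domain that must not be flagged.
SAMPLE_FEED = ["mijn-ing.nl", "bankierenrabobank.nl", "mijn.lng.nl", "shopping.nl"]

if __name__ == "__main__":
    for row in review_feed(SAMPLE_FEED):
        print(row)
```

The separator check is exact and cheap; the similarity threshold is a tunable heuristic that catches single-character typos but not homoglyph or IDN tricks, which need a separate check.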