First, the good news. Starting with the mid-April release of Google’s Chrome 90 web browser, Chrome will default to trying to load the version of a website that’s been secured with a Transport Layer Security (TLS). These are the sites that show a closed lock in the Chrome Omnibox, what most of us know as the Chrome address (URL) bar. The bad news is that just because a site is secured by HTTPS doesn’t mean it’s trustworthy.
A few years ago, WordFence, a well-regarded WordPress security company, found that SSL certificates are being issued by certificate authorities (CA) to phishing sites pretending to be other sites. Because the certificates are valid, even though they’re operating under false premises, Chrome reports these sites as being secure. True, the data sent along that connection is secure, but safe? I think not!
Of course, CAs shouldn’t issue bogus security certificates. Unfortunately, it happens. A perfect example of “Why we can’t have nice things,” it’s been revealed that Let’s Encrypt, the free, open, and automated CA, had been used to create thousands of SSL certificates for phishing sites illegally using “PayPal” as part of their name. It’s not just PayPal. Google, Microsoft, and Apple have also had their names taken in vain by phishers.
It’s also not just that the CA process can be abused. Paul Walsh, founder and CEO of the zero-trust security company, MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, sees many other problems with our naïve belief that HTTPS alone is enough to secure our internet connections.
True, Walsh tweeted, “When DNS-based security services were first introduced, most of the web wasn’t encrypted, and threat actors didn’t use trusted domains like Google, Microsoft, GitHub, et al. So they were effective in the past, but less effective today.” When the leading free CA, Let’s Encrypt, began in 2015, less than a fifth of websites were secured by HTTPS. Today, 82.2% of sites are covered.
That was then. This is now. And there are other problems.
First, Walsh believes that what Google is doing is “great in theory, but their execution sucks. I think it’s unethical for a single company that represents a single stakeholder to railroad what they think is the right thing for every website creator and every person that uses the web.” Walsh isn’t the only one that feels that way, while many people think of this as a small, but real, step forward in web security, others think, “Forcing https on people’s throats is a stupid idea.”
Besides, as Walsh observed in his analysis of website security, “the basic [URL] padlock is designed to tell users when their connection to a website is encrypted. A padlock doesn’t represent anything related to trust or identity. Browser designers didn’t do a good job with the design of their UI. They should have made website identity more obvious — such as a separate icon on the toolbar — making it completely separate to the padlock.”
In other words, you can be “safely” secured to a site that’s pretending to be the real Amazon, eBay, or PayPal. That’s a fail.
This happens not just because of the fake sites with real HTTPS certificates. Walsh points out that Modlishka attacks create a reverse-proxy between you and the website you want to visit. It looks like you’re connected to the real thing because you get authentic content from the legitimate website but the reverse-proxy is silently redirecting all your traffic to and from the Modlishka server. Thus, your “credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse proxy also asks users for 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims’ accounts.”
Besides that, Walsh is not at all convinced that free and easy HTTPS certificates is a good thing at all. Walsh wrote, “The volume of cyberattacks that use automatically issued free DV certificates has weakened the Trusted Computing Base (TCB) of the internet in my opinion. And free DV certificates are an existential threat to the safety and wellbeing of society.”
The answer? According to Walsh, CAs should:
- Tighten up their identity verification processes.
- Reduce the cost, time, and effort of acquiring identity verification.
- Browser vendors should design a meaningful icon for identity verification for the browser toolbar — away from the padlock.
- Browser vendors should improve the user experience so websites’ real identity is intuitive.
Then, and only then, will the web be well on its way to being truly secure.