The ability to register a site for free with an HTTPS protocol could lead to malicious sites appearing to be secure, according to security analysts.
Sebastian Bortnik, security analyst at ESET Latin America, claimed in a recent blog post that while advice on checking the address bar for the presence of the HTTPS protocol still holds true, it is very frequently misinterpreted as meaning that 'whenever a site has HTTPS, it is safe'.
Bortnik explained that HTTPS (HyperText Transfer Protocol Secure) is intended to ensure that the information transmitted from a user's computer to a remote website is encrypted during transmission. Bortnik said: "An analogy might be that if you were sending a letter, the protocol would be like a sealed envelope that guarantees that the contents can't be read by anyone until it reaches the recipient.
"However, once information reaches the web server, it is no longer encrypted. Therefore, if the server belongs to an attacker rather than the legitimate individual or organisation you think you're sending information to, it's easy for them to read this information."
He claimed that malicious web servers have generally had to work directly with the HTTP protocol, where information in transit is not encrypted. However, while it doesn't commonly happen, an attacker can use the HTTPS protocol on a false (spoofed) or malicious website.
It was recently reported that Microsoft's Internet Explorer is to support free certificates following the addition of StartCom as a valid certifying authority to the Internet Explorer browser. This will mean that Internet Explorer now accepts StartCom certificates 'without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system's certificate memory will also accept the certificates without asking further questions', according to H-online.
Bortnik said: "The opportunity of getting certificates for free provides a significant potential opportunity for attackers. They can now register a domain, create an email account and set up malicious servers to work with the HTTPS protocol (and a valid certificate).
"Thus, if potential victims see the all-important letter 'S' (HTTPS), and this persuades them that the website is safe, this will provide attackers with a great opportunity to commit some form of malicious act."
Commenting, Tim Callan, vice president of SSL product marketing at VeriSign, said: "With Extended Validation SSL, organisations undergo a rigorous verification process. If an extended validation certificate is issued, the address bar of the website turns green to easily show that the website is who it claims to be. Users seeing the green address bar can be confident that they are on the site they intended to be on and not an impostor site."

Callan also claimed that there are numerous other ways to check whether a site is safe or not, including checking for spelling mistakes and overly long URLs.
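As an added illustration of the distinction Bortnik and Callan draw (this is not code from the article, ESET or VeriSign), the following Python takes the certificate dictionary that `ssl.SSLSocket.getpeercert()` returns and answers the two separate questions a padlock conflates: is the certificate valid for the host name that was typed, and does it assert anything about the organisation behind the server. The certificates are constructed samples; the organisation-field heuristic for EV-style identity and the simplified wildcard matching are assumptions, not a full RFC 6125 implementation.

```python
# Added example: what an HTTPS certificate proves (transport to a named host)
# versus what it does not (who operates that host). Runs offline on the dict
# shape produced by ssl.SSLSocket.getpeercert(); no network access is needed.


def _flatten(rdn_seq):
    # getpeercert() encodes a name as ((('countryName', 'AU'),), (('commonName', 'x'),))
    return {k: v for rdn in rdn_seq for k, v in rdn}


def name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 matching (assumption): case-insensitive, and a wildcard
    is only honoured as the whole leftmost label, matching exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        # Require at least three labels so '*.test' cannot match a bare 'example.test'.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def assess(cert: dict, host: str) -> dict:
    """Separate 'valid for this host' from 'identifies an organisation'."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names and "commonName" in subject:  # legacy certificates without SANs
        dns_names = [subject["commonName"]]
    # Heuristic (assumption): EV certificates carry these organisation fields in the
    # subject; a domain-validated certificate typically carries only a commonName.
    ev_fields = ("organizationName", "businessCategory", "jurisdictionCountryName")
    org = subject.get("organizationName")
    host_ok = any(name_matches(n, host) for n in dns_names)
    if not host_ok:
        verdict = "name mismatch: certificate is not for %s" % host
    elif org:
        verdict = "encrypted to %s, operated by %s" % (host, org)
    else:
        verdict = "encrypted to %s, operator not asserted by certificate" % host
    return {
        "host_matches": host_ok,
        "issuer": issuer.get("organizationName"),
        "organisation": org,  # None for a domain-validated certificate
        "ev_style_identity": all(f in subject for f in ev_fields),
        "verdict": verdict,
    }


# Constructed sample: a free, domain-validated certificate for a look-alike domain.
LOOKALIKE_DV = {
    "subject": ((("commonName", "examplebank-login.test"),),),
    "issuer": ((("organizationName", "Free CA (constructed)"),),),
    "subjectAltName": (("DNS", "examplebank-login.test"), ("DNS", "*.examplebank-login.test")),
}
# Constructed sample: an EV-style certificate naming the organisation in the subject.
BANK_EV = {
    "subject": ((("jurisdictionCountryName", "AU"),), (("businessCategory", "Private Organization"),),
                (("organizationName", "Example Bank Ltd (constructed)"),), (("commonName", "www.examplebank.test"),)),
    "issuer": ((("organizationName", "EV CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
}
```

Both samples pass the host-name check for their own domain, so both would show a padlock; only the second tells the user which organisation was verified.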