What is an SSL Certificate and what does it do for me?
An SSL Certificate lets a visitor’s browser check that it is talking to the server named in the address bar, and lets the two sides set up an encrypted connection (TLS, the successor to SSL) for everything they send each other – the data your site serves and the input it receives from visitors. This means that if either side is sending sensitive data, it becomes extremely difficult for anyone else on the network path to read or tamper with it. It’s an important tool to thwart Man-In-The-Middle attacks.
The https:// part of an address means the connection is carried over SSL/TLS (“Secure Sockets Layer” is the older name for the protocol): the data being transmitted back and forth between your browser and the site is encrypted and cannot be read in transit by third parties.
We’re advised never to send sensitive information to a website which does not show https:// and a padlock icon in the address bar, because over plain http:// anyone positioned on the network path between you and the site can read it if they know how.
However, security expert Brian Krebs points out that the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates.
The reason Mr. Krebs brings this up is that “many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.”
The problem is that those government sites are misinforming the public, including statements such as “The https:// ensures that you are connecting to the official website….”
No, it does NOT.
All it ensures is that you’re connected to the site whose name is in the address bar, and that the traffic between you and that site is encrypted. It says nothing about who runs the site. It’s not particularly difficult to obtain a .gov domain name, and it’s a fairly trivial exercise these days to get a basic SSL Certificate for any domain you control. So all that the https:// on a .gov site ensures is that someone got a .gov domain name and put an SSL Cert on it – nothing more.
The moral? Make sure you’re going to the right site – both for government sites and for anything else you do online.
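The padlock answers only one question (is the connection to the host in the address bar encrypted?); whether that host is the site you meant to reach is a separate check. The following Python script is an added example, not part of the original post or of the Krebs article: it separates the two questions by testing the URL scheme on one hand and, on the other, whether the host matches a hand-written allowlist of intended sites, rejecting the usual lookalike tricks (the allowlisted name as a subdomain or suffix of the attacker’s domain, the name hidden in the userinfo part of the URL, a Unicode look-alike letter). The allowlist contents, the function names and the sample URLs are assumptions made for this example, and none of the sample hosts is a real phishing site.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed allowlist of the sites the user actually intends to reach.
# Placeholder values for this example; maintain your own list.
OFFICIAL_DOMAINS: frozenset[str] = frozenset({"irs.gov", "ssa.gov", "usa.gov"})


def host_of(url: str) -> str:
    """Return the normalised hostname of a URL: lower-cased, with userinfo
    and port stripped, converted to its IDNA (punycode) form, and without a
    trailing dot. Raises ValueError when there is no usable hostname."""
    host = urlsplit(url).hostname  # drops 'user:pw@' and ':443', lower-cases
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    try:
        # A Unicode look-alike such as a Cyrillic 'i' in 'irs.gov' becomes an
        # 'xn--' label here, so it can never compare equal to the ASCII name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError as exc:  # empty or over-long label, e.g. 'irs..gov'
        raise ValueError(f"malformed hostname in {url!r}: {exc}") from exc
    return host.rstrip(".")


def is_official(url: str, allowed: frozenset[str] = OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an allowlisted domain or a subdomain of one.
    The match is on a label boundary, so 'irs.gov.secure-login.example' and
    'fakeirs.gov' are rejected even though both contain 'irs.gov'."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify(url: str) -> str:
    """Answer the two questions separately: is the connection encrypted
    (the https:// scheme), and is the host the intended site (the allowlist)?
    A padlock in the browser answers only the first."""
    encrypted = urlsplit(url).scheme.lower() == "https"
    official = is_official(url)
    if official and encrypted:
        return "official, encrypted"
    if official:
        return "official, but NOT encrypted (do not submit data)"
    if encrypted:
        return "encrypted, but NOT an official site (padlock is no proof)"
    return "neither encrypted nor official"


if __name__ == "__main__":
    # Constructed sample URLs for the example; none is a real phishing site.
    samples = [
        "https://www.irs.gov/payments",
        "http://www.irs.gov/",
        "https://irs.gov.secure-login.example/",  # real name as a subdomain of the attacker's
        "https://fakeirs.gov/",                   # real name as a suffix only
        "https://user:pw@irs.gov@evil.example/",  # real name hidden in the userinfo
        "https://\u0456rs.gov/",                  # Cyrillic 'i' look-alike
    ]
    for url in samples:
        print(f"{url:45} -> {classify(url)}")
```

The allowlist is matched on the exact host or a subdomain of it. A browser has no such list of where you intended to go, which is exactly why the padlock cannot tell you that a .gov lookalike with a valid certificate is not the site you wanted.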
Original article at Krebs On Security