Do not trust the green padlock icon, unless...

Man-in-the-middle attacks on HTTPS connections

I'll keep this blog post straightforward: it is about the famous green padlock icon in browsers.

A friend recently asked me, "Is it safe to use a website with an HTTPS connection?" You've likely seen the padlock icon on most browsers, signifying a secure connection. In simple terms, a green padlock suggests that a website is safe.

My brief answer: Not necessarily, unless...

Let me provide a detailed response.

The padlock only means that your browser validated the site's certificate against one of the root certificates in its trust store and is now encrypting the connection to whoever holds the matching private key. Here is the catch: it does not tell you whether that root, or the certificate authority (CA) that issued the certificate, is one the site's owner ever authorised.

This risk isn't just for individuals; it also affects the company whose website you're trying to access.

What could go wrong?

1) The certificate might come from someone monitoring your online activity. Employers, for example, often inspect internet use on company devices: a root certificate belonging to the company's TLS inspection proxy is installed on your laptop, so the proxy can mint a certificate for any site and your browser will accept it. If you're using your company laptop, that padlock may mean your employer is the "Man in the Middle" (MitM). Before reaching the real website (say forbes.com), your connection terminates at the employer's proxy, which decrypts it, reads it, re-encrypts it and forwards it to Forbes. The tell is in the browser's certificate viewer: the issuer is your company's CA rather than a public one.

2) A rogue or compromised CA could issue a certificate for a domain it has no business issuing for, and whoever holds that certificate can act as a MitM against the real site; this is the case that CAA records and Certificate Transparency, below, are designed to catch. Far more common, and needing no rogue CA at all, criminals register a lookalike domain, obtain a perfectly valid certificate for it in minutes, and either copy the genuine site or, if the genuine site does not forbid it, "frame" the real pages inside their own. The padlock is real, but the site is theirs, and every click and password you type passes through them.

3) A government that controls a CA trusted by browsers, or that compels its citizens to install a state root certificate, can do the same at national scale to monitor their online activity.
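Whether your device trusts a root it shouldn't is something you can check rather than guess. The following is an added example, not code from the original post: it lists the self-signed roots in Python's default OpenSSL trust store and flags any that are not in a baseline you maintain. The baseline, the sample store entries and the "Acme Corp" inspection root are constructed for illustration; a real baseline would be the root set you have actually reviewed (a snapshot of Mozilla's root program, say).

```python
# Added example (not the author's code): list the root certificates the local
# Python/OpenSSL trust store contains and flag any not in a known baseline.
# A padlock is shown for any chain that ends in one of these roots, so a
# corporate or government root sitting here is exactly the MitM case above.
import ssl
from typing import Dict, Iterable, List, Tuple

# Certificate dicts in the shape ssl.SSLContext.get_ca_certs() returns:
# 'subject' and 'issuer' are tuples of RDNs, each a tuple of (type, value) pairs.
CertDict = Dict[str, object]


def rdn_value(name: Tuple, attr: str) -> str:
    """Pull one attribute (e.g. 'commonName') out of an ssl-module name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def is_self_signed(cert: CertDict) -> bool:
    """A root certificate is its own issuer; intermediates are not."""
    return cert["subject"] == cert["issuer"]


def unexpected_roots(certs: Iterable[CertDict], baseline: Iterable[str]) -> List[str]:
    """Common names of self-signed roots that are not in `baseline`."""
    known = {cn.strip().lower() for cn in baseline}
    flagged = []
    for cert in certs:
        if not is_self_signed(cert):
            continue
        cn = rdn_value(cert["subject"], "commonName")
        if cn.strip().lower() not in known:
            flagged.append(cn)
    return flagged


def live_trust_store() -> List[CertDict]:
    """Roots currently loaded by Python's default SSL context.  Where OpenSSL
    uses a certificate directory (capath), a root is only listed after it has
    been used once, so an empty result is not proof of a clean store."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample store: two public roots, one intermediate, one corporate root.
SAMPLE_STORE: List[CertDict] = [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "issuer": ((("organizationName", "Internet Security Research Group"),),
                (("commonName", "ISRG Root X1"),))},
    {"subject": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert Global Root G2"),)),
     "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert Global Root G2"),))},
    # An intermediate: not self-signed, so not a root and not reported.
    {"subject": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
     "issuer": ((("organizationName", "Internet Security Research Group"),),
                (("commonName", "ISRG Root X1"),))},
    # Hypothetical inspection-proxy root pushed by an employer's device management.
    {"subject": ((("organizationName", "Acme Corp"),), (("commonName", "Acme Corp TLS Inspection Root"),)),
     "issuer": ((("organizationName", "Acme Corp"),), (("commonName", "Acme Corp TLS Inspection Root"),))},
]

# Constructed baseline: the roots you have reviewed and accept.
SAMPLE_BASELINE = ["ISRG Root X1", "DigiCert Global Root G2"]

if __name__ == "__main__":
    print("sample store, unexpected roots:", unexpected_roots(SAMPLE_STORE, SAMPLE_BASELINE))
    live = live_trust_store()
    print(f"{len(live)} roots loaded in this Python's default context")
    for cn in unexpected_roots(live, SAMPLE_BASELINE)[:5]:
        print("  not in (toy) baseline:", cn)
```

Run against the live store the toy baseline will of course flag almost everything; the point is the comparison, and the baseline you keep should be the full public root set so that only additions stand out.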

Moral of the story: If privacy matters to you, don't blindly trust the green padlock.

What can companies do?

There are a few responsible technical measures that companies can take as a minimum precaution:

1) Publish CAA records as part of their DNS management, which costs nothing. A CAA record names the CAs allowed to issue certificates for the domain, and every publicly trusted CA is required to check it and refuse anything else. It protects against mis-issuance by public CAs; it does nothing against a root installed on the user's own device, as in the employer case above.

2) Sign the zone with DNSSEC so that an attacker who can forge DNS answers cannot hide or replace those CAA records during the CA's check; most registrars and DNS providers offer it at no extra charge.

3) Be aware of what a CDN provider (reverse proxy) adds as, or requires in, CAA records. A CDN terminates TLS on your behalf and issues through its own CA partners: if your CAA records don't list those CAs its renewals fail, and if the CDN manages your DNS it may add issue entries you never reviewed.

4) Implement CT (Certificate Transparency) monitoring, which is free. Chrome and Safari refuse certificates that have not been logged publicly, so a certificate issued for your names by a CA you did not expect can be found in the logs within hours, rather than when a customer complains.

5) Prevent your website from being framed: send a Content-Security-Policy header with frame-ancestors 'none' (or 'self' if you frame your own pages), plus X-Frame-Options: DENY for older browsers.

6) Configure CORS headers deliberately on APIs and complex applications. An Access-Control-Allow-Origin that echoes whatever origin asked, or a wildcard together with credentials, lets any site read responses meant for your users; use an explicit allow-list and add Vary: Origin. CORS does not stop framing, which is what item 5 is for.
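To make items 1, 3 and 4 concrete, here is an added example (not the author's code) of the CAA evaluation a public CA must perform under RFC 8659, applied to a constructed zone in which a CDN publishes its own CAA record on a delegated sub-zone, and then reused to triage Certificate Transparency entries. The zone, the CT entries (in the field layout crt.sh returns as JSON) and the table mapping issuer names to CAA domains are all assumptions for illustration.

```python
# Added example (not the author's code): evaluate a CAA policy the way a
# public CA must under RFC 8659, then use the same policy to triage
# Certificate Transparency entries.  The zone data, the CT entries and the
# issuer-name-to-CAA-domain table are all constructed for illustration.
from typing import Dict, List, Tuple

CaaSet = List[Tuple[str, str]]  # (tag, value) pairs as published in DNS

# Constructed CAA records for a hypothetical example.com.
CAA_ZONE: Dict[str, CaaSet] = {
    "example.com": [
        ("issue", "letsencrypt.org"),
        ("issue", "digicert.com; cansignhttpexchanges=yes"),
        ("issuewild", ";"),                  # forbid wildcard certificates entirely
        ("iodef", "mailto:security@example.com"),
    ],
    # Sub-zone delegated to a CDN, which publishes CAA for the CA it issues through.
    "cdn.example.com": [("issue", "pki.goog")],
}


def relevant_caa(name: str, zone: Dict[str, CaaSet]) -> CaaSet:
    """RFC 8659 section 3: climb from the name towards the root and use the
    first CAA RRset found.  A wildcard name uses the policy of its base name."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_domain(value: str) -> str:
    """Strip RFC 8659 parameters: 'digicert.com; cansignhttpexchanges=yes'
    -> 'digicert.com'.  A bare ';' yields '', which no CA can match."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca: str, zone: Dict[str, CaaSet] = CAA_ZONE) -> bool:
    """Would a CAA-compliant CA identified by `ca` be allowed to issue for `name`?"""
    records = relevant_caa(name, zone)
    if not records:
        return True                     # no CAA anywhere up the tree: unrestricted
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard else "issue"
    values = [v for t, v in records if t == tag]
    if wildcard and not values:         # no issuewild: issue governs wildcards too
        values = [v for t, v in records if t == "issue"]
    if not values:
        return True                     # e.g. only an iodef record: no restriction
    return ca.lower() in {issuer_domain(v) for v in values}


# Constructed CT log entries, in the field layout crt.sh returns as JSON.
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com", "not_before": "2024-01-10T08:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "name_value": "static.cdn.example.com", "not_before": "2024-01-11T08:00:00"},
    {"id": 3, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV",
     "name_value": "login.example.com", "not_before": "2024-01-12T08:00:00"},
]

# Assumed table: organisation in an issuer DN -> CAA issuer domain it honours.
# A real monitor maintains this per CA from each CA's published CP/CPS.
ISSUER_TO_CAA_DOMAIN = {
    "Let's Encrypt": "letsencrypt.org",
    "DigiCert Inc": "digicert.com",
    "Google Trust Services LLC": "pki.goog",
    "Sectigo Limited": "sectigo.com",
}


def organisation(issuer_dn: str) -> str:
    """'C=US, O=Let's Encrypt, CN=R3' -> "Let's Encrypt" (no escaped commas here)."""
    attrs = dict(part.strip().split("=", 1) for part in issuer_dn.split(","))
    return attrs.get("O", "")


def ct_alerts(entries: List[dict], zone: Dict[str, CaaSet] = CAA_ZONE) -> List[int]:
    """Ids of CT entries whose issuer the CAA policy would not have permitted.
    Each is either a CA that ignored CAA or a certificate nobody expected."""
    alerts = []
    for entry in entries:
        ca = ISSUER_TO_CAA_DOMAIN.get(organisation(entry["issuer_name"]), "unknown-ca")
        if not caa_permits(entry["name_value"], ca, zone):
            alerts.append(entry["id"])
    return alerts


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "pki.goog"),
                     ("*.example.com", "letsencrypt.org"), ("static.cdn.example.com", "pki.goog")]:
        print(f"{ca:>16} may issue for {name:<24}: {caa_permits(name, ca)}")
    print("CT entries to review:", ct_alerts(CT_ENTRIES))
```

Two results are worth noticing. The CDN's CA is permitted for static.cdn.example.com because the closest CAA set wins, not the apex one; the same CA is refused for www.example.com, which is exactly what breaks renewals when a CDN is put in front of a name whose CAA records were never updated. And the third CT entry, a certificate for login.example.com from a CA the policy never listed, is the one a monitor should wake someone up for.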

In my observation, many Fortune 100 companies do not yet use many of the above. Does this show their careless attitude towards you or incompetence? I say nothing!
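Items 5 and 6 can be verified from outside with nothing but a response's headers. The following is an added example, not the author's code: it audits the framing and CORS headers of a constructed weak response and a constructed hardened one, and also checks Strict-Transport-Security, which the list above does not mention but which keeps a browser from speaking plain HTTP to the site after the first visit. The threshold constant, the header sets and the allow-list are assumptions for illustration.

```python
# Added example (not the author's code): audit the response headers that
# decide whether a page can be framed and which origins may read it, and
# compare a weak header set with a hardened one.  Both sets are constructed.
import re
from typing import Dict, List, Optional, Sequence

MIN_HSTS_AGE = 31536000  # one year, the minimum the browser preload list accepts


def csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Source list of one CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: Dict[str, str], request_origin: Optional[str] = None,
                  allowed_origins: Sequence[str] = ()) -> List[str]:
    """Return findings for one response; an empty list means nothing to fix."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # 1. Framing.  frame-ancestors (CSP level 2) is authoritative where supported;
    #    X-Frame-Options is the fallback.  With neither, any site can frame the page.
    ancestors = csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is None:
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("framable: no frame-ancestors and no X-Frame-Options DENY/SAMEORIGIN")
    elif "*" in ancestors or any(src.startswith("http:") for src in ancestors):
        findings.append("framable: frame-ancestors allows any or plaintext-origin ancestors")

    # 2. CORS.  Echoing whatever Origin the request carried, or a wildcard together
    #    with credentials, lets other sites read authenticated responses.
    acao = h.get("access-control-allow-origin", "").strip()
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*" and creds:
        findings.append("cors: wildcard origin combined with credentials")
    elif acao and request_origin and acao == request_origin and request_origin not in allowed_origins:
        findings.append(f"cors: origin {request_origin} reflected although not on the allow-list")

    # 3. HSTS: missing, or a max-age too short to matter.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("hsts: Strict-Transport-Security missing or max-age under one year")
    return findings


# Constructed: a typical unhardened app.  The CORS value is the request's own
# Origin echoed back, the common "allow everything" pattern.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed: the same response with the settings items 5 and 6 ask for.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}

ALLOWED = ["https://app.example.com"]  # assumed allow-list of first-party origins

if __name__ == "__main__":
    for label, hdrs, origin in [("weak", WEAK_HEADERS, "https://evil.example"),
                                ("hardened", HARDENED_HEADERS, "https://app.example.com")]:
        print(label, audit_headers(hdrs, request_origin=origin, allowed_origins=ALLOWED) or ["ok"])
```

The reflected-origin check needs to know which Origin the request carried, which is why the function takes it as a parameter; a scanner would send two requests with different Origin headers and compare.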

What can we do as individuals?

Here are some basic precautions:

1) Use a reliable VPN with a kill switch and leak protection, especially on public WiFi. Remember what it does and doesn't do: it moves your trust from the coffee-shop network to the VPN provider, and it cannot help against a root certificate installed on the device itself, because that interception happens before the traffic ever enters the VPN tunnel.

2) Avoid using someone else's computer (or your work laptop) for private matters if you don't want to be monitored.

3) Use a password manager like Bitwarden. It offers saved credentials only on the site they were saved for, so a lookalike or framed site gets nothing, and autofill staying silent is itself a warning that you're not where you think you are.
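Why the password manager helps: it decides whether to offer a login by comparing origins, not by what the page looks like. Here is an added example (not the author's and not Bitwarden's code) of a strict exact-origin match, stricter than the base-domain matching most managers default to but built on the same principle, run on a constructed vault and constructed lookalike URLs.

```python
# Added example (not the author's code): the origin comparison a password
# manager performs before filling a saved login, shown on constructed URLs.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to scheme://host:port.  Returns None for anything that is
    not an http(s) URL, so a javascript: or data: page never matches a vault entry."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def candidates(page_url: str, vault: Dict[str, str]) -> List[str]:
    """Usernames whose saved origin is exactly the page's origin, nothing else."""
    origin = origin_of(page_url)
    if origin is None:
        return []
    return [user for user, saved_url in vault.items() if origin_of(saved_url) == origin]


# Constructed vault: username -> the URL the login was saved on.
VAULT = {
    "alice@example.com": "https://www.forbes.com/account/login",
    "alice-bank": "https://online.bank.example/",
}

# Constructed pages: the genuine site, a subdomain lookalike, a plain-HTTP
# downgrade and an odd port.  Only the first should ever see a credential.
PAGES = [
    "https://www.forbes.com/login?next=/",
    "https://www.forbes.com.verify-login.example/",
    "http://www.forbes.com/",
    "https://www.forbes.com:8443/",
]

if __name__ == "__main__":
    for page in PAGES:
        print(f"{page:<48} -> {candidates(page, VAULT) or 'no match, nothing filled'}")
```

The lookalike fails because the host is compared whole, not by whether it "contains" forbes.com; the downgrade fails because http and https are different origins, which is also why a manager going quiet on a page that used to fill is worth a second look at the address bar.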

For more tips, check out my previous blog articles on (1) Choosing a Browser, (2) Choosing a smartphone.

Stay safe,

Santosh Pandit

16 January 2024
