Why HTTPS Is Not The Security Blanket You Think

In the past few years there has been a rise in the number of security experts advocating that people actively seek out sites with https / SSL certificate protection, and with reason.  However, in the drive to push https, many have been guilty of unintentionally overstating the benefits of SSL certificates.

Browser companies are just as culpable, with their use of padlocks and of words such as ‘secure’ giving a misleading impression of what https means.  To be clear, all the https padlock means is that the data between your browser and the site is encrypted and cannot be read in transit by a third party.  It makes no claim as to the reliability or accuracy of either the site or the content on the site.  In the past year, over 15,000 SSL security certificates have been issued to sites known or believed to be engaged in phishing activities.  This means these sites will display the ‘secure’ padlock symbol when visitors land on them, and many visitors will be duped into believing the padlock means the site is safe to use, in part because of the exhortations by experts to seek out sites with the https padlock symbol in the address bar.

The problem lies in what an SSL certificate actually is and how it is issued.  At its most basic, an SSL certificate simply means that a third party, the Certificate Authority (CA), confirms that the domain name is valid and that the owner has applied for an SSL certificate.  The actual checks on the owner are minimal to non-existent for the simplest type of certificate (Domain Validated), since all that is checked is that the certificate being presented matches the one registered to that domain; no check is made on who the owner is, or how reliable or otherwise they are.  The next level up from Domain Validated is the Organizational certificate, which incorporates third-party checks on the identity of the owner of the domain.  However, it is very hard to tell, without actually hovering over the padlock, what type of certificate (Domain or Organizational) a site is using, so the benefits can be hard to quantify.
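To make the distinction above concrete, here is an added Python example (not part of the original article) that reads a certificate in the dictionary form Python's ssl module returns from getpeercert() and reports only what the certificate actually asserts: the DNS names it covers, the validation level (DV, OV or EV) and the organisation, if any, that a CA vouched for.  The EV-specific attribute names are an assumption about how OpenSSL spells those OIDs; the sample certificate is constructed for illustration.

```python
import socket
import ssl

# EV-only subject attributes as (assumed) spelled by OpenSSL in getpeercert().
EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "jurisdictionStateOrProvinceName", "jurisdictionLocalityName"}


def subject_to_dict(subject):
    """Flatten getpeercert()['subject'] (a tuple of RDN tuples) into a dict."""
    return {key: value for rdn in subject for key, value in rdn}


def classify_certificate(cert):
    """Return 'DV', 'OV' or 'EV' from the subject attributes present:
    DV names only the domain, OV adds an organizationName a CA vouched for,
    EV adds jurisdiction / business-category attributes on top of that."""
    subject = subject_to_dict(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if EV_FIELDS.intersection(subject):
        return "EV"
    return "OV"


def describe(cert):
    """What the certificate actually asserts: the names it covers and, if any,
    the organisation behind it.  It says nothing about the site's content."""
    subject = subject_to_dict(cert.get("subject", ()))
    return {
        "validation": classify_certificate(cert),
        "organisation": subject.get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def fetch_certificate(host, port=443, timeout=5):
    """Leaf certificate a live host presents, in getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format: a DV certificate issued for a
# look-alike domain.  Nothing in it says who operates the site.
SAMPLE_DV = {"subject": ((("commonName", "login-example.test"),),),
             "subjectAltName": (("DNS", "login-example.test"),)}

if __name__ == "__main__":
    print(describe(SAMPLE_DV))
```

Run it against a live host with describe(fetch_certificate("example.com")); a DV result with no organisation is exactly what a padlock alone shows.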

This means that a fraudster can get a free SSL certificate and use this apparent ‘security’ to gain a degree of trust that visitors should not be granting.  Education is obviously a critical part of the equation: teaching people to better understand the technology used, and what it does and does not do (and this includes the ‘educators’ and experts – they must be clearer in explaining security principles).

Beyond that, though, there is the question of whether there should be a better way of displaying security in the browser, starting with a consistent way of describing and rating site security.  Different browsers can give differing opinions and presentations of the security of a site, especially those with mixed layers of security, leading to some confusion over the safety or otherwise of sites.  Several organisations have attempted to do this, such as the Web Of Trust initiative, but that was undermined by the fact that ordinary users were rating sites, and often they failed to understand the issues they were experiencing, resulting in the wrong sites being mis-rated; this was compounded by near-zero moderation or review of the ratings granted.  A better initiative was the site seal issued by CAs for Organisational and Enterprise SSL certificates, which attempted to reflect the higher degree of scrutiny that the owner underwent to gain the certification.  However, since these were unregulated, it could be hard for a visitor to tell the difference between, say, a Thawte site seal and an Acme site seal.
