Ho

Why Chrome shouldn’t call out websites that don’t have an SSL Certificate

I believe every website visitor should feel safe. I believe they should have their personal information protected from hackers and phishing attacks.

I believe all websites that request personal information from visitors should use an SSL Certificate to encrypt their data while in transit to prevent a third-party from hacking the connection in order to gain access to that information. Information such as login details, credit card information and of course, Cryptocurrency keys.

I’m the Founder and CEO of a Security startup called MetaCert. So on the surface, it would appear strange for me to say that Google shouldn’t call out websites that don’t have an SSL Certificate as “not secure”. Below are my reasons but before I articulate them, please look at the screen shot above and ask yourself, “can I trust this website?” If you know the answer, ask yourself; “would my [insert name of average Internet user in your family here] trust this website?” That’s a broad question and I’ll come to in a moment.

It looks like a “safe” site, right? Wrong. It’s “secure”. That means a third-party is unable to hack the connection between you and the website owner. That’s what the “Secure” bit of the green address bar means.

The website in the screenshot above is actually a known phishing website classified by MetaCert. While third-parties will be unable to hack your details, as soon as you give this website access to your crypto wallet, every penny or your hard earned money will be immediately stolen. This happens every day of the week to the Crypto community inside Slack.

10% of all phishing links are now hosted on such “secure” sites. This trend has been increasing and in the month of July 2017, we saw a large spike in such sites.

So, if an investor/user is on a website with an SSL Certificate telling them that it’s “secure”, why shouldn’t they trust it to be the real website and not a phishing site created by cybercriminals?!

Here’s another screen shot of the Comodo website inside the Chrome address bar.

This SSL Certificate is called an “Extended Validation Certificate”. It uses the exact same technology as an “SSL Certificate”. The only difference is that to get your name mentioned in the browser address bar you need to have your company credentials verified by the Certificate Authority to prove you are who you say you are — the idea is to reduce the risk of phishing attacks. I’m not convinced it helps that much. Why? Because the vast majority of people on the Internet see the green “Secure” symbol and immediately assume that it can be “trusted”.

In summary:

  • When you see “Secure” it just means the website is secure. It doesn’t mean the website or its owner can be trusted. W
  • When you see the company name, it means that the website is really owned by that company — again it doesn’t make an assertion about the trustworthiness of the company behind it — just that it really is that company.

Below are the reason why I don’t think Google should promote websites without the “Secure” bit as “not secure” but you must first consider my preamble above in the context of these points.

A website that does not contain an SSL Certificate is technically “not secure” as Google asserts. Even though it’s accurate, it’s likely to scare everyday visitors by allowing them to assume that somehow, by just being on the site, they could fall victim to an attack of some kind.

Let’s pretend you have a website that only displays content. It does not request any input from visitors — they don’t have to create an account, or login. There is no need for you to implement an SSL Certificate to secure your website. For the vast majority of people, implementing an SSL Certificate is a very very very very complicated thing to do — way more complicated than it needs to be. Most technical people’s answer to this is “but you can get SSL Certificates for free”. They are not free if you have to pay someone to implement them.

If you don’t need an SSL, why should you be penalized by a browser that tells all of your visitors that your website is “not secure”. It might scare them away. Not fair. It’s the long tail that makes the Web as great as it is. I’d argue it’s one of the few reasons the Web will always be part of our lives — even with the proliferation of bots, apps et al.

According to Info Security, 10% of all phishing links are now hosted on such “secure” sites. This trend has been increasing and in the month of July 2017, they saw a large spike in such sites. If anything, SSL Certificates will make it much easier for phishing scams to be successful as people will assume they are “safe” and not just “secure”.

Hardcore security professionals and the entire Chrome team will assert that getting everyone on the Web to implement SSL Certificates will improve security overall. But I’m not convinced. Again, I believe every website that requests / processes / stores any information that belongs to you, should implement an SSL Certificate. I don’t think this sledgehammer approach is a healthy one in the longterm.

And don’t assume that Google knows best all of the time, or is a great implementor of security just because it’s Google. Have you read in the media this week, that it’s Gmail app is going to help protect users from phishing links? I filed a full patent for in-app WebView security against phishing links a few years ago and MetaCert has been protecting users inside apps for a few years also. It doesn’t take a genius to see that this was a massive problem waiting to happen.

My advice: don’t immediately trust a website just because it has the “Secure” symbol in the browser. And don’t distrust websites that don’t have an Extended Validation Certificate with the company’s name in the address bar— it could just mean that they refuse to pay for over-priced technology.

Some companies are more likely to want EV Certs. A company launching an ICO for example, might want one because there are a lot of scam ICOs popping up — so you might want to know more about the team and company behind the offering as part of your due-diligence.

To use a food analogy — in the US you really don’t want to buy anything that’s not explicitly certificated as organic. You can assume food that isn’t certified is stuffed with lots of crap. Whereas in Europe, the price of Organic certification outweighs the benefit for many companies — because most consumers know that most food is by default, organic. OK, I digress. I hope that last bit didn’t confuse my ramblings even more.

Please tap or click “♥︎” to help to promote this piece to others.

Like what you read? Give Paul Walsh a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.