When it comes to Google, web security is a top priority. Many of us confidently rely on our trusted Google Chrome browser to determine if a site is secure or not.
In fact, the browser does a great job at notifying users when they are about to enter a potentially malicious site. When it encounters, say, a payment site without Secure Socket Layer (SSL)/Transport Layer Security (TLS) encryption, it flags it as insecure. Very soon, any HTTP site will also be flagged insecure.
In their blog post, they explain how certificate authorities (CAs) are issuing SSL certificates to phishing sites that pretend to be other sites. Because these sites operate under false premises with valid certificates, Chrome reports them as secure when in reality they are not.
Obviously, this means that CAs are often tricked into issuing security certificates to such malicious sites. Let’s Encrypt, for example, being free, open and automated, is readily used to create a multitude of SSL certificates for sites that illegally use ‘PayPal’ as part of their name.
Other CAs, such as Symantec, have also incorrectly issued certificates to malicious sites. A common practice is to impersonate trusted and popular companies like Google, Apple or Microsoft in order to obtain fraudulent certificates.
So, while Chrome’s Safe Browsing does screen out many shady sites, it does not immediately recognise a malicious site as such if the site has been issued a valid SSL certificate. Moreover, as WordFence explains:
In Chrome, when you see ‘secure’ in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. … It does not mean that the domain is ‘trusted,’ ‘safe,’ ‘not malicious,’ or anything else.
Even if a CA realises its error and revokes the certificate, Chrome still shows the site as secure. The revoked status is visible only in Chrome developer tools. It turns out that this is a symptom of the certificate revocation system being in bad shape.
However, Chrome has a user base of more than 50% of web users. This calls for greater awareness among users. For starters, users must check the complete hostname and look for anything out of place. Above all, they must check whether the URL continues after the top-level domain and before the first forward slash. If so (for example https://randomname.microsoft.com-more_stuff_here/…), they are dealing with a malicious site.
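The hostname check described above can be automated. The following is an added example (it is not code from the original post or from WordFence): it parses a URL with Python's standard library, works out which part of the hostname was actually registered, and flags a URL when a well-known brand domain appears in the hostname but is not the registered part, which is exactly what happens in the https://randomname.microsoft.com-more_stuff_here/… pattern. It goes slightly beyond the text by also flagging plain-HTTP URLs and URLs that hide the real host behind an `@`. The brand list and the tiny public-suffix table are constructed for illustration; a real deployment would load the full Public Suffix List and its own allow-list of expected domains.

```python
from urllib.parse import urlsplit

# Constructed list of brand domains a user might expect to land on.
# (Illustrative only; a production check would use an organisation's own allow-list.)
EXPECTED_BRANDS = ("microsoft.com", "paypal.com", "google.com", "apple.com")

# Tiny stand-in for the Public Suffix List. Assumption: a real check loads the
# full list from https://publicsuffix.org/ instead of this hard-coded sample.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(hostname):
    """Return the registrable domain (public suffix plus one label) of a
    hostname, or None if the hostname does not end in a known public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so that "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def inspect_url(url):
    """Apply the hostname checks from the text to one URL and return findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    findings = []

    if parts.scheme != "https":
        # The text notes that plain-HTTP sites will soon be flagged insecure.
        findings.append("not_https")

    if parts.username is not None:
        # "https://paypal.com@evil.example/" shows the brand before '@', but the
        # real host is whatever follows it.
        findings.append("userinfo_in_url")

    reg = registrable_domain(host)
    if reg is None:
        # Something like "microsoft.com-more_stuff_here" ends in no real TLD.
        findings.append("no_known_public_suffix")

    for brand in EXPECTED_BRANDS:
        if brand in host and reg != brand:
            # The brand string is present, but the part of the hostname that was
            # actually registered is something else: the text's warning sign.
            findings.append("brand_outside_registrable_domain:" + brand)

    return {
        "hostname": host,
        "registrable_domain": reg,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    # Constructed sample URLs, including the pattern quoted in the text.
    for sample in (
        "https://randomname.microsoft.com-more_stuff_here/login",
        "https://paypal.com.secure-login.example.net/",
        "https://login.microsoft.com/",
    ):
        print(sample, "->", inspect_url(sample))
```

The key idea is that a brand name anywhere in the hostname proves nothing; only the registrable domain (the label just before the public suffix) identifies who controls the site, and that is what the `brand_outside_registrable_domain` finding compares against.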
To check whether a site’s certificate has been revoked, open Chrome’s View > Developer > Developer Tools and view the certificate there.