Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks.
Websites that want to demonstrate their secure credentials will usually do so by displaying a padlock sign in the address bar, which aims to show that the website is using HTTPS encryption.
Hypertext Transfer Protocol Secure (HTTPS) is the more secure version of the Hypertext Transfer Protocol (HTTP) used across the web to load pages via hypertext links; it transfers information between devices, allowing users to enter and receive information.
HTTPS encrypts that information in transit, so sensitive data such as bank login credentials, emails, or anything else involving personal information can be transferred securely. If this information is entered on a website that uses plain HTTP, it is transmitted in plain text, so there's a risk that it becomes visible to outsiders.
Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.
However, as security researcher Scott Helme warned in his keynote address at the SANS Institute and National Cyber Security Centre (NCSC) Cyber Threat 19 conference in London, this message is potentially misleading, because it isn't difficult for cyber attackers to register HTTPS domains for use in phishing attacks and other hacking campaigns.
But because web users have been told the padlock is a sign of safety, they're potentially vulnerable to falling victim to such attacks.
"This is why phishers are using it on phishing sites, because they know that people who use the websites think that means it's OK when it's not," said Helme. "The padlock doesn't guarantee safety, it never has, that's just a misunderstanding of the interpretation of what this actually means."
In December 2017, a television advert for Barclays Bank in the UK warned users to check for a green padlock to ensure that the website is genuine. There were complaints that this advice was misleading, because it would be possible for attackers to exploit HTTPS for their own ends.
The complaint was upheld by the Advertising Standards Authority, which concluded that the advice from Barclays was inaccurate because "the padlock measure alone could not ensure safety".
It turns out that it's relatively easy for a criminal to acquire HTTPS for a malicious website and so make it look entirely legitimate. By buying a Transport Layer Security (TLS) certificate, attackers can encrypt traffic to their fake website, and because the traffic is encrypted, the browser shows the padlock as though the website were safe.
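To make concrete what the padlock does and does not attest, here is an added example (not code from the article or from any of the speakers) that models the browser's certificate check, a trusted chain plus a hostname match in the style of RFC 6125, next to the "is this the site I meant to visit?" check that the padlock never performs. All hostnames and certificates below are constructed for illustration.

```python
"""Added example: what the padlock check actually verifies.

A browser shows the padlock when the certificate chains to a trusted CA
and one of its DNS names matches the host in the address bar. Nothing in
that check says the host is the one the user intended to visit.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Certificate:
    """Stand-in for the parts of an X.509 cert the padlock logic uses."""
    dns_names: list[str]   # subjectAltName dNSName entries
    chain_trusted: bool    # chains to a CA in the browser's trust store


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' standing for the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire leftmost label, must not sit at TLD level,
    # and covers exactly one label (no 'a.b.example' for '*.example').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def padlock_would_show(cert: Certificate, host: str) -> bool:
    """The whole of what the padlock attests: trusted chain + name match."""
    return cert.chain_trusted and any(name_matches(n, host) for n in cert.dns_names)


def is_expected_site(host: str, expected_hosts: set[str]) -> bool:
    """The check the padlock does NOT do: is this the site the user meant?
    A bookmark list or a password manager's saved origins can answer it."""
    return host.lower().rstrip(".") in expected_hosts


def assess(cert: Certificate, host: str, expected_hosts: set[str]) -> dict:
    """Side-by-side result: transport security versus site identity."""
    return {"padlock": padlock_would_show(cert, host),
            "expected_site": is_expected_site(host, expected_hosts)}


# Constructed data: the genuine bank host, and a lookalike that bought a valid cert.
EXPECTED = {"online.examplebank.test"}
GENUINE = Certificate(["online.examplebank.test", "www.examplebank.test"], True)
LOOKALIKE = Certificate(["*.examplebank-secure.test"], True)

if __name__ == "__main__":
    print(assess(GENUINE, "online.examplebank.test", EXPECTED))
    print(assess(LOOKALIKE, "login.examplebank-secure.test", EXPECTED))
```

Both hosts get the padlock because both certificates are valid for the name in the address bar; only the allowlist check tells the lookalike apart.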
"Cyber criminals started to use HTTPS and their trust scores can be higher than normal websites, they really care about this stuff," said James Lyne, CTO at SANS Institute.
So asking the user to notice when something is wrong puts unfair pressure on them, especially, as Helme argued, because that isn't how things work in other areas of life.
He pointed to cars: there is no warning light that tells the driver everything is OK. A light only comes on when the driver needs to be aware of an issue; nothing lights up just to show that things are working as expected. That model, he argued, should also be applied to the internet.
"We should only be bugging the user with new information when there's a problem, not when everything is OK, not when the connection is secure. It should be that all connections are secure and that's the default and a non-encrypted connection is the exception," Helme explained.
"We need to flip the model around, we need encryption to become the default and non-encrypted HTTP to become the exception, the thing that we warn about like the warning light on your car, indicating there is a problem," he added.
Even now, encryption is sometimes discussed as if it's a bonus when using the internet, when it needs to become the standard way of doing things everywhere on the internet, Helme explained.
"We need it to become so ingrained and embedded into everything that we do that it's boring and we don't need to talk about it because it shouldn't be special. Encryption should be the boring default that we don't need to talk about," he said.
The security industry therefore needs to step up and help fix the issue, Helme argued, because doing so takes the responsibility for deciding whether a website is safe away from the user, something that will help make the internet safer for everyone.
"We need to take encryption and make it the default, universal; it needs to be everywhere," he said, adding: "The lack of encryption on the web is actually a bug. And what we're doing now isn't adding a new feature for an improvement or a new thing: we're going back and fixing a mistake we made in the beginning."
In the meantime, it's going to remain difficult to convince internet users that the padlock, which they've been told means a website can be trusted, can't actually be used as an indicator of whether a page is safe.
"We've beaten into people that's safe, only go to websites with a padlock. But now it turns out that a cyber criminal can go out and buy a padlock for a dollar. That turns it around, so how do you unwire all of that?" said Paul Chichester, director of operations at the NCSC.
"Cybersecurity is a really challenging discipline to operate in. If you think about driving a car and, over many years of driving, you learn certain things and it doesn't generally change, the practices keep you safe. Nobody tells you not to use the brakes any more," he added.
To fix that, the industry needs to improve its messaging, because cybersecurity can be complicated for the average web user, and changing the advice all the time isn't going to help, especially if people stick to the first thing they were told, such as believing the padlock automatically means the website is safe.
"We're pivoting in much shorter periods of time and, even within our community, sharing practices can be tough, particularly when a new practice isn't as simple to convey as the original, because those ideas stick," said Lyne. "That's where the average person has lost reasonable expectation; it's genuinely hard."