Internet users are being taught to think about online security the wrong way, which experts warn might actually make them more vulnerable to hacking and cyberattacks.
Websites that want to demonstrate their secure credentials will usually do so by displaying a padlock sign in the address bar that aims to show the website is using HTTPS encryption.
The Hypertext Transfer Protocol Secure (HTTPS) is the more secure version of the Hypertext Transfer Protocol (HTTP) used across the web to load pages using hypertext links. It's there to transfer information between devices, allowing users to enter and receive information.
HTTPS encrypts that information, allowing the transmission of sensitive data such as logging into bank accounts, emails, or anything else involving personal information to be transferred securely. If this information is entered onto a website that is just using standard HTTP, there's the risk that the information can become visible to outsiders, especially as the information is transferred in plain text.
Websites secured with HTTPS display a green padlock in the URL bar to show that the website is secure. The aim of this is to reassure the user that the website is safe and they can enter personal information or bank details when required. Users have often been told that if they see this in the address bar, then the website is legitimate and they can trust it.
However, as security researcher Scott Helme warned in his keynote address at the SANS Institute and National Cyber Security Centre (NCSC) Cyber Threat 19 conference in London, this information is potentially misleading, because it isn't difficult for cyber attackers to register HTTPS domains for use in phishing attacks and other hacking campaigns.
But because web users have been told the padlock is a sign of safety, they're potentially vulnerable to falling victim to attacks.
"This is why phishers are using it on phishing sites, because they know that people who use the websites think that means it's OK when it's not," said Helme. "The padlock doesn't guarantee safety, it never has, that's just a misunderstanding of the interpretation of what this actually means."
In December 2017, a television advert for Barclays Bank in the UK warned users to check for a green padlock to ensure that the website is genuine. There were complaints that this advice was misleading, because it would be possible for attackers to exploit HTTPS for their own ends.
The complaint was upheld by the Advertising Standards Authority, which concluded that the advice from Barclays was inaccurate because "the padlock measure alone could not ensure safety".
Because it turns out, it's actually relatively easy for a criminal to acquire HTTPS for malicious websites to help them look entirely legitimate. By buying a Transport Layer Security (TLS) certificate, attackers can encrypt traffic on their fake website and make it look legitimate. And because the traffic is encrypted, the browser can be fooled into believing that website is safe.
"Cyber criminals started to use HTTPS and their trust scores can be higher than normal websites, they really care about this stuff," said James Lyne, CTO at SANS Institute.
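The distinction drawn above, that encryption says nothing about who runs the site, shown as an added example (not code from the article or from anyone quoted in it). It scores each link on two independent axes, transport and identity; `EXPECTED_HOST`, the sample URLs and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the one host the user actually intends to reach (reserved test TLD).
EXPECTED_HOST = "examplebank.test"

# Constructed sample links; none refer to real sites.
SAMPLE_URLS = [
    "https://examplebank.test/login",
    "http://examplebank.test/login",
    "https://examp1ebank.test/login",
    "https://examplebank.test.secure-login.example/",
    "https://news.example/",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss spellings of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def identity_verdict(host: str, expected: str = EXPECTED_HOST) -> str:
    """Classify a hostname relative to the expected one, independent of the scheme."""
    host = host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "expected"
    brand = expected.split(".")[0]
    # Brand embedded in another domain, or a label within two edits of the brand.
    # (A threshold of 2 suits a long brand label; short labels need a stricter one.)
    if brand in host or any(edit_distance(l, brand) <= 2 for l in host.split(".")):
        return "lookalike"
    return "unrelated"

def triage(url: str) -> dict:
    parts = urlsplit(url)
    return {
        "url": url,
        "encrypted": parts.scheme == "https",  # everything the padlock conveys
        "identity": identity_verdict(parts.hostname or ""),
    }

def encrypted_lookalikes(urls):
    """Links that would show a padlock yet are not the expected site."""
    results = [triage(u) for u in urls]
    return [r["url"] for r in results if r["encrypted"] and r["identity"] == "lookalike"]
```

Running `encrypted_lookalikes(SAMPLE_URLS)` returns the two links that pass the padlock test while failing the identity test, which is the case a "look for the padlock" rule cannot catch.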
So by asking the user to notice when something is wrong, it's putting unfair pressure on them, especially, as Helme argued, as it doesn't happen in other aspects of life.
He pointed to cars and how there isn't a warning light that tells the driver everything is OK. That light only comes on when the driver needs to be aware of an issue; there's no light or alert that appears just to show that things are working as expected, and that model should also be applied to the internet.
"We should only be bugging the user with new information when there's a problem, not when everything is OK, not when the connection is secure. It should be that all connections are secure and that's the default and a non-encrypted connection is the exception," Helme explained.
"We need to flip the model around, we need encryption to become the default and non-encrypted HTTP to become the exception, the thing that we warn about like the warning light on your car, indicating there is a problem," he added.
Even now, encryption is sometimes discussed as if it's a bonus when using the internet, when it needs to become the standard way of doing things everywhere on the internet, Helme explained.
"We need it to become so ingrained and embedded into everything that we do that it's boring and we don't need to talk about it because it shouldn't be special. Encryption should be the boring default that we don't need to talk about," he said.
The security industry therefore needs to step up and help fix the issue, Helme argued, because by doing this, it takes the responsibility for deciding if a website is safe or not away from the user, something that will help make the internet safer for everyone.
"We need to take encryption and make it the default, universal; it needs to be everywhere," he said, adding: "The lack of encryption on the web is actually a bug. And what we're doing now isn't adding a new feature for an improvement or a new thing: we're going back and fixing a mistake we made in the beginning."
In the meantime, it's going to remain difficult to convince internet users that something they've been told means that a website can be trusted can't actually be used as an indicator of whether the page is safe or not.
"We've beaten into people that's safe, only go to websites with a padlock. But now it turns out that a cyber criminal can go out and buy a padlock for a dollar. That turns it around, so how do you unwire all of that?" said Paul Chichester, director of operations at the NCSC.
"Cybersecurity is a really challenging discipline to operate in. If you think about driving a car and, over many years of driving, you learn certain things and it doesn't generally change, the practices keep you safe. Nobody tells you not to use the brakes any more," he added.
To fix that, the industry needs to improve its messaging, because cybersecurity can be complicated for the average web user and changing advice all the time isn't going to help, especially if people stick to the first thing they were told, like believing the padlock automatically means the website is safe.
"We're pivoting in much shorter periods of time and, even within our community, sharing practices can be tough, particularly when a new practice isn't as simple to convey as the original because those ideas stick," said Lyne. "That's where the average person has lost reasonable expectation; it's genuinely hard."