HTTPS is no guarantee for a reliable website

27.03.2018

A market study commissioned by DNS Belgium at the end of last year and executed by InSites Consulting shows that for the average Belgian, confidence in a website is based primarily on the presence of https (45%).  Indications that it is an official site (40%) and the domain extension (38%) round off the top three indicators.

This result shows that Belgians recognize an encrypted internet connection and are aware of its importance.  This is a positive thing of course. On the other hand, there is also a risk involved, because nearly half of the people trust websites if they are accessible via https.  We explain why below.

Cybercriminals have discovered https too

Cybercriminals are constantly looking for 'new' ways to mislead people and machines. Figures from the American cybersecurity company PhishLabs show that cybercriminals increasingly use https for phishing sites (25%) to instil a sense of trust in internet users. Such criminals take advantage of the misconception that the green lock in the browser's address bar means that the website is legitimate and/or reliable, while https offers absolutely no guarantee in that respect.

Https = secure information transfer

As of July of this year, Chrome (version 68) will mark all http websites as 'unsafe,' thereby perpetuating the misconception among internet users that http is not safe but https is.

Whether a website is available via https says very little about the security of that website. It only says something about the security of the communication between the end user and that website. Https ensures that the information exchanged between the user's browser and the server on which the website is hosted cannot be read by third parties, and that third parties cannot see the precise URLs of the pages visited. Certificates are used to secure such communication via https.

Reliability via certificates?

Yet we can at times wonder about the reliability even of certificates. Not every sort of certificate involves a rigorous verification of who the actual applicant is. For Extended Validation (EV) certificates, which DNS Belgium also uses, the authorities which provide the certificates validate an application only after an identity investigation has been conducted (e.g. via the trade register). For certain other types of certificates these checks are automated and can therefore be circumvented.

Finally, there are also free alternatives to the often expensive certificates that are used to make websites available via https, such as Let's Encrypt. Thus everyone, including malicious parties, can obtain a certificate for their website pretty easily and free of charge.
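What a certificate behind the lock actually vouches for can be read from its subject fields. The following is an added example, not part of the original article: it takes the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports whether the certificate names a vetted organisation or only proves control of a domain. The sample certificates, domain names and organisation names are constructed, and the subject-field check is a heuristic (the authoritative marker is the certificate policy extension, which `getpeercert()` does not expose).

```python
# Added example: which identity does a TLS certificate really assert?
# Input: dict in the shape returned by ssl.SSLSocket.getpeercert().
# Assumption: validation level is inferred from subject fields (heuristic).

# Subject fields that EV certificates carry in addition to the organisation.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' from the subject fields that are present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # automated domain-control check only, no organisation named
    if EV_FIELDS.issubset(fields):
        return "EV"  # organisation plus registration details were vetted
    return "OV"

def describe(cert):
    """One-line summary of what the lock does and does not tell the visitor."""
    fields = subject_fields(cert)
    owner = fields.get("organizationName", "nobody (domain control only)")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return f"{validation_level(cert)}: names={names}, identity vouched for: {owner}"

# Constructed samples: both connections would show a lock in the browser.
DV_SAMPLE = {
    "subject": ((("commonName", "secure-login.example"),),),
    "subjectAltName": (("DNS", "secure-login.example"),),
}
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "BE"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000.000.000"),),
        (("organizationName", "Example Registry vzw"),),
        (("commonName", "www.registry.example"),),
    ),
    "subjectAltName": (("DNS", "www.registry.example"),),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, EV_SAMPLE):
        print(describe(sample))
```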

For the sake of clarity, it is very important to secure sites via https. Https ensures that you can send personal data securely online. It is an important protective measure for your privacy on the internet. But it must not create a false feeling of security that cybercriminals could exploit. Stay alert, even when a green lock appears next to the website address in your browser.

phishing

Tricksters lure you to a fake website that is a copy of a real one. They then get you to log in with your user name, password and credit card number. Once you’ve done that, the fraudster has your details.

server

A computer program or hardware device that provides services to other computer programs or users.

Browser

A program that makes it possible to access and read web pages. Internet Explorer, Google Chrome, Mozilla Firefox and Safari are some well-known browsers.

DNS

Domain Name System or Domain Name Server. The global DNS is the system and protocol used on the internet to translate domain names into IP addresses and vice versa. 