Due to recent events, specifically revelations about the extent of various governments' internet surveillance, efforts are under way to move more and more sites to HTTPS, but it's important to realise the limitations of this increase in security. HTTPS only guarantees that the connection between your computer and the site it is communicating with is encrypted, and it can be undermined in various ways, for example if your computer is infected with a virus or other malware, or if the site itself is not a legitimate site.
It is, of course, this last one that I'll be focusing on here.
So let's look at an example of a fake bank with an SSL certificate:
http://www.wealth-dib.com/
You'll note that the homepage itself is not secured, which is not unusual even for legitimate banks. However, when we attempt to log in to this bank, we're redirected to a different domain:
https://banking.dubai-international-bank.com/
[Screenshot of the login page's address bar, captioned "Encryption... you're doing it wrong!"]
http://banking.dubai-international-bank.com/?lg=1
This site only uses the basic SSL certificate that any site owner can obtain, not the Extended Validation (EV) certificate that major online sites have. An EV certificate requires more than evidence that you own the domain name: the domain must also be linked to the actual business, so that you can be sure you are at the correct site and not a fake one. Most browsers differentiate between the two, so if you are unsure how to tell them apart, it may be time to learn; as more of the internet switches to HTTPS as standard, so too will the fake sites.
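The two warning signs in this post, a login flow that drops back to plain http and a certificate that proves nothing beyond control of the domain name, can both be checked mechanically. The script below is an added example, not code from the original post: it classifies a certificate as DV, OV or EV from the identity fields in its subject (EV certificates carry organisation and incorporation fields that domain-validated ones lack) and lists every non-https hop in a redirect chain. The certificate subjects are constructed for illustration in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, the attribute names are assumed to be OpenSSL's long names, and the redirect chain is the sequence shown above; nothing here contacts a server.

```python
# Added example, not code from the original post. It classifies a server
# certificate by the identity fields in its subject (domain-only DV versus
# OV/EV, which name a real organisation) and flags login redirect chains
# that fall back to plain http. Input mimics the dict shape returned by
# ssl.SSLSocket.getpeercert() so the check runs offline on constructed data.
from urllib.parse import urlparse

# Subject attributes the CA/Browser Forum EV Guidelines require in addition
# to organizationName (assumption: attribute names as OpenSSL long names).
EV_REQUIRED = ("businessCategory", "serialNumber", "jurisdictionCountryName")


def subject_fields(cert):
    """Flatten a getpeercert()-style subject, a tuple of RDNs each holding
    (attribute, value) pairs, into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' based on which identity fields are present.

    DV proves only control of the domain name; OV adds a verified
    organisation; EV adds the incorporation details required by the EV
    Guidelines. Subject fields alone are a heuristic: the authoritative
    signal is the EV policy OID in the certificatePolicies extension, which
    getpeercert() does not expose.
    """
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if all(attr in fields for attr in EV_REQUIRED):
        return "EV"
    return "OV"


def insecure_hops(redirect_chain):
    """Return every URL in a redirect chain whose scheme is not https."""
    return [url for url in redirect_chain if urlparse(url).scheme != "https"]


def audit_login(redirect_chain, cert):
    """Combine both checks for a login flow: plain-http hops and the
    certificate's validation level. Returns (level, list_of_findings)."""
    findings = [f"plain-http hop: {url}" for url in insecure_hops(redirect_chain)]
    level = validation_level(cert)
    if level == "DV":
        findings.append("certificate proves domain control only (DV); "
                        "it does not tie the domain to a named business")
    return level, findings


# Constructed sample data. The redirect chain is the sequence shown in the
# post; the certificate subjects are made up for illustration.
LOGIN_CHAIN = [
    "http://www.wealth-dib.com/",
    "https://banking.dubai-international-bank.com/",
    "http://banking.dubai-international-bank.com/?lg=1",
]

DV_CERT = {  # domain-validated: the subject names only the host
    "subject": ((("commonName", "banking.dubai-international-bank.com"),),),
}

EV_CERT = {  # constructed EV-style subject for a placeholder bank
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "00000000"),),
        (("countryName", "GB"),),
        (("organizationName", "Example Bank PLC"),),
        (("commonName", "online.example-bank.example"),),
    ),
}

if __name__ == "__main__":
    level, findings = audit_login(LOGIN_CHAIN, DV_CERT)
    print(f"validation level: {level}")
    for finding in findings:
        print(" -", finding)
```

Run against the constructed data, the audit reports the two plain-http hops (the homepage and the `?lg=1` login page) and a DV-only certificate, which is exactly the combination described above. On a live connection you would feed it the dictionary from `getpeercert()` and the URLs observed while following the redirects; treat the DV/OV/EV result as a heuristic, since only the policy OID in the certificate's extensions is authoritative.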
Update: Both sites have been suspended.