🔒 Green padlock

Unlocking the Green Padlock

So you’re doing some online banking – or shopping or logging into your health insurance or HSA account, etc. – and you suddenly remember all those terrible stories about fake websites luring unsuspecting customers into giving up all their login credentials. You glance quickly at the address bar and… there it is. The little padlock icon.
So you’re safe, right?
Yes! And maybe no. There has been a lot of confusion about the “little padlock icon.” People often associate the padlock with security and safety and assume that it places a stamp of approval on the website in question; that any website so adorned is safe and secure.

In reality, that’s only partly true. The padlock symbol (or checking to be sure an address begins with “https”) does ensure that your traffic with the website is encrypted in transit. That means it is secure in the sense that whatever information you exchange with the site won’t be intercepted and read by a third party along the way. This is important, and several organizations – Google, for example – are pushing to make this standard for all legitimate websites (see this recent announcement by Google, for example).

The problem is that the bad guys who are out to steal your personal information know that many people assume the padlock is a stamp of approval for a website’s safety. They also know how to purchase the appropriate certificates to get their fake website its very own padlock. So when you click on that unexpected link in your email purporting to be from your bank (which you should never do, by the way) and it takes you to a webpage that looks just like your bank’s homepage but is really a hacker’s creation for the purpose of collecting your login information… there it is: the padlock icon. It is doing its job, mind you. But that job is not to assure you that the website is safe or legitimate; it is to assure you that all your personal information will be safe from prying eyes on its way to the hacker’s files.

Here’s a real-life example. Take a look at this screenshot of PayPal’s website (or is it?). One of our customers was taken here after following a link in an email asking him to log in to complete a PayPal transaction.

Unfortunately, this is not PayPal’s real site. Can you tell the difference? Despite the padlock, a close inspection reveals that the web address begins with “paysnal.com” (not paypal.com). Once the deception was discovered, the site’s certificate was revoked, but in the meantime anyone who clicked the link in that malicious email and looked to the padlock for assurance may have been deceived.
So is the padlock useless? Absolutely not. It tells you one very specific, very important thing: the site holds a certificate, so your data is encrypted on its way to the website in question and can’t be read in transit. But that’s it. It says nothing about the legitimacy of the website, or whether the site is faking or mimicking a trusted one. For that, we must still be vigilant in following safe practices like:

  • Never clicking on unexpected links
  • Typing the address into the browser yourself
  • Using your bookmarks for websites you visit regularly
  • Using private browsing when possible to verify a URL without entering your credentials

Following these practices protects you from a variety of deceptions, fake websites certainly being one of them.
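The “paysnal.com” example shows that the check that actually matters is the hostname in the address bar, not the padlock. The script below is an added example, not part of the original post: it pulls the hostname out of a URL and compares it against a short list of domains you trust, flagging an exact match, a one- or two-character lookalike (the post’s paysnal.com case), or a trusted name planted as a subdomain of something unrelated. The trust list, the placeholder examplebank.com entry and the sample URLs are all constructed for the example, and the two-label “registered domain” rule is a simplification (a real tool would consult the Public Suffix List).

```python
"""Added example (not from the original post): the padlock only proves an
encrypted connection to whatever host is in the address bar, so this script
checks whether that host is one you actually intended to visit."""
from urllib.parse import urlsplit

# Constructed trust list: the registered domains of sites you actually use.
# examplebank.com is a placeholder, not a real bank.
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, ignoring scheme, port and path."""
    if "://" not in url:          # allow bare "paypal.com/login" style input
        url = "https://" + url
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname.lower().rstrip(".")


def registered_domain(hostname: str) -> str:
    """Last two labels of the hostname. Good enough for .com-style names;
    a real tool would use the Public Suffix List (assumption/simplification)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown'.

    trusted:   registered domain is exactly one you trust
               (https://www.paypal.com/signin)
    lookalike: registered domain is within 2 edits of a trusted one
               (https://paysnal.com/login), or a trusted name appears as a
               subdomain label of some other domain
               (https://paypal.com.login-example.net/)
    unknown:   anything else; not necessarily bad, just not a site you listed
    """
    host = hostname_of(url)
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # Trusted brand used as a subdomain of an unrelated registered domain.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"
        # One- or two-character typo or substitution of the trusted domain.
        if edit_distance(domain, t) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; the second one is the case from the post.
    for sample in ("https://www.paypal.com/signin",
                   "https://paysnal.com/login",
                   "https://paypal.com.login-example.net/",
                   "https://example.org/"):
        print(f"{classify(sample):9s}  {sample}")
```

The “lookalike” verdict is deliberately a prompt to stop and type the address yourself or use a bookmark, exactly the practices listed above; it is not a replacement for them, and “unknown” simply means the site is not on your list, which is why the list should hold only the handful of sites where you enter credentials.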

Be safe!
