HTTPS doesn’t mean a site is trustworthy.

When making an online purchase, any reputable website will require a secure HTTPS connection before requesting payment information and completing the transaction. HTTPS is the method browsers and websites use to exchange sensitive data securely: it relies on digital certificates and strong encryption to create a protected tunnel between a web browser and a web server.

Many people, including many IT professionals, believe that an SSL certificate means a website is safe to browse. In fact, just because a website has a certificate, or has HTTPS enabled, does not guarantee that it is 100% secure (you cannot even put a percentage on that kind of “security”) or free of malicious code. We need to be clear: the main purpose of HTTPS is authentication, with the security of the connection coming second, so at best the website is probably safe to talk to, not necessarily safe to trust.

This matters because cybercriminals can use perfectly valid SSL certificates on phishing websites, and there are other ways to exploit the trust placed in those certificates. Relying on solutions like blacklisting only non-SSL websites is a complete mistake, yet sysadmins very often leave exactly this default configuration on perimeter solutions, content filters and proxies.

But how is that possible? How do malicious people obtain valid certificates for their sites? Security professionals tend to believe that the more encrypted websites there are the better, but that is not the whole picture. Because it is extremely easy to get a basic Domain Validated certificate (a basic SSL/TLS certificate that only enables encryption), anybody can quickly acquire one for any kind of website, whatever their intentions. Another point is that SSL and TLS only provide what is called "encryption in transit": data travelling between a browser and the web server is encrypted, so if those packets are intercepted they cannot be read or tampered with, but the protocols provide no encryption at rest (when the data is stored on the website's server). This means that if an attacker gains access to the server, they can read all the data you have submitted.

Even though these free certificate services were created with the best of intentions of making the Internet safer, bad actors have taken advantage of them to set up exactly these kinds of phishing sites. Additionally, many certificate authorities do not have a particularly strict vetting process. There have recently been several fake banking websites set up with valid certificates even though the sites are not genuine. So who is at fault here, the certificate authority for issuing the certificate or the browser on the client for presenting the site as secure? That is a debate we are not going to address here.

SSL by itself can also be vulnerable. SSL is always evolving and being upgraded. The first real experience most of us had with SSL came in 1995 with SSLv2, which contained a number of serious security flaws.

SSLv3 was introduced in 1996, and since then we have seen the introduction of TLSv1, TLSv1.1 and TLSv1.2.

This is where SSL starts to become dangerous for websites. As technologies progress not all websites progress with them, and many still support the older protocol versions despite using a newer SSL certificate. Attackers can abuse this legacy support to perform protocol downgrade attacks. SSL/TLS and its implementations have also been hit by a number of other vulnerabilities, including BEAST, FREAK and Heartbleed.
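Two defensive checks that follow from the points above (the ease of obtaining a Domain Validated certificate, and the risk of legacy protocol support), as an added example that is not part of the original post: a client TLS policy that refuses anything below TLS 1.2, and a summary of a certificate in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns, flagging when the subject carries no organization and therefore only proves control of a DNS name. The certificate sample and its names are constructed for the example, not taken from any real site.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client policy that cannot be talked down to SSLv3, TLS 1.0 or TLS 1.1."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def rejects_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def cert_summary(cert: dict) -> dict:
    """Summarise a certificate in the dict layout ssl.SSLSocket.getpeercert() uses.

    A subject with no organizationName was only domain validated: the CA checked
    control of the DNS name, not who operates the site, so the padlock alone says
    nothing about the operator's identity.
    """
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "names": names,
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "domain_validated_only": "organizationName" not in subject,
    }


# Constructed sample (hypothetical names, not a real certificate) in the
# getpeercert() layout: a DV certificate for a lookalike "login" domain.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "secure-login.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example DV CA"),)),
    "subjectAltName": (("DNS", "secure-login.example.test"),
                       ("DNS", "www.secure-login.example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(cert_summary(SAMPLE_DV_CERT))
    print("legacy TLS rejected:", rejects_legacy_tls(hardened_client_context()))
```

A proxy or content filter that simply allows every HTTPS site would pass the sample certificate without question; the summary shows it proves nothing beyond control of the name.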

In conclusion, HTTPS is undoubtedly more secure than no encryption at all, but what it mainly provides is authentication. The protocol is just one piece of the cybersecurity jigsaw, and it is one of the easiest security features to identify from an attacker's point of view (especially from a web crawler's point of view). The solution, as with every aspect of security, is awareness: the more aware people are that protection takes more than just HTTPS, and the more they educate themselves about avoiding malicious websites, the better protected they will be.