In recent times, there has been a big push by the security and privacy communities to encourage websites to adopt HTTPS. This is certainly a step in the right direction to preserve privacy of sensitive communication and as a result, improve security posture overall.

However, we often see the industry push a message without explaining its caveats. This causes confusion and harms end-users even though they are following what they believe are recommended best practices.

HTTPS/SSL is a prime example of this phenomenon. We have seen security practitioners, over and over again, recommend that people “look for the green lock” or “look for https” in the browser when opening a link. The caveat that often goes unmentioned is that anyone can obtain an SSL certificate for a site, and that the certificate guarantees nothing about the site’s content.

Someone who does not understand the nitty-gritty of SSL certificates would believe that any website with a “green lock” is safe to visit, but this could not be further from the truth.

Several free SSL certificate providers, such as Let’s Encrypt, SSL for Free and Wosign, have made it very easy for anyone to obtain a certificate. Unfortunately, “anyone” includes bad actors who use these certificates to conduct phishing attacks.
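To make the point of the two preceding paragraphs concrete, here is an added example (not code from the original post) that mirrors the checks behind a browser’s lock icon: the certificate chains to a trusted root, is inside its validity window, and names the host being visited. The root name, the domains and the certificate records are all constructed placeholders. A phishing host that simply holds a valid certificate for its own domain passes exactly the same checks as a legitimate one, because none of them look at page content.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Placeholder trust store: one constructed root name standing in for a free CA.
TRUSTED_ROOTS = {"Example Free CA Root"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS name against one certificate SAN entry using the usual
    browser rules: case-insensitive, and a wildcard may only replace the
    whole left-most label (so *.example.com matches shop.example.com but
    not a.b.example.com and not example.com itself)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same number of labels, and never let a wildcard cover a bare TLD.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def lock_icon_would_show(cert: Dict, hostname: str, now: datetime) -> bool:
    """Return True when every check behind the 'green lock' passes.
    Note what is absent: nothing here inspects what the site serves."""
    if cert["issuer"] not in TRUSTED_ROOTS:
        return False
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False
    return any(hostname_matches(san, hostname) for san in cert["sans"])


# Constructed sample certificates; the domains and dates are invented.
NOW = datetime(2017, 7, 15, tzinfo=timezone.utc)


def _cert(sans: List[str], issuer: str = "Example Free CA Root") -> Dict:
    return {
        "issuer": issuer,
        "sans": sans,
        "not_before": datetime(2017, 7, 1, tzinfo=timezone.utc),
        "not_after": datetime(2017, 9, 29, tzinfo=timezone.utc),
    }


LEGIT_CERT = _cert(["bank.example", "www.bank.example"])
# A look-alike domain the phisher registered and certified themselves.
PHISH_CERT = _cert(["bank-example-login.example"])
SELF_SIGNED = _cert(["bank.example"], issuer="Untrusted Self-Signed")


if __name__ == "__main__":
    for label, cert, host in [
        ("legitimate site", LEGIT_CERT, "www.bank.example"),
        ("phishing look-alike", PHISH_CERT, "bank-example-login.example"),
        ("self-signed impostor", SELF_SIGNED, "bank.example"),
    ]:
        print(f"{label:22} lock shown: {lock_icon_would_show(cert, host, NOW)}")
```

Both the legitimate site and the phishing look-alike report `True`; only the self-signed impostor fails. That is the whole caveat: the lock tells a visitor they are talking privately to the domain in the address bar, not that the domain is the one they meant to visit.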

We monitor phishing attacks perpetrated through HTTPS websites and have found that nearly 10% of all phishing links are now hosted on such “secure” sites. This trend has been increasing, and in July 2017 we saw a large spike in such sites.

These sites are either newly registered domains using one of the free SSL certificates, or hijacked websites with phishing pages injected into them. Takedown of these sites depends on the hosting provider: several providers are prompt and take down phishing sites within hours of an abuse report, while others do not act until days after the complaint.

Hijacked pages are trickier to take down, since removal requires cooperation from the site owner, who may or may not respond quickly.