Are all websites starting with "https" secure?

Sly21C (Expert Member, joined Feb 14, 2008, Pretoria)
I just watched a story on Carte Blanche's website titled "Fighting Cyber Crime". The presenter was sent an email while interviewing a guy from an anti-virus software company, the email was from "SARS". If you follow the link, watch "Fighting Cyber Crime" as I've mentioned and go to 05:30 minutes.

The guy looked at her email, clicked on the link which took them to a phishing site of Standard Bank. Now the phishing website's address from what I can see is "https://www6.encrypt.standardbank.co.za/ib". I was under the impression that all secure websites have an "s" on https, while insecure websites just have http.
 
No, it simply means that the packets are being encrypted, so a man in the middle type attack is less possible.
 
From what I understand, when it is https the connection between your computer and the http server is encrypted, so that part is secure. But you could be having a secure conversation with a dud site, which would be a problem.

This is usually overcome by a certificate transferred or authenticated which is issued by a known certifying authority (Thawte and Verisign are the biggest I think), which certifies that the website you are indeed communicating with is Standard Bank. The certificate includes the url, so for example: https://standardbank.co.za . You can usually see the certificate by clicking on the padlock on your browser. Your browser also will only accept certain certifying authorities, so if I start issuing my own certificates, the browser will usually pick it up.

So your browser does some of the work, and usually picks up an invalid or expired certificate. Unfortunately some of the people don't check for the https, or when it tells them the certificate is invalid, they just ignore it and click through. So ensure you are using a proper browser and not an unknown one.

Sometimes the invalidity is because of sloppy/lazy website managers though, so I have been to websites where the certificate is issued for paygate.website.com , but they have changed the url of the actual payment gateway to secure.website.com , so it is picked up as invalid. In those cases, I personally will not deal with that website, as if they are sloppy, they may be sloppy with your personal details also.
 
You also get different types of certificates.

The "best" is Extended Validation certificate.

EV certificates are more expensive (not much)

EV certificates are great because they actually show you more information and make it REALLY easy to spot a fake. They also require much stricter validation etc.

Pretty much I wouldn't bank with a bank that isn't capable of implementing an EV certificate because it just shows how little their devs/admins/whatever know about security.

Just did a quick search of banks I could think of.
Have EV certificates:
Absa, Capitec

Didn't have EV certificates:
FNB, Standard Bank

You are welcome to add to this list if you want.
 
Thanks for the replies guys. :)

Https is simply the protocol used to establish secure connections, but without a valid, authenticated SSL certificate layered on top of it, there's really nothing secure about it at all.
 
Generally you'd be looking for a combination of
A) https
B) Certificate

That covers everything to an acceptable, but not perfect standard. i.e. It's good enough for consumer level & it would require hardcore skill to get past that. Still vulnerable to other types of attacks though. e.g. Some software installs an evil keylogger on your PC that records your keystrokes, then all that is for nothing. So try not to install any software that isn't well known & stay well clear of torrents & sketchy USB sticks etc. PC security is an imperfect art...

A) is easy. B) is usually indicated by a green bar in the address field...depends on the browser but usually not all that tricky to work out.

Visual demo (Chrome): [image: paypal.PNG]

EDITED to add keylogger info
 
That is an EV certificate, not all valid secure sites will look like that. Go to standardbank internet banking and you'll see what I mean.
hmmm that's new to me & kinda retarded. So you need to click on the damn thing to check the cert?
 
No, it simply means that the packets are being encrypted, so a man in the middle type attack is less possible.

True, and there are tools out there designed to remove the SSL using SSLSTRIP from your session in a man in the middle attack, so when opening a site with SSL the attacker will remove the SSL and your browser won't display an error... to the average user this won't appear out of place if they don't see the HTTPS.
 
hmmm that's new to me & kinda retarded. So you need to click on the damn thing to check the cert?

You'll only need to click on the padlock to verify the authenticity of the company and the type of certificate being used. Your browser will almost certainly notify you if the certificate is not valid or if the page is not properly secured.
 
You'll only need to click on the padlock to verify the authenticity of the company and the type of certificate being used. Your browser will almost certainly notify you if the certificate is not valid or if the page is not properly secured.

There is a lot of crapware out there that gets installed when you install free programs. I have to do an audit of all the company computers, to clean the **** up. That includes dodgy toolbars, browsers and search engines. People are totally thick sometimes when it comes to computers, and the same people install the same crap every time.

A dodgy browser or default search engine can do lots of damage with your personal details, forget keyloggers and the like.
 
yep like the SB one

That is the problem most people do not realize.

The normal cert is not worth much. It only proves the domain is legitimate. It gives absolutely 0 guarantee the company is legitimate or even exists. Or even that the person works for whom they claim or that they have the authority to make that request.

You get normal certs very quickly so if you get your hands on a domain that is close enough, or looks legitimate, then bam little green pad lock.

Yeah the connection is secure, but who owns the server, domain, etc?

People who actually understand how computer security works realized that it was a problem.

And thus EV certs were born where the actual company is verified, not just the domain.

Not sure if all authorities are 100% strict but the requirements are usually that your company must be verified. Must have a physical address (verified again). Requester must actually work for the company and have the authority to make the request for a certificate. And so on.

SB and other companies that do not have the EV certs for the most part probably lack the expertise in the company to realize there is a problem. Or even understand what a certificate does/is/etc.
 
That is the problem most people do not realize. Like chopsky above, they assume they can trust the cert and its information.

The normal cert is not worth much. It only proves the domain is legitimate. It gives absolutely 0 guarantee the company is legitimate or even exists. Or even that the person works for whom they claim or that they have the authority to make that request.

Er, I clearly stated that you'll need to click the certificate's padlock to verify the authenticity of the company and the type of certificate (DV/OV/EV). If it's purely a Domain Validation (DV) certificate (i.e. low trust), it won't tell you anything about the legitimacy of the business.
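An added example (mine, not code from any poster in this thread) that encodes the two checks the thread keeps returning to: whether the name you typed is actually covered by the certificate (the paygate/secure mismatch mentioned earlier) and whether the certificate names an organisation at all (DV vs OV/EV). The certificate dicts are constructed samples in the layout Python's ssl.getpeercert() returns, so it runs offline; telling EV apart from OV would need the CA's EV policy OID, which that layout does not expose, so the classifier stops at "OV/EV".

```python
# Added example, not any poster's code. Cert dicts below are CONSTRUCTED
# samples in the layout that Python's ssl.getpeercert() returns.

def hostname_matches(hostname: str, cert: dict) -> bool:
    """Is the name the user typed covered by the certificate?
    Browser rules: labels compare case-insensitively, subjectAltName DNS
    entries are used (Common Name only as legacy fallback), and a wildcard
    replaces exactly one left-most label, never a whole domain.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host) or (pat[0] == "*" and len(pat) < 3):
            continue
        if all(p == h or (i == 0 and p == "*")
               for i, (p, h) in enumerate(zip(pat, host))):
            return True
    return False


def validation_level(cert: dict) -> str:
    """What did the CA verify before issuing?
    A Domain Validated (DV) cert has no organisation in its subject: it proves
    control of the domain, nothing about who is behind it. OV and EV certs
    carry the verified organisation (O=...). Assumption: separating EV from
    OV needs the CA's EV policy OID, which getpeercert() does not expose.
    """
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if "organizationName" in subject:
        return "OV/EV: organisation verified: " + subject["organizationName"]
    return "DV: domain control only, says nothing about the business"


# Constructed sample: the sloppy payment gateway from the post above.
DV_CERT = {
    "subject": ((("commonName", "paygate.website.com"),),),
    "subjectAltName": (("DNS", "paygate.website.com"),),
}
# Constructed sample: organisation-validated cert with a wildcard SAN.
OV_CERT = {
    "subject": ((("countryName", "ZA"),), (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.examplebank.example"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "*.secure.examplebank.example")),
}
```

With a live connection you would pass the dict from `ssl.SSLSocket.getpeercert()` in place of the samples; a hostname mismatch or a DV result is exactly what the padlock click in the posts above is meant to reveal.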
 
Er, I clearly stated that you'll need to click the certificate's padlock to verify the authenticity of the company and the type of certificate (DV/OV/EV). If it's purely a Domain Validation (DV) certificate (i.e. low trust), it won't tell you anything about the legitimacy of the business.

Ah I apologize, I think I misunderstood what you were trying to say.

Edited my post.
 