HTTPS: Why this alone doesn’t represent enough security
It may seem hard to believe, but there was a time when it was easy to identify whether you were on a secure website or not: all you had to do was check your browser's address bar for the iconic green padlock, a visual representation that the page was protected by Hyper Text Transfer Protocol Secure (HTTPS). HTTPS is basically the conventional HTTP protocol with the addition of an encryption layer.
The issue was very simple: sites that use HTTPS require a Transport Layer Security (TLS) or Secure Socket Layer (SSL) type digital certificate, which, until a few years ago, could only be issued by prestigious certification institutions to those who could afford it. This guaranteed that Company X's site really belonged to Company X. It afforded end users peace of mind, who knew that, thanks to HTTPS, the data traffic between their computers and the final server was protected through encryption.
Times, however, have changed. The use of HTTPS has become a market standard, and with this, access to TLS/SSL certificates has also become much easier. After all, it would be unfair for the web to advance to a level that prevented anyone from having the freedom to make a website available to everyone. Nowadays, any Internet user can generate a certificate without paying a cent, and this naturally includes cybercriminals.
Certified cybercriminals
In 2021, experts pointed out that 91.5% of malware on the Internet was being delivered over connections encrypted with the HTTPS protocol. This figure only underscores that, nowadays, simply checking for the "padlock" to decide if a website is trustworthy no longer cuts it. With the popularization of free certification institutions, a scammer can issue a fake certificate for a malicious page within minutes.
More than generating a random certificate just to make their trap seem more convincing, some criminals can even steal the original certificates of the site or application they’re looking to spoof. This can be done in no time if the fraudster gains privileged access to the server where the original site is located, by simply copying the private cryptographic keys used to sign the authentic certificate.
These days, it seems cybercriminals have zero concern when it comes to "wasting time" issuing (or stealing) certificates for their malicious sites. After all, by default, all browsers already block access to sites that do not offer this basic level of encryption. So working with HTTPS has become key to criminals looking to ensure their fraudulent pages are displayed properly in their victims' browsers.
Tips to protect yourself
Ultimately, the lesson remains the same: don’t use HTTPS as the only indicator that a particular site is secure. Remember to always pay attention to details: Is the domain, that is, the address of the page, correct? Are there signs of a social engineering campaign, such as urgent messages, overly tempting offers, or text spelling errors?
It is worth pointing out that we should always be wary of links received via email or messaging apps. It’s best to manually type the desired site’s address into your browser. Finally, if it is a "new" service or online store, check for recommendations (or possible complaints) from other Internet users before committing to buying or installing something.