One cybersecurity tip you will hear again and again is "ensure that the website you are browsing, or entering confidential information such as usernames, passwords, or credit card information into, uses HTTPS." While this tip is vital to bear in mind when browsing the web, many misunderstand it, and this article seeks to set the record straight.
Simply put, HTTPS means that the website was issued a certificate by a certificate authority (CA), and a pair of cryptographic keys was generated for it. These keys allow the website to encrypt information transmitted between you and the website itself, which protects sensitive data such as your passwords and credit card information from prying eyes while in transit. However, many mistake HTTPS to mean that the website is safe from all types of web-based attacks, which is not the case.
It should be made clear that an issued certificate says nothing about the site itself, as a phishing page or any other malicious site can just as easily get a certificate and encrypt all traffic that flows between you and it. According to an article written by Phishlabs in 2017, a quarter of all phishing attacks are carried out on HTTPS sites. Moreover, more than 80% of users believe that the mere presence of a little green lock and the word "Secure" next to the URL means the site is safe, and they don't think too hard before entering their data.
Still not clear? Let's explore this scenario. You clicked on a phishing link that took you to a fake version of your bank's website, for example. That phony website may use HTTPS, which securely transports your information to the criminals who collect it. Sure, HTTPS ensures that no one else can spy on the data you enter. But your information can still be stolen by the website itself if it's fake.
In conclusion, your biggest takeaway from this article should be that the presence of a certificate and the green lock means only that the data transmitted between you and the website is encrypted and that a trusted certificate authority issued the certificate. It doesn't prevent an HTTPS site from being malicious, a fact that phishing scammers skillfully exploit. So always be alert, no matter how safe the website may seem at first glance. Never enter confidential information such as passwords, banking credentials, or any other personal information on a website if you are unsure of its authenticity. To check the authenticity of a website, you can always check the domain name very carefully, as the name of a fake webpage might differ by only one character.
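The one-character domain check described above can be automated. The following is an added example, not part of the original article: it flags hostnames that sit one edit away from a trusted domain, whether or not the URL uses HTTPS. The trusted domains and URLs are constructed placeholders, and comparing the last labels of the hostname is a simplifying assumption in place of a public-suffix lookup.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user really does business with.
TRUSTED = ["mybank.example", "payments.example"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED):
    """Return (verdict, domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    # urlsplit lowercases the hostname; a URL without a scheme yields no host.
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
    labels = host.split(".")
    for domain in trusted:
        # Compare the same number of trailing labels as the trusted domain has,
        # so "secure.mybannk.example" is judged on "mybannk.example".
        n = domain.count(".") + 1
        if edit_distance(".".join(labels[-n:]), domain) == 1:
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs; every one of them uses HTTPS.
    for url in ("https://www.mybank.example/login",
                "https://mybonk.example/login",
                "https://secure.mybannk.example/",
                "https://weather.example/"):
        print(url, classify(url))
```

A "lookalike" verdict means the padlock alone should not be trusted; an "unknown" verdict only means the domain resembles nothing on the allowlist, not that the site is safe.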