Alisa | February 21, 2019

HTTPS - false sense of security for a common internet user

With this rather provocative heading, today I’ would like to tackle an interesting issue. Namely, a larger question of how particular cyber hygiene topics could create unfounded sense of security in end-users. More specifically, explaining intricacies of HTTPS and HTTP protocol basics to non-IT professionals.

I started having my reservations when I was compiling my first set of training materials on cyber hygiene. Later I have discussed the same question with expert instructors as well, only to reconfirm my doubts on the matter.

Just to be clear, by HTTPS I mean HTTP over TLS. By “false sense of security”, I mean the fact, that HTTPS connection is often referred to as “secure” without much further explanation.

Cyber Hygiene 101, anyone?

Thinking about cyber hygiene training fro non-IT professionals, there is a number of topics that are essential. However, one cannot expect a regular user to observe all the best practices constantly. In fact, even common sense fails from time to time in a rush or under pressure. So, as an instructor, one has to find an optimum point where cyber hygiene behaviour guidelines are brief but comprehensive. Something that is more likely to stick and yield the most results. And this is where I seem to fail miserably when I think of HTTPS.

It seems reasonable to explain a concept and meaning of “closed/green padlock” to cover his topic concisely. But this is where I spot the most dangerous pitfall. By concentrating on keyword “security” in a context of closed padlock icon in address bar, we inevitably divert audience’s attention to this icon and away from the padlock + URL combination. Indeed, combination of padlock and URL must be considered as a whole to make any conclusion with reasonable certainty. Moreover, that too can be insufficient to eliminate risk.

We see, but we do not observe

Nowadays, the situation is possible, when perpetrator creates a visually similar domain name and gets free Domain Validation SSL certificate for it. This recipe yields one totally secure connection to one entirely malicious site. As a result of such manipulations, eager but not tech-savvy user could concentrate on green padlock icon and miss out the fact that the URL is in fact wrong.

Question: how many of your users understand the difference between Domain Validation and Organisation Validation SSL certificates? How many actually implement this knowledge when exploring the web? How often do you yourself take a peek into certificate details under a padlock?

Sophisticated look-alike domains add to this problem. There even padlock + URL combination may trick a user to “lower his deflector shields”.

We’re losing him, doc!

As of February 2019 still only under 50% of websites use https as default protocol, according to W3Tech. Minority, eh? Chances are, your organization has a counterpart, that has its online service (i.e. order-placing system) served over HTTP. In that case a question form the audience is in order: “Does that mean, now we cannot insert our orders at http://example.com ? But how are we supposed to work then?”

And then you need to get really verbose about sensitive data transfer as opposed to simply reading the content, reasonable risk management in organization when it comes to partner e-systems and whatnot. All in all it gets either too techy or too corporatey, wherefore your initial point gets blurred if not forgotten altogether. In my pessimistic world people would keep asking for clarification, eventually instructor would be forced to slide into in-depth explanation of transfer protocols, man-in-the-middle attacks and data encryption, scrambling for good even that little knowledge listeners had in the first place.

Is there a solution?

Pretty morbid picture, right? I wouldn’t want to stand in front of audience without enough background knowledge to be able to convey my point unambiguously. Especially when “security” is a main keyword in the agenda.

Moreover, at this point I probably would entirely forego touching the topic of HTTPS in training materials for non-IT professionals. Unless, I could devote at least 4-5 presentation slides to it. One for theory basics, real-life examples, unfortunate exceptions and organization’s policy (if any). And, of course, enough listeners’ attention span for the notion to stick. =)

Cheers!
Alisa

Cover image by Debby Hudson