The SSL “lock” doesn’t mean you’re safe

Netcraft is reporting that phishing attempts spoofing SSL encryption in the browser are on the rise.

The attacks are using more sophisticated means, including certificates with bank-like names on them. As Netcraft notes, most people will ignore browser messages that say the certificates don’t match. I agree.

The warnings are not specific enough to alarm most people, usually stating that the certificate cannot be validated, or “doesn’t match.” And most folks who decide to look at the certificates don’t care what the domain on the cert says, and/or won’t have a clue what the signatures mean.

We need a concerted effort here to correct this issue. One, browser warnings need to be a lot more prominent, and require the user look at invalid certs and agree to proceed despite non-matching domains. Second, we need to think about moving beyond SSL altogether, as it is less about security than putting some money in the hands of certificate providers anyway.