The little green padlock is one of the elements on which users focus more when determining whether a website is legitimate or not, this is a complete mistake, let’s see, the fact that a browser qualifies as “is safe” to a particular web page or a complete website, does not mean it is safe and the false belief that it is, causes many people to put their information at risk, so let’s see a little more in depth what this is about and how to act to improve the security of our information.
What does "is safe" mean?
Let’s see, the green padlock (which today is more gray than anything else), this occurs when the specific page or entire website works with the HTTPS protocol (HyperText Transfer Protocol Secure) which is the secure version of the HTTP protocol (HyperText Transfer Protocol) and this protocol originates from the merger of the HTTP protocol and TLS and what is TLS, to talk about TLS is necessary to investigate its previous version, SSL.
What is SSL?
SSL stands for Secure Sockets Layer, its function is to implement an encrypted connection between several assets and, consequently, that the information travels in encrypted form, thanks to this, if a cybercriminal manages to capture it, he will not be able to understand it, or so we are promised.
What happened to SSL? It happens that, nowadays it is completely in disuse, SSL managed to reach version 3.0 (having a total of three versions, the 1.0 that was never published due to the huge security errors it had, the 2.0 and the aforementioned), after that version TLS began to be implemented, which is the evolution of SSL, it is not an additional or foreign protocol as you may think.
What is TLS?
TLS stands for Transport Layer Security and, as we mentioned before, it is the evolution of SSL, it is not an alien or separate protocol, it is the evolution, although it is the evolution of SSL, it does not mean that all versions of TLS are secure today, currently TLS has three versions, 1.0, 1.1, 1.2 and 1.3, from 1.2 is that browsers qualify it as secure, from 1.1 downwards (including SSL versions) are not classified as such.
The problem of blindly trusting the little green padlock
We must also understand that cybercriminals have access to buy domains, to rent a hosting, VPS or dedicated server, to create a website from scratch or replicate an existing one and, obviously, to acquire TLS certificates, configure them and have your website rated as “is secure” by the visitors’ browser, of course, it should be using at least TLS 1.2, since as we mentioned before, below this version it is no longer catalogued as secure.
Based on the above information, we can understand that the fact that a website has the green padlock and says that the site “is secure” does not necessarily mean that it is secure, since TLS certificates do not check whether the site is malicious or not, they only improve the security of the information when sending or receiving it.
Therefore, the fact that a website works with the HTTPS protocol (which is the fusion of the HTTP and TLS protocol) and therefore is using a TLS certificate does not mean that it is completely reliable, because it can perfectly be a phishing website that was installed and configured with a TLS certificate, as simple as that, so this element is something that adds up when detecting whether a website is legitimate or not, but it should never be something that determines 100% the veracity of a site in question.
Based on the above information, we can understand that the fact that a website has the green padlock and says that the site “is secure” does not necessarily mean that it is secure, since TLS certificates do not check whether the site is malicious or not, they only improve the security of the information when sending or receiving it.
Therefore, the fact that a website works with the HTTPS protocol and therefore is using a TLS certificate does not mean that it is completely reliable, because it could very well be a phishing website that was installed and configured with a TLS certificate, as simple as that, so this element is something that adds up when detecting whether a website is legitimate or not, but it should never be something that determines 100% the veracity of a site in question.
