Implementing HTTPS on your website is a required step, but the padlock ("Secure") symbol in the browser's address bar does not guarantee that a website is safe from all threats. A phishing site that clones the original website can show exactly the same padlock.
The green lock means that the site has been issued a certificate and that a pair of cryptographic keys has been generated for it. Such sites encrypt information transmitted between you and the site. In this case, the page URLs begin with HTTPS, with the last "S" standing for "Secure." Even that encryption layer is only as good as the server's TLS stack and configuration: unpatched libraries and weak protocol settings leave sites exposed to well-known flaws, and scanners such as MassBleed can sweep an entire CIDR range and flag hosts affected by CVE-2014-0160 (OpenSSL Heartbleed), CVE-2014-0224 (OpenSSL CCS injection, man-in-the-middle), CVE-2014-3566 (POODLE, SSLv3), MS14-066 (Winshock, Microsoft SChannel) or CVE-2016-0800 (DROWN, SSLv2), to name a few.
Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties: ISPs, network administrators, intruders, and so on. It lets you enter passwords or credit card details without worrying about prying eyes. But the problem is that the green lock and the issued certificate say nothing about who operates the site or what it does with your data. A phishing page can just as readily get a certificate (a domain-validated one only proves control of the domain name) and encrypt all traffic that flows between you and it. Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it's fake.
According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites. Moreover, more than 80% of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.
Meaning:
The presence of a certificate and the green lock means only that the data transmitted between you and the site is encrypted, and that the certificate was issued by a trusted certificate authority for the domain name shown in the address bar. It does not prevent an HTTPS site from being malicious, a fact that scammers exploit skillfully. So always be alert, no matter how safe the site seems at first glance.
Never enter logins, passwords, banking credentials, or any other personal information on a site unless you are sure of its authenticity. To do so, always check the domain name, and very carefully: the name of a fake site might differ by only one character. Ensure links are trustworthy before clicking. Always consider what a particular site is offering, whether it looks suspicious, and whether you really need to register on it.

On the defensive side, once the Blue Team has hardened the configuration and you are confident in it, have a Red Team perform penetration testing of your web applications, preferably black-box. That gives you a simulation of real-world attack scenarios, showing how someone could take over your web application, so that you can take the necessary steps to mitigate the risks and minimize the impact if real attackers target your business. There is no silver bullet.
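As an added example (not part of the original article) of the domain-name check recommended above, the following Python script flags lookalike hostnames that could carry a perfectly valid HTTPS certificate: punycode (xn--) labels, Cyrillic or Greek letters standing in for Latin ones, digit-for-letter substitutions, names one edit away from a known brand domain, and a brand name buried in the subdomain of an unrelated domain. The KNOWN_DOMAINS list, the CONFUSABLES table, the sample URLs and the two-label rule for the registrable domain are simplifying assumptions made here for illustration; a production tool would use the Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from typing import List
from urllib.parse import urlsplit

# Constructed sample: brand domains the user or organisation actually trusts (assumption, not a real list).
KNOWN_DOMAINS = ["paypal.com", "example-bank.com"]

# Small illustrative table of characters that render like a Latin letter.
# Assumption: not a complete confusables database (Unicode publishes the full one).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "1": "l",       # digit one for lowercase L
    "0": "o",       # digit zero for lowercase O
}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so the checks see the characters the browser would render."""
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Collapse lookalike characters to the Latin letters they imitate ('paypa1' and 'p\u0430ypal' -> 'paypal')."""
    s = unicodedata.normalize("NFKC", to_unicode_host(host).lower())
    s = s.replace("rn", "m")  # 'rn' reads as 'm' at small sizes; handle the two-char sequence first
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution away from a brand is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Assumption: a real tool consults the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def check_domain(host: str, known=KNOWN_DOMAINS) -> List[str]:
    """Return the reasons a hostname looks like an impersonation; an empty list means no name-based finding."""
    findings = []
    host = host.rstrip(".").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: rendered name differs from the ASCII form")
    uni = to_unicode_host(host)
    if any(unicodedata.name(ch, "").startswith(("CYRILLIC", "GREEK")) for ch in uni):
        findings.append("non-Latin letters mixed into a Latin-looking name")
    reg = registrable(uni)
    for brand in known:
        if reg == brand:
            continue  # same registrable domain as the brand: nothing to flag on the name
        if skeleton(reg) == skeleton(brand):
            findings.append(f"homoglyph or digit lookalike of {brand}")
        elif levenshtein(skeleton(reg), skeleton(brand)) == 1:
            findings.append(f"one edit away from {brand}")
        if brand.split(".")[0] in uni.split(".")[:-2]:
            findings.append(f"{brand} used as a subdomain of {reg}")
    return findings


def check_url(url: str) -> List[str]:
    """Convenience wrapper: pull the hostname out of a URL and check it."""
    return check_domain(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed sample URLs; every one of these could show the browser padlock.
    for url in ["https://login.paypal.com/signin",
                "https://paypa1.com/",
                "https://p\u0430ypal.com/",
                "https://paypal.com.evil-example.com/login"]:
        print(url, "->", check_url(url) or "no name-based finding")
```

The script deliberately checks the name as the browser would render it (after decoding punycode), because the certificate is issued for the ASCII form while the user only ever sees the rendered one; a finding here is a reason to stop and verify the site out of band, not proof that it is fake.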