This is a topic I consider important enough to abandon the “non-commercial-only” policy of BeyondJava.net. I hardly ever quote from or link to professional web pages unless they are so ubiquitous you can’t avoid them or there’s a good reason to do so. Web security definitely is one of the best reasons. Today, Wordfence – a professional company providing a popular WordPress security plugin – has published an interesting blog post about the green “secure” bar in your browser’s URL.
Secure vs. safe
Cutting a long story short, “secure” doesn’t mean the same as “safe”. That’s particularly annoying for Spanish and German users because these languages don’t distinguish between secure and safe. (Chances are that this holds true for many, if not most, other languages, too). Users read a green “secure” in the address bar and feel “safe”.
But in reality “secure” means that the connection between the client and the server is secure. That’s great. It means that nobody sitting between the two can read the messages or tamper with them. But that’s all it means. It does not prevent the server itself from being malicious.
Revoking security certificates
The good news is that when a malicious website is discovered, the certificate guaranteeing the security of the connection usually is revoked, and the server is added to a blacklist. But that takes time, and it’s not guaranteed it’ll ever happen for a particular malicious website. Plus, Wordfence reports that the revocation of a certificate does not, or not always, result in a red address bar. You can see the revocation, but this information is buried in the developer tools. In other words, it’s invisible to most casual users.
It’s a good thing that Google has added the “secure” and “insecure” bars to the browser’s address bar, but that doesn’t mean you don’t have to be careful. Keep looking at the address bar. Keep looking for anomalies. Nowadays, fake URLs are increasingly clever, but even so, you can spot most of them if you’re alert. The Wordfence blog covers the topic in much more detail and has a few interesting examples of fake URLs.
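To make “keep looking for anomalies” a little more concrete, here is an added example of the kind of address-bar checks a reader can apply by eye (or a browser extension can automate). It is not code from the original post or from Wordfence. The brand list, the domain names and the “last two labels form the registrable domain” rule are constructed assumptions for illustration; a real checker would consult the Public Suffix List and the user’s own bookmarks.

```python
"""
Added example (not from the original post or from Wordfence): an offline
checker that flags address-bar anomalies which a green "secure" indicator
does not rule out. Heuristics are deliberately simple; treat every
warning as "look closer", not as proof of a fake site.
"""
from urllib.parse import urlsplit
import unicodedata

# Assumption: the sites the reader actually uses, keyed by the registrable
# domain they expect to see. Constructed placeholder values.
KNOWN_BRANDS = {"example-bank.test": "Example Bank"}


def registrable_domain(host):
    """Simplified assumption: the last two labels are the registrable domain
    (a real implementation would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scripts_in(label):
    """Return the set of Unicode script families used by the letters in a
    host-name label, e.g. {'LATIN'} or {'LATIN', 'CYRILLIC'}."""
    families = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # digits and hyphens are script-neutral
        name = unicodedata.name(ch, "")
        if name:
            families.add(name.split(" ")[0])
    return families


def analyse_url(url):
    """Return a list of human-readable warnings for the given URL.
    An empty list means none of the heuristics fired."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # 1. No TLS at all: the browser would show "not secure" here anyway.
    if parts.scheme != "https":
        warnings.append("connection is not encrypted (no https)")

    labels = host.split(".")

    # 2. Internationalised labels are shown as punycode by many browsers;
    #    worth a second look because they can resemble familiar names.
    if any(label.startswith("xn--") for label in labels):
        warnings.append("host name contains punycode (internationalised label)")

    # 3. A single label mixing scripts (e.g. Latin plus Cyrillic letters)
    #    is almost never a legitimate site name.
    for label in labels:
        if len(scripts_in(label)) > 1:
            warnings.append(f"label '{label}' mixes scripts")

    # 4. Anything before '@' is a user name, not the host; the real host is
    #    whatever follows it.
    if parts.username is not None:
        warnings.append(f"URL carries credentials before '@'; the real host is {host}")

    # 5. A known brand name appearing somewhere in the host while the
    #    registrable domain is something else entirely.
    reg = registrable_domain(host)
    for brand_domain in KNOWN_BRANDS:
        brand_label = brand_domain.split(".")[0]
        if brand_label in host and reg != brand_domain:
            warnings.append(
                f"'{brand_label}' appears in the host but the site is actually {reg}"
            )
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://www.example-bank.test/login",
        "https://example-bank.test.login-portal.test/",
        "https://ex\u0430mple-bank.test/",  # constructed: Cyrillic 'а'
    ):
        print(sample, "->", analyse_url(sample) or "no warnings")
```

Every one of these URLs could be served with a valid certificate and a green “secure” indicator; the checker only looks at what the address bar shows, which is exactly the part the TLS padlock says nothing about.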