When HTTPS Doesn’t Mean Safe — A Thumbs Down to Free SSL

Nishi Agrawal
4 min read · Feb 10, 2020


More than 90% of web traffic across Google is now served over HTTPS; put another way, only about one in every ten sites visited through Chrome on Windows is still loaded without it. That is a remarkable accomplishment, given that only half the web used HTTPS five years ago.

SSL certificates have become standard, and users have learned to associate the green padlock with a trustworthy site. How could it be otherwise, when the "S" at the end of "HTTPS" is read as "safe"? But "safe" is a generic term, and to many people it means far more than it should.

HTTPS encrypts sensitive information in transit between a user's browser and the website's server, for example when a payment form is filled in online. Without an SSL certificate to protect it, that personal information travels in plain text and becomes easy prey for cyber-criminals.

The TLS protocol does an excellent job of protecting users in this respect, but transport encryption is only a narrow part of web security. Sadly, many still see the padlock and the "S" as final proof that a website is legitimate.

The introduction of free SSL certificates, and the confusion about what they actually guarantee, has played right into the hands of the hackers.

How did free SSL certificates become a double-edged sword?

Who doesn't love free things? And few question them when they are sponsored by Google, Mozilla, and Facebook. Google revealed in 2014 that it planned to push for encryption of the web as a whole. Let's Encrypt, an open certificate authority, released its free SSL certificates in the same year. With such well-known supporters it became the pioneer of free encryption and had signed over 380 million certificates within its first three years.

Hosting companies today include Let's Encrypt or AutoSSL in their hosting packages. Even cyber-criminals and scammers can obtain free SSL certificates, because issuance only verifies control of the domain, not who is behind it. Not surprisingly, online thieves use free SSL certificates in their phishing schemes; such certificates now protect nearly 60% of phishing sites. These figures will only increase in the coming years, and nothing is worse than that. When the FBI must step in, you know the situation is out of hand.

Federal Bureau of Investigation (FBI) issues warning about HTTPS Phishing

The FBI has made the following recommendations to reduce the number of phishing victims:

  • Don't blindly trust the sender name on an email; question the purpose of its content.
  • When you receive a suspicious e-mail containing a link from an unknown source, confirm that the e-mail is genuine by calling or e-mailing the contact before acting on it.
  • Check for misspellings or incorrect domains within a link (e.g., an address that should end in ".gov" but ends in ".com" instead).
  • Do not trust a website just because it shows a lock icon and "https" in the browser address bar.

The FBI's warning is a stark reminder, to certificate authorities and browser vendors alike, to re-evaluate the security indicators we look for and rely on.

Google Chrome plans to phase out the SSL padlock icon

In Google's view, safe websites should be the standard on the internet. Even though phishers benefit from it, the company has done an excellent job on encryption so far. Once something becomes familiar, there is no need to keep reminding anyone of it. That, at least, is what Google believes.

Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure.

Emily Schechter, Product Manager, Chrome Security

Google dropped the 'Safe' label in Chrome 69, and the padlock will also be removed sooner or later. This makes perfect sense in an ideal world, but that is not the end of the story: some will argue that, once the padlock is gone, phishing sites using free SSL certificates are even better disguised.

Extended Validation Certificates prevent phishing

Extended Validation certificates, EV certificates for short, are still quite young in the SSL industry. The first version of the EV guidelines was approved by the CA/Browser Forum in 2007. The EV SSL certificate became a critical security element for large companies and financial institutions.

One of the most important features of an EV SSL certificate is the well-known green address bar showing the company's name next to the URL. That green bar in the address area is more than just a nice place to display your business name. Because EV certificates verify the company's identity, they also help prevent phishing attacks: customers can recognise that the website in front of them is the genuine one. In addition, since an EV certificate requires a thorough check of the legal status of the business or organization behind a website before it is issued, there is no possibility of a fake EV certificate being issued.
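The practical difference between the free certificates described above and EV certificates is visible in the certificate's subject: a domain-validated certificate names only the host, while an OV/EV certificate also names a verified organization. The following added example (not part of the original post) shows how to read that out of a certificate in the dictionary layout Python's ssl.getpeercert() returns, and how to check that the host in a link is actually covered by the certificate; the two sample certificates are constructed for the demo and are not real certificates.

```python
import socket
import ssl
from typing import Optional

def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live handshake: returns the validated peer cert as ssl.getpeercert() parses it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def subject_field(cert: dict, key: str) -> Optional[str]:
    """Walk the ((('key', 'value'),), ...) subject structure for one attribute."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def san_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN; a wildcard covers only the left-most label."""
    host = hostname.lower()
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        p = pattern.lower()
        if p.startswith("*."):
            if host.count(".") == p.count(".") and host.endswith(p[1:]):
                return True
        elif p == host:
            return True
    return False

def validation_level(cert: dict) -> str:
    """A DV cert (Let's Encrypt, AutoSSL) names no organization in its subject; OV and EV
    certs do. getpeercert() does not expose policy OIDs, so OV and EV are not told apart."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"

def assess(expected_host: str, cert: dict) -> dict:
    """Combine the two checks the padlock alone does not give you."""
    return {"host_matches": san_matches(cert, expected_host),
            "validation": validation_level(cert),
            "organization": subject_field(cert, "organizationName")}

# Constructed sample certs in getpeercert() layout (not real certificates).
DV_CERT = {"subject": ((("commonName", "example.net"),),),
           "issuer": ((("organizationName", "Let's Encrypt"),),),
           "subjectAltName": (("DNS", "example.net"), ("DNS", "*.example.net"))}
EV_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),)),
           "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
```

Calling assess("www.example.com", fetch_peer_cert("www.example.com")) performs the same check against a live site; the sample dictionaries let it run offline.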

Final Words

Web security has improved thanks to free and affordable SSL certificates; for a few years now it has been much easier to exchange sensitive data securely across the network. The availability of free SSL certificates, however, has also brought gloom. Phishers exploit free SSL certificates, and their sites are harder to detect and tough to prevent. Industry experts continue to raise users' awareness of encryption, and that is why it is so important to stress that HTTPS alone is not an indicator of an authentic website unless an EV certificate is installed.


Management student and digital marketing enthusiast, interested in web security and internet topics. A young mind with creative thinking capabilities.