Phishing has hit the halfway point on encryption. This means that being TLS-encrypted is no indication a site is real or not (its an indication that it is exactly what it says it is, but not what it might appear as).
Ironically, they might be stronger than the average web site. If we look at whynothttps.com, we find some big ticket names that are not encrypted. I’m looking at you bbc.com (interestingly they do support encryption, but don’t turn it on unless you force it). There’s a workaround (install HTTPS Everywhere as a chrome add-on).
Now, the percent of pages fetched, and of browsing time, is high. See the Google Transparency report. But this is an 80/20 type thing. A small number of sites capture the majority of time, but its the other sites that you get phished and leaked from.
Lets take a look by country. For Canada, there’s a set of non-https sites. Some are owned by our federal government (http://www.cic.gc.ca/). Who’s up for taking their favourite site, checking whether it:
- Is available in HTTPS
- Is *only* available in HTTPS (or redirects all non HTTPS to the HTTPS version)
- Has HSTS enabled?
- Has a strong certificate?
Its easy, head on over to https://www.ssllabs.com/ssltest/analyze.html and run a quick check. If its not an A, maybe write to their IT admin and ask why not.
Leave a Reply