Can a cloned page have HTTPS certificates?



  • Imagine that a hacker is cloning Twitter or Facebook. The attacker uses his own website, but it is going to be HTTP, right? So can he have the certificates that ensure that his website is "secure" showing the green confirmation before the url in the browser?



  • ... have the certificates that ensure that his website is "secure" showing the green confirmation before the url in the browser?

    It is still a common misconception that certificates ensure that a website is "secure".

    Certificates and use of HTTPS do not say anything about the inherent security of a website. What they do instead is to protect the communication between the client (browser) and the server (website) against sniffing or manipulation by an attacker. Use of certificates also makes sure that the website displayed is actually the one which is shown in the URL bar.

    But it does not make sure that it is actually the site you believe it is or the site you've intended to visit. It does not protect against cloned sites or look-alike sites or similar looking domain names. Certificate issuers (CA) don't control what content is served on the domain, i.e. it is easy to get a certificate for sites serving malware, look-alike sites asking for your password (i.e. credential phishing) etc.

    Certificates and HTTPS protect against insecure networks, like open WiFi hotspots or malicious internet providers. They don't protect against malicious websites though.
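
Added example, not part of the original posts: because a valid certificate only confirms the name shown in the URL bar, a defender-side check has to examine that name itself. This sketch classifies a hostname against an allowlist; `TRUSTED`, `classify`, the thresholds and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: the allowlist and hostnames below are constructed for illustration.
TRUSTED = {"twitter.com", "facebook.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname: str, trusted=TRUSTED):
    """Return (verdict, related_trusted_domain) for a URL-bar hostname."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Assumption: the last two labels form the registrable domain. Real code
    # should use the Public Suffix List (e.g. for names under co.uk).
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return ("trusted", registrable)
    # Non-ASCII or punycode labels can hide homoglyphs; send to manual review.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("idn-review", None)
    for domain in sorted(trusted):
        brand = domain.split(".")[0]
        # Trusted name used as leading labels of someone else's domain.
        if host.startswith(domain + ".") or f".{domain}." in host:
            return ("lookalike-prefix", domain)
        # Heuristic threshold: one or two character edits from a trusted name.
        if edit_distance(registrable, domain) <= 2:
            return ("lookalike-typo", domain)
        if brand in host:
            return ("lookalike-brand", domain)
    return ("unrelated", None)

if __name__ == "__main__":
    for h in ["mobile.twitter.com", "twltter.com", "twitter.com.login.example",
              "facebook-login.example", "tw\u0456tter.com", "example.org"]:
        print(f"{h!r:32} -> {classify(h)}")
```

Every non-trusted hostname in the sample list could be served over HTTPS with a valid certificate; the verdict depends only on the name, which is the part the certificate actually vouches for.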

