When you see a little green lock with the word ‘Secure’ to the left of a URL, you’re likely to assume the site is safe.Ditto for the words “this site uses a secure connection”
or a URL beginning with the letters ‘https’.
While more and more sites are switching to HTTPS, those ‘secure’ symbols don’t
guarantee that a website is safe from all threats.
A phishing site, for example, can legitimately display that comforting green lock next
to its ‘https’ address.
The green lock means that a site has been issued a certificate and a pair of
cryptographic keys have been generated for it, encrypting any information transmitted
between you and the site.
Like in our case we are using COMODO CA certificate for HTTPS connection.
if you click on the ‘more information‘ in Firefox it will show you detailed information about the certificate and used encryption algorithms.
The problem is that the green lock and the issued certificate.say nothing about the site
A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it. Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it’s fake.
You are easily able to check Spam Website with www.scamadviser.com, it will show you trust rating of that website.
If the address bar shows no lock at all, that means the website does not use encryption, and any information it exchanges with your browser uses standard HTTP.
Although Google Chrome has started tagging such websites as unsafe, they might, in fact, be squeaky clean–they just don’t encrypt traffic between you and the server.
I will recommend you to read An overview of Transport Layer Security (TLS) 1.3 if you are looking for depth knowledge of HTTPS.
However, most website owners don’t want Google to label their websites as unsafe, so more and more are migrating to HTTPS.
In any case, entering sensitive data on an HTTP site is a bad idea because anyone can spy on it.
If you want’s to Test Your site’s certificate and configuration, browser SSL implementation and How other websites are doing, just visit https://www.ssllabs.com/
Does a padlock icon mean a site is completely safe to use?
In fact, the majority of web applications are insecure, despite the widespread
usage of SSL technology and the adoption of regular PCI scanning. Visit Open Web Application Security Project to find the Top web application attacks.
Broken authentication:- This category of vulnerability encompasses various defects within the application’s login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login.
Broken access controls:- This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users’ sensitive data held on the server or carry out privileged actions.
SQL injection:- This vulnerability enables an attacker to submit crafted input to interfere with the application’s interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
Cross-site scripting:- This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
Information leakage:- This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.
Cross-site request forgery:- This flaw means that application users can be induced to perform unintended actions on the application within their user context and privilege level. The vulnerability allows a malicious web site visited by the victim user to interact with the application to perform actions that the user did not intend.
SSL is an excellent technology that protects the confidentiality and integrity of data in transit between the user’s browser and the web server. It helps defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server he is dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do.
Specifically, it does not prevent any of the vulnerabilities just listed, or many others that can render an application critically exposed to attack. Regardless of whether they use SSL, most web applications still contain security flaws.