Are Secure Web Sites Truly Secure?
You need to access your bank account online, so you visit the bank's website. But before you enter your name and password, you glance at the top of your browser window. The green color, the padlock icon, and the URL beginning with https reassure you that you have a safe connection.
But do you? In recent months, the people working to keep the Internet secure have faced an unpleasant reality. As Steve Roosa put it in a Law Technology News article, "In 2011…, SSL was hacked to the bone, on multiple occasions, calling into serious question whether companies can still rely on SSL to communicate securely across the web."
Criminal masterminds successfully broke SSL by hacking at least one of the institutions—called Certificate Authorities (CAs)—that act as the ultimate official authorities on whether a secure website really is what it claims.
CAs do this by handing out certificates, which are basically vouchers that the sites are on the up-and-up. When you visit a secure site, your browser checks the certificate, and only if it's in order does it create a secure connection.
This worked quite nicely until someone successfully broke into servers belonging to DigiNotar, one of the major CAs. This hacker of ill repute was able to issue fraudulent certificates that could give you a nice, safe, encrypted connection to criminals masquerading as your bank.
It's difficult to say at this point how big a danger this could be for the average user. Remember that before your browser can be fooled into thinking that the wrong site is safe, it has to be sent to the wrong site in the first place. In most cases, the forged certificate would have to work in conjunction with a phishing scheme.
That gives you all the more reason to keep your guard up. Any edition of Trend Micro's Titanium will block access to and downloads from malicious web sites. But you're safer with Titanium Maximum Security, which can find and block malicious links in emails, as well as block spam.