Is web phishing HTTP or HTTPS?

Overview

Web phishing is one of the most frequently used attack methods. In a phishing attack, the attacker creates a fake website that imitates a legitimate one. The fake website is typically used to steal sensitive information from victims, such as login credentials, credit card details and other personal data.

A common perception is that phishing websites always use plain HTTP. But is that really the case? Do phishing websites never use HTTPS?

HTTP vs HTTPS

HTTP

HTTP (Hypertext Transfer Protocol) is the protocol used to transfer data on the web. Plain HTTP is not secure because the data it carries is not encrypted: anyone positioned to observe the connection, for example through a Man-in-the-Middle (MitM) attack or by sniffing network traffic, can read it.

HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It wraps HTTP in SSL/TLS encryption, so the data is encrypted by the browser before it is sent and decrypted by the server after it is received. This makes it much more difficult for an attacker to eavesdrop on the connection and steal data in transit.

Are HTTPS sites safe?

HTTPS itself does not guarantee that a website is legitimate or safe. It only guarantees that the data transferred between the browser and the server is encrypted. Phishing websites can use HTTPS to trick victims and make the site appear more legitimate.

Let’s Encrypt is a very popular free SSL/TLS certificate provider that has greatly helped improve web security; even companies such as Shopee use its certificates. With Let’s Encrypt, anyone can easily obtain a free SSL/TLS certificate for their website. This is a positive step for web security overall, because HTTPS protects user data from attacks such as sniffing and MitM.

[Figure: Let’s Encrypt (LE) certificate in use on Shopee]

However, the same free SSL/TLS certificates can also be obtained by attackers and used to serve phishing websites over HTTPS.

Phishing Websites

[Figure: Example phishing website. Example of a phishing URL using HTTPS and the use of deceptive subdomains]

Phishing websites can use either the HTTP or the HTTPS protocol. The use of HTTPS on a phishing website does not make it safe or more legitimate. Attackers can easily obtain free SSL/TLS certificates from services such as Let’s Encrypt and use them to encrypt their phishing websites so that they appear more valid and convincing. A certificate of this kind is domain-validated: it proves only that the requester controlled the domain name when the certificate was issued, not who operates the site or whether it is trustworthy.

Therefore, it is important not to rely on the protocol (HTTP or HTTPS) alone to decide whether a website is safe. Always check the website URL carefully, look for the usual signs of phishing, and be cautious of phishing attempts that use more advanced techniques.
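The figure above points at deceptive subdomains, and the paragraph says to check the URL rather than the padlock. The following Python example, added here and not part of the original article, shows how a defender can check a URL mechanically: it extracts the host, finds the registrable domain (the part an attacker actually had to register), and flags a URL when a protected brand name appears anywhere in the visible host or userinfo but the registrable domain is not one the brand owns. The scheme is reported but deliberately never influences the verdict. The brand name "example-bank", its legitimate domain and all sample URLs are constructed for this example, and the two-label approximation of the registrable domain is a simplification (a real tool would consult the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Brands to protect, mapped to the registrable domains they legitimately use.
# Both the brand and the domain set are constructed for this example.
KNOWN_BRANDS = {
    "example-bank": {"example-bank.com"},
}


def is_ip_literal(host):
    """True if the host is a raw IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Return the last two labels of a host name.

    Simplification: every public suffix is treated as a single label, so a
    name such as 'shop.example.co.uk' would be reduced to 'co.uk'. Production
    code should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyse_url(url):
    """Describe why a URL looks suspicious, independent of http vs https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # 'brand@attacker-host' trick: everything before '@' is ignored by the browser
    # when choosing the server, but it is what a hurried reader sees first.
    if parts.username is not None:
        findings.append("userinfo '%s@' placed before the real host" % parts.username)

    if is_ip_literal(host):
        reg = host
        findings.append("host is a raw IP address")
    else:
        reg = registrable_domain(host)

    # Everything the user may glance at: userinfo plus host.
    visible = (parts.username + "@" if parts.username else "") + host
    for brand, legit_domains in KNOWN_BRANDS.items():
        if reg in legit_domains:
            continue  # the brand really owns the registrable domain
        if brand in visible:
            findings.append(
                "brand '%s' appears in the URL but the registrable domain is '%s'"
                % (brand, reg)
            )

    return {
        "scheme": parts.scheme,      # reported only; never part of the verdict
        "host": host,
        "registrable_domain": reg,
        "suspicious": bool(findings),
        "findings": findings,
    }


def suspicious_urls(urls):
    """Return the subset of urls that analyse_url flags."""
    return [u for u in urls if analyse_url(u)["suspicious"]]


# Constructed sample URLs; none of these hosts are real sites.
SAMPLE_URLS = [
    "https://accounts.example-bank.com/login",                   # brand owns the domain
    "https://accounts.example-bank.com.secure-login.xyz/login",  # brand only in a subdomain, over HTTPS
    "http://example-bank.com.verify-account.top/login",          # same trick over plain HTTP
    "https://login.example-bank.com@198.51.100.7/",              # brand in userinfo, real host is an IP
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyse_url(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print("%-10s %-5s %s" % (verdict, result["scheme"], sample))
        for finding in result["findings"]:
            print("           - " + finding)
```

Running the script prints one line per sample; the first URL passes, the other three are flagged, and the HTTPS phishing URL is flagged for exactly the same reason as its HTTP twin, which is the point of the article.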

Conclusion

Phishing websites can use either the HTTP or the HTTPS protocol, and the use of HTTPS does not make them safe or legitimate. HTTPS only guarantees that the data transferred between the browser and the server is encrypted; it says nothing about whether the website is legitimate or safe. Always be cautious of phishing attempts, check URLs carefully, and never enter sensitive information into a suspicious website. Do not rely on the protocol (HTTP or HTTPS) alone to decide whether a website is safe.

So, do not fall for the perception that phishing websites must use HTTP. Be aware of phishing attempts that use more advanced techniques such as AiTM (Adversary-in-the-Middle) and HTTPS to deceive victims. Attackers use many different techniques to steal sensitive information from potential victims.