This node was originally added in response to Action-9

GeorgeStaikos (KDE), BobLord (Red Hat), and AmirHerzberg have all written about the problem described here. The contents of this node are mostly just a collation of examples they've collected and/or already written about.

Problem Description

Content providers (typically bank sites) have login pages which lack SSL/TLS security and for which browsers do thus not display a padlock icon in the taskbar. Lacking that padlock indicator in the browser chrome, many of these same sites instead display a padlock icon somewhere in the actual login page content (near the login form). That represents a misappropriation of the convention of the padlock as a trust/security indicator -- a misuse designed to give the user a greater sense of security but that actually only gives users a false sense of security.

This problem devalues attempts of browser vendors and security experts to educate users to "check for the padlock". Users begin to trust any page that displays a padlock icon somewhere on the page -- even if the browser address bar displays no padlock (because that's that these bank sites are teaching them to do).

That in turn makes it much easier for fraudsters to construct phishing sites that have login pages with the same level of apparent trust value as the actual bank login pages (that is, pages for which no lock icon is displayed in the browser address bar but that have a lock icon on the phishing page in exactly the same place the real bank-site login page has its padlock).

Examples from Bob Lord

Bob's comment

"Even pros cannot tell the difference between real sites and phishing sites as long as the real sites behave like phishing sites."

Example from George Staikos

Login page for Air Canada site. No SSL/TLS, but note the padlock icon and statement, "Your personal information is encrypted..."

Examples from Amir Herzberg

See also AmirHerzberg, Phishing and Spoofing FAQ. Especially see the Is Padlock OK section, which asks the question, "My bank's site says 'protected by SSL' and/or displays padlock sign; is it protected?" and for which Amir's answer is:

And find more good writing on this topic by Bob Lord in the phishing tag on his blog, especially these entries:

See Also

BobLord also quotes from a related paper by Aaron Emigh that's worth reading, Online Identity Theft: Phishing Technology, Chokepoints, and Countermeasures