I laughed when I saw a recent phishing email. Not so much because it was a new technique - it wasn’t. It was your old generic phishing scheme with SSL put in the middle of it: leo.ne.jp/ssl/onlinebanking.capitalone.com. But it suddenly occurred to me: one thing I have heard many security people say when they are trying to explain best practices in web surfing to newbies is “look for SSL”. The term SSL means absolutely nothing to most people outside of the internet technology/security space. They may understand that “https” means it’s secure, or that the “little lock thingy” in the corner makes them safe, but they don’t know why, and they probably have no clue that it’s SSL in the back end. So why do we tell them to look for it?
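The URL in that email makes the point concretely: the word “ssl” and the bank’s name both sit in the path, while the host that actually answers the request is leo.ne.jp. What a defender (or a mail filter) should check is the registrable domain of the host, not whether reassuring words appear somewhere in the string. The following Python is an added example written for this post, not code from the original; the public-suffix table, brand list and lure-word list are constructed for illustration (real code would use the full public suffix list and the organisation’s own brand inventory).

```python
from urllib.parse import urlsplit

# Constructed for this example: a tiny stand-in for the public suffix list,
# the brands we care about, and the words phishers like to sprinkle into URLs.
PUBLIC_SUFFIXES = {"com", "net", "org", "jp", "ne.jp", "uk", "co.uk"}
WATCHED_BRANDS = ("capitalone", "paypal")
LURE_WORDS = ("ssl", "secure", "login", "onlinebanking", "verify")


def registrable_domain(host):
    """Return the registrable domain: one label above the longest matching public suffix.

    leo.ne.jp -> leo.ne.jp, onlinebanking.capitalone.com -> capitalone.com
    """
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def analyse_url(url):
    """Split a URL into the part that identifies the site and the part anyone can write.

    The verdict depends only on where the brand name appears: in the registrable
    domain (fine) or in the subdomain, path or query (suspicious). Lure words and
    the https scheme are reported but deliberately do not decide the verdict.
    """
    if "://" not in url:            # the post quotes the URL without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    registrable = registrable_domain(host)

    # Everything to the left of the registrable domain is attacker-controlled text,
    # exactly like the path and query string.
    subdomain = host[: -len(registrable)].rstrip(".") if host.endswith(registrable) else host
    outside_host = " ".join([subdomain, parts.path.lower(), parts.query.lower()])

    brand_in_registrable = any(b in registrable for b in WATCHED_BRANDS)
    brand_outside = sorted(b for b in WATCHED_BRANDS if b in outside_host)
    lure_words = sorted(w for w in LURE_WORDS if w in outside_host)

    return {
        "host": host,
        "registrable": registrable,
        "https": parts.scheme == "https",
        "brand_outside_host": brand_outside,
        "lure_words": lure_words,
        # A watched brand named outside the registrable domain, by a site that is
        # not that brand, is the pattern the post describes.
        "suspicious": bool(brand_outside) and not brand_in_registrable,
    }


if __name__ == "__main__":
    for u in ("leo.ne.jp/ssl/onlinebanking.capitalone.com",
              "https://onlinebanking.capitalone.com/login"):
        print(u, "->", analyse_url(u))
```

The legitimate bank URL trips the lure-word list too (“onlinebanking”, “login”), which is why the verdict ignores those words: they are exactly the vocabulary the post says consumers have been trained to find comforting. Only the registrable domain is evidence of who you are talking to, and the check still flags the phish when it is served over https.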
This all goes back to my distaste for consumer education. In this case our education is working wonderfully. The consumers are looking at that nice little “ssl” word and poof, they must be secure! They’ve never seen it before and they have no idea what it means, but they know that they’re secure now. I think it would behoove the security industry to stop chastising people for being stupid when we are the ones who are misleading or miscommunicating to them in the first place. Besides, we need to come up with something more secure than SSL anyway.