Phishing sites with validly issued certificates pass Chrome's HTTPS check and are marked "Secure"

Apr 5, 2017 23:32 GMT  ·  By

The "Secure" label Chrome shows next to the address bar does not mean a website is also safe to visit, because certificate authorities (CAs) are issuing perfectly valid TLS (SSL) certificates to phishing sites.

According to a report from WordFence, a WordPress security company, certificate authorities are issuing certificates to phishing sites that impersonate other sites. These are typically domain-validated certificates: the CA checks only that the applicant controls the domain name, not what that domain is used for or which brand it resembles.

Of course, this isn't exactly new, although the cases differ. Google is currently "punishing" Symantec by moving to distrust its certificates, but that dispute is about certificates Symantec and its partners issued without proper validation, which is a mis-issuance problem. Let's Encrypt, the free, open, and automated CA, has also issued thousands of certificates for domains containing "PayPal" in their name that were used for phishing; those certificates were not mis-issued, since the applicants did control the domains, which is all a domain-validated certificate attests.

Regardless of how and why this happens, the reality is that these certificates are valid for the domains they name, so Chrome and other browsers report the sites as secure.

As you may know, both Chrome and Firefox are transitioning towards marking all plain HTTP connections as insecure; Chrome 56 already flags HTTP pages that collect passwords or credit-card numbers as "Not secure." By default, however, they also mark every HTTPS website as "secure," which is not the same as "safe."

Caution is key

"In Chrome, when you see 'Secure' in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. It also means that the person who installed the certificate on the website actually owns the site domain. It does not mean that the domain is 'Trusted', 'Safe', 'Not malicious' or anything else," WordFence explains.

What's more, even after the CA revokes the certificate once it realizes there's a problem, Chrome still shows the site as "Secure." The certificate's revoked status is visible in Chrome's developer tools, so Chrome has the information but does not reflect it in the address bar. The reason is that Chrome does not perform online revocation checks (OCSP queries or CRL downloads) for ordinary certificates by default; it relies on CRLSets, a small curated list of revocations that Google pushes to the browser, and a freshly revoked phishing certificate is normally not on it. It's not just Chrome's fault, however: certificate revocation as deployed on the web is widely regarded as broken, as many experts have pointed out over the years, because online checks are slow, leak browsing activity to the CA, and browsers that do perform them soft-fail, treating a certificate as valid whenever the check cannot complete.
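As an added example (not code from the article, WordFence, Google or any browser), the following Go program uses only the standard library's crypto/x509 to play out the two points above: a toy CA issues a domain-validated style certificate for a lookalike hostname, standard chain validation passes, the CA then revokes the certificate, chain validation still passes, and only an explicit CRL check reports the revocation. The CA, the serial numbers and the hostname paypal-secure-login.example (a reserved .example TLD, not a real site) are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup failures; the error handling that matters lives in IsRevoked.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl with a fresh key, signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewCA creates a constructed self-signed root allowed to sign both certificates and CRLs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA (example only)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueServerCert mimics domain validation: the CA asserts only control of host, so a lookalike name is issued like any other.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// ChainTrusted is what the padlock reflects (chain to a trusted root, validity window, hostname match); it never consults revocation data.
func ChainTrusted(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// RevokeCert has the CA publish a DER-encoded, signed CRL listing the leaf's serial number.
func RevokeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:                    big.NewInt(1),
		ThisUpdate:                time.Now().Add(-time.Minute),
		NextUpdate:                time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey)
}

// IsRevoked is the check Verify leaves to the caller: a CRL that does not parse, is not signed by the issuer or is stale is an error ("unknown"), never "good".
func IsRevoked(crlDER []byte, issuer, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err == nil && time.Now().After(crl.NextUpdate) {
		err = fmt.Errorf("CRL stale since %s", crl.NextUpdate)
	}
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	host := "paypal-secure-login.example" // constructed name; .example is a reserved TLD
	ca, caKey := NewCA()
	leaf := IssueServerCert(ca, caKey, host)
	fmt.Println("chain validates ->", ChainTrusted(leaf, ca, host) == nil)
	crl := must(RevokeCert(ca, caKey, leaf))
	fmt.Println("still validates after revocation ->", ChainTrusted(leaf, ca, host) == nil, "| CRL says revoked ->", must(IsRevoked(crl, ca, leaf)))
}
```

A browser without revocation data stands exactly where ChainTrusted does. IsRevoked deliberately returns an error for a CRL it cannot parse, verify or consider fresh instead of answering "not revoked"; treating that unknown state as "good" is the soft-fail behaviour that keeps a revoked phishing site showing a padlock.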

This means you have to look carefully at every site you visit, starting with the actual domain name in the address bar, no matter what your browser's padlock tells you.