When a small padlock appears in the corner of your Web browser's address bar or the entire bar turns green, it seems like a powerful signal you're safe to proceed.
But experts say the SSL certificates those green lights signify — digital stamps of approval that Web sites buy to prove they're running a legitimate business and can send and receive encrypted data safely — don't provide the safety they seem to.
"They instill some sense of security, but that could be a dangerously false sense of security," said Paul Mutton, a researcher with UK-based security firm Netcraft Ltd.
Attacks are still possible because an SSL certificate indicates only that a third party has verified the identity of the site's owner and that the browser's connection to the site is encrypted.
The site itself could still be riddled with security holes for hackers to exploit. And the certificate could simply be bogus: Criminals have been forging them to get the padlock icon and dress up fraudulent sites.
In response, companies that sell the certificates began offering an enhanced version, known as Extended Validation, about a year ago; roughly 5,000 site owners worldwide have undergone its extra level of scrutiny, which includes face-to-face visits.
But even those sites may contain malicious code. Researchers from Netcraft said last week they discovered vulnerabilities in four sites boasting Extended Validation SSL certificates.
Criminals could exploit the flaws to plant programs that steal passwords and credit card numbers, for example. Data stolen by those malicious programs is siphoned off outside the encryption SSL provides, and thus is fully visible to hackers, Netcraft's Mutton said.
Security experts said Netcraft's report highlights the continued need for up-to-date antivirus protection and for users to be cautious about where they enter sensitive data.