Users -- particularly those who do not understand technology well -- have long been taught to look for the green lock in their web browser to be certain it is communicating with a trusted site.
The problem is, of course, the green lock doesn't mean the site itself is trusted. It just means the connection between your computer and the site is encrypted. It doesn't mean the contents of the site are trusted, or that the site itself doesn't contain some sort of malicious code.
For example, freely available Secure Sockets Layer encryption certificates are being combined with the /.well-known/ directory to embed phishing in websites. This recent Netcraft article describes the technique.
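A defender can check their own web roots for this kind of planted content. The sketch below is an added example, not code from this article or from Netcraft: it walks a web root and flags files under `/.well-known/` that do not look like certificate-validation artifacts. The extension deny-list, the reason strings and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# ACME http-01 token files are named with base64url characters and no extension.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Assumed deny-list of extensions that do not belong in a validation directory.
SUSPECT_EXT = {".php", ".html", ".htm", ".js", ".asp", ".aspx", ".zip"}


def audit_well_known(web_root):
    """Return sorted (relative_path, reason) findings under any .well-known dir."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(web_root):
        parts = os.path.relpath(dirpath, web_root).split(os.sep)
        if ".well-known" not in parts:
            continue
        below = parts[parts.index(".well-known") + 1:]
        in_acme = below[:1] == ["acme-challenge"]
        for name in filenames:
            rel = "/".join(parts + [name])
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXT:
                findings.append((rel, "web content or script in .well-known"))
            elif in_acme and (len(below) > 1 or not TOKEN_RE.match(name)):
                findings.append((rel, "not a plain ACME token file"))
    return sorted(findings)


def build_sample_root():
    """Constructed sample tree: legitimate files plus two planted pages."""
    root = tempfile.mkdtemp()
    layout = {
        ".well-known/acme-challenge/Zm9vYmFyLXRva2Vu": "token.thumbprint",
        ".well-known/acme-challenge/login/index.html": "<form></form>",
        ".well-known/pki-validation/secure.php": "<?php ?>",
        ".well-known/security.txt": "Contact: mailto:security@example.com",
        "index.html": "<h1>home</h1>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in audit_well_known(build_sample_root()):
        print(f"{rel}: {reason}")
```

Because `.well-known` is a hidden directory, it is easy to miss in routine file listings, so a check like this is best run on a schedule against every hosted web root.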
This hole can, and probably will, be closed eventually. But what network engineers and everyone working in IT should remember is that a network may look like a castle, but it has thousands of entry points, with every Ethernet port and every Wi-Fi signal, and tens of thousands of windows -- every application running on every compute host with access to network resources.
If you work to improve network security, there will always be another hole in the wall to exploit, someone to exploit it and a user somewhere who is in a hurry or doesn't understand what the green lock really means. There will always be vendors more interested in making users feel safe to complete the transaction -- whether in information or money -- than in actually providing a secure environment.
Reduce complexity to improve network security
First, while you can't fix all your users, you can at least try to educate them. You are countering an entire industry fixated on making things happen and not getting in the way of the transaction. But spending a little time explaining that the green lock does not, in fact, mean a website is safe and that a little encryption will not cure all privacy and security ills is a good start.
Second, you can treat simplicity as a first-order problem to be solved when designing systems. Engineers and designers begin with a goal and pile system upon system until they reach that goal. What we often fail to recognize is that every layer of complexity, every interaction surface between systems, is another hole in the network security system -- something else that needs to be understood, monitored and protected.
Reducing complexity is not only a good design discipline; it is also a good security discipline. Simpler systems have fewer holes to protect, much like a castle that encompasses a smaller space and has a shorter wall is just easier to defend.
Improve network security using multiple vantage points
Third, although castle walls are the most common paradigm for security, engineers and designers need to stop thinking in terms of outside and inside their networks. The modern security landscape is more like a modern army than a castle. Rather than erecting castle walls, protecting areas and people through mobility, superior planning and better methods is the right model for modern network protection. Part of this change is to stop seeing security as an appliance or certificate you can put in place and call done.
Fourth, you can think about security from Day One, making it an integral part of the application design, as well as part of the network design.
The green lock is still a useful symbol for understanding security in a modern, networked world. But to make it effective, separate what it means from what it doesn't mean. Understand the limitations, simplify your surfaces and stop counting on the appliance or encryption to be your security life buoy.