I took an informal poll of my non-industry friends on Facebook about the padlock in the address bar and what it meant to them. I either got “I don’t know,” or a variation of “it means that the website I’m visiting is secure” or “it’s why there is an ‘S’ in https.” Unfortunately, we’ve been led to falsely believe the padlock, or the “s” in https, means we are at a valid, legitimate site, and any communication with that website is secure.
However, that is not entirely accurate. The padlock icon (or the word “Secure” or sometimes the organization name) along with the “s” in https, indicates that the owner of the website being visited has purchased an SSL Certificate which encrypts the data transmitted from the user’s browser to the website.
It does not, however, always verify that the website itself is legitimate and well-intentioned. This is an important distinction.
What’s an SSL Certificate?
SSL is an acronym for Secure Sockets Layer, and is the name for the technology used in establishing an encrypted communication channel between a web server and a browser, denoted by the “s” at the end of http in the website address. Its purpose is to make sure that transmitted data remains private.
Utilizing SSL to protect user’s data is an industry standard and is widely used across the Internet. To create an SSL encrypted communication channel, the website owner purchases an SSL Certificate from a certificate authority (CA).
(A note on naming conventions: SSL certs can also be called TLS certs in reference to Transport Layer Security, which is essentially a newer version of SSL. Many vendors use the phrase “SSL/TLS certificate”; however, it’s probably more accurate to call them “certificates for use with SSL and TLS” since the protocols are determined by the server configuration and not the certificates themselves. I’ll refer to them collectively as SSL certs for this article.)
What most consumers don't know
There are different levels of SSL Certs available to purchase. The basic certificate provides domain validation (DV), which simply demonstrates that the applicant has control of the domain name – either by responding to an email sent to one of the WHOIS contacts on the domain name, adding a particular TXT record to the DNS zonefile of the domain name, or adding a particular text file to the website of the domain name.
Organization-validated (OV) certs have a more extensive validation process, including confirming domain ownership and organization identity. Organization validated certs are recommended. Extended Validation (EV) certs are most commonly used for financial and ecommerce sites, because the CA uses a rigorous authentication method before the cert is issued.
There isn’t any standardization across the browsers in how they display EV vs. OV or DV certs; Firefox shows the company name in the address bar for EV certs, and will list the name of the website that is secured for OV and DV certs:
However, Chrome makes no distinction for EV, OV, or DV and only indicates “Secure”:
HTTPS does not mean the site is safe
Cybercriminals have now found a way to trick Internet consumers into believing a site is safe.
Until recently, most cybercriminals did not register SSL Certs for sites since it was costly, and CAs vetted the organization before granting an SSL Cert. Recently, organizations like Let’s Encrypt, which led the initiative on this, and Comodo, have changed the landscape by removing fees for issuing short-validity (90 days) domain validated SSL certs and greatly simplified the process of utilizing an SSL Cert.
Their goal is smart: to convert unsecure traffic to secure traffic for a large number of sites that either couldn’t afford to purchase a cert, or didn’t have the tech savvy to administer a cert. Unfortunately, though, while more sites are encrypted to protect legitimate consumers, there has also been heavy misuse of this initiative by cybercriminals.
This new option to register SSL certs easily and for free has given cybercriminals the ammunition they need to take advantage of the general consumer perception that a https/padlock/”secure” designation
indicates a safe site. The SSL cert conveys a false sense of security and lures more consumers to fall prey to phishing sites.
MarkMonitor has been tracking the volume of phishing sites identified using an SSL Cert and the chart below illustrates percentage of total phishing sites using SSL certs from January 2018 to February 2019. In October, there was a significant spike in phishing sites with certs and as of February 2019 the volumes are nearly at the same levels.
Web Browsers Can’t Protect Against this Problem
Web browsers have long encouraged consumers to trust the https secure designation; however, what was generally not made clear to the vast majority of Internet users is that the SSL Cert encrypts a communication channel but DOES NOT provide validation of how trustworthy the website is nor any indication of web application security.
Web browsers have been doing their part to further protect consumers, as they do have a vested interested in establishing a secure online experience. Both Google Chrome and Mozilla Firefox began identifying un-encrypted sites (those sites with HTTP instead of HTTPS, indicating no SSL Cert) as “Not Secure” in the address bar anytime credit card or password fields are on the website, or with Chrome 62, when a person is using any type of data field.
The web browsers’ initiative is helpful in finding unencrypted sites, however with some SSL Certs now being free, and CAs not required to do any sort of validation beyond making sure the person registering the SSL Cert is the owner of the domain, web browsers only provide limited protection. There are no additional checks to validate affiliation with the brand or organization contained in the domain name (if any).
MarkMonitor has Adjusted Phishing Detection to Combat the Threat
To respond to this new threat, MarkMonitor has been working with some of our heavily-targeted customers to quickly turn this problem into an opportunity to expand our detection capabilities for AntiFraud Services. By monitoring new SSL Cert registrations, we are now able to more rapidly detect phishing sites. We can then begin mitigation steps before the email campaign is launched, thereby blocking consumer exposure and preventing damage.
Best Practices for Consumers Include:
- Approach new websites with skepticism, regardless of how you are directed to them.
- Make sure the phishing filter is turned on in your browser. Details for Firefox are here, for Chrome here and for IE and Edge here.
- Always view SSL certs and whois (domain ownership) records when unsure if the site is valid or not (there is a whois lookup available at the foot our MarkMonitor.com home page).
- Always install the newest updates for your software.
Additionally, for MarkMonitor Domain Management customers, Certificate Authority Authorization (CAA) records are fully supported by MarkMonitor Enterprise and Premium DNS. CAA records are a new type of DNS record which allow for domain owners to specify the CA(s) that are authorized to issue a cert on behalf of the domain name. See Digicert.com for more information about CAA records.
Learn more about SSL Certificates here.