As of April 2017, there were 3.8 billion people in the world accessing the Internet.
That’s roughly 51 percent of the world’s population and officially means non-Internet users are becoming the minority. As 2018 dawns, it’s important to understand that in developed countries, we now live in a digital society; indeed, it’s nearly unheard of to live, work, or go to school without Internet access being required. As our digital penetration increases, so does the risk that individuals and organizations are exposed to when operating online. In fact, as real-world traditional crime has been going down, online-related crime and consumer complaints have only been increasing. Is it any surprise that cybercrime damages are predicted to cost the world more than $7 trillion annually by 2021?
I think it goes without saying that Internet users should, at this point, be better educated in how to function securely online if they want to avoid falling victim to online scams. User experiences online have become easier, removing barriers to Internet adoption, so that even young children can operate an app or navigate a tablet, but how safe are they? Does the average Internet consumer know how to stay protected?
According to a survey Mozilla conducted earlier this year, 90 percent of respondents said they do not know how to protect themselves online, and a third of all respondents said they feel like they have no control of their information online. I must believe that if these people don’t know how to protect themselves or their data online then they also don’t know how to protect their employer or their employer’s information.
A new year provides a good opportunity to review the basic threats and security measures we should all know, from the fickle protection of SSL Certs and brand or non-brand targeted malware, to the riskiest communication channel that we all use every day: email.
Here’s Part One of a three-part overview of this important topic.
Part 1: SSL Certs Do Not Protect Against Phishing
I took an informal poll of my non-industry friends on Facebook about the padlock in the address bar and what it meant to them. I either got “I don’t know,” or a variation of “it means that the website I’m visiting is secure” or “it’s why there is an ‘S’ in https.” Unfortunately, we’ve been led to falsely believe the padlock, or the “s” in https, means we are at a valid, legitimate site, and any communication with that website is secure.
However, that is not entirely accurate. The padlock icon (or the word “Secure” or sometimes the organization name) along with the “s” in https, indicates that the owner of the website being visited has purchased an SSL Certificate which encrypts the data transmitted from the user’s browser to the website.
It does not, however, verify that the website itself is legitimate and well-intentioned. This is an important distinction.
What’s an SSL Certificate?
SSL is an acronym for Secure Sockets Layer, and is the name for the technology used in establishing an encrypted communication channel between a web server and a browser, denoted by the “s” at the end of http in the website address. Its purpose is to make sure that transmitted data remains private. Utilizing SSL to protect users’ data is an industry standard and is widely used across the Internet. To create an SSL encrypted communication channel, the website owner purchases an SSL Certificate from a certificate authority (CA).
(A note on naming conventions: SSL certs can also be called TLS certs in reference to Transport Layer Security, which is essentially a newer version of SSL. Many vendors use the phrase “SSL/TLS certificate”; however, it’s probably more accurate to call them “certificates for use with SSL and TLS” since the protocols are determined by the server configuration and not the certificates themselves. I’ll refer to them collectively as SSL certs for this article.)
Most consumers do not know that there are different levels of SSL Certs available to purchase. The basic certificate provides domain validation (DV), which simply demonstrates that the applicant has control of the domain name – either by responding to an email sent to one of the WHOIS contacts on the domain name, adding a particular TXT record to the DNS zonefile of the domain name, or adding a particular text file to the website of the domain name. Organization validated (OV) certs have a more extensive validation process, including confirming domain ownership and organization identity. Organization validated certs are recommended. Extended Validation (EV) certs are most commonly used for financial and ecommerce sites, because the CA uses a rigorous authentication method before the cert is issued.
There isn’t any standardization across the browsers in how they display EV vs. OV or DV certs; Firefox shows the company name in the address bar for EV certs, and will list the name of the website that is secured for OV and DV certs:
However, Chrome makes no distinction for EV, OV, or DV and only indicates “Secure”:
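As an added illustration (this is not code from the original post or from MarkMonitor), the following Python reports only what a certificate actually proves, working on the dictionary shape that Python’s ssl module returns for a live connection: which names the certificate covers, and whether the CA vetted an organization (OV/EV) or only control of the domain (DV). The two sample certificates are constructed placeholders, not real sites.

```python
# Added example (not from the original post): report only what a certificate
# proves, using the dict shape ssl.SSLSocket.getpeercert() returns. A DV cert's
# subject usually holds just a commonName; OV/EV certs add organizationName.
import socket
import ssl

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """'OV/EV' if the subject names an organization, else 'DV'. EV cannot be told
    from OV here: getpeercert() omits the certificatePolicies extension that
    carries the EV policy OID, so the two are reported together."""
    return "OV/EV" if subject_fields(cert).get("organizationName") else "DV"

def hostname_matches(cert, hostname):
    """True if a DNS SAN covers hostname exactly or via a one-label wildcard."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def fetch_cert(hostname, port=443):
    """Live lookup for real use; the constructed samples below run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed samples (placeholder names, not real sites): a free DV cert on a
# lookalike name and an OV cert on the brand's own domain.
DV_CERT = {"subject": ((("commonName", "shop-examplebank.example"),),),
           "issuer": ((("organizationName", "Example Free CA"),),),
           "subjectAltName": (("DNS", "shop-examplebank.example"),)}
OV_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Bank Inc"),),
                       (("commonName", "www.examplebank.example"),)),
           "issuer": ((("organizationName", "Example Commercial CA"),),),
           "subjectAltName": (("DNS", "www.examplebank.example"), ("DNS", "*.examplebank.example"))}
```

Both samples would earn a padlock in the browser; the code can tell you that the DV certificate was issued on nothing more than domain control, but no certificate field says whether the site behind the name is honest.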
HTTPS Does Not Mean the Site is Safe
Cybercriminals have now found a way to trick Internet consumers into believing a site is safe. Until recently, most cybercriminals did not register SSL Certs for sites since it was costly, and CAs vetted the organization before granting an SSL Cert. Recently, organizations like Let’s Encrypt, which led the initiative on this, and Comodo, have changed the landscape by removing fees for issuing short-validity (90 days) domain validated SSL certs and greatly simplifying the process of utilizing an SSL Cert. Their goal is a good one: to convert unencrypted traffic to encrypted traffic for a large number of sites that either couldn’t afford to purchase a cert, or didn’t have the tech savvy to administer a cert. Unfortunately, though, while more sites are encrypted to protect legitimate consumers, there has also been heavy misuse of this initiative by cybercriminals.
The new ability to register SSL certs easily and for free has given cybercriminals the ammunition they need to take advantage of the general consumer perception that an https/padlock/“secure” designation indicates a safe site. The SSL cert conveys a false sense of security and lures more consumers into falling prey to phishing sites.
Web Browsers Can’t Protect Against this Problem
Web browsers have long encouraged consumers to trust the https secure designation; however, what was generally not made clear to the vast majority of Internet users is that the SSL Cert encrypts a communication channel but DOES NOT provide validation of how trustworthy the website is nor any indication of web application security.
Web browsers have been doing their part to further protect consumers, as they do have a vested interest in establishing a secure online experience. Both Google Chrome and Mozilla Firefox began identifying unencrypted sites (those sites with HTTP instead of HTTPS, indicating no SSL Cert) as “Not Secure” in the address bar whenever credit card or password fields are on the website, or, with Chrome 62, whenever a person types into any type of data field.
The web browsers’ initiative is helpful in flagging unencrypted sites; however, with some SSL Certs now being free, and CAs not required to do any sort of validation beyond making sure the person registering the SSL Cert controls the domain, web browsers only provide limited protection. There are no additional checks to validate affiliation with the brand or organization contained in the domain name (if any). There have already been multiple reports of thousands of free DV SSL Certs registered for websites with legitimate brand names in the domain name.
MarkMonitor has Adjusted Phishing Detection to Combat the Threat
To respond to this new threat, MarkMonitor has been working with some of our heavily-targeted customers to quickly turn this problem into an opportunity to expand our detection capabilities for AntiFraud Services. By monitoring new SSL Cert registrations, we are now able to more rapidly detect phishing sites. We can then begin mitigation steps before the email campaign is launched, thereby blocking consumer exposure and preventing damage.
Best Practices for Consumers Include:
- Approach new websites with skepticism, regardless of how you are directed to them.
- Make sure the phishing filter is turned on in your browser. Details for Firefox are here, for Chrome here and for IE here.
- Always view SSL certs and whois (domain ownership) records when unsure if the site is valid or not (there is a whois lookup available at the foot of our MarkMonitor.com home page).
- Always install the newest updates for your software.
Additionally, for MarkMonitor Domain Management customers, Certificate Authority Authorization (CAA) records are fully supported by MarkMonitor Enterprise and Premium DNS. CAA records are a new type of DNS record which allow domain owners to specify the CA(s) that are authorized to issue a cert on behalf of the domain name. See Digicert.com for more information about CAA records.
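To show how a CA applies CAA records at issuance time, here is an added Python example (not code from the original post or from MarkMonitor) that implements the RFC 8659 lookup rules against a small constructed zone: climbing from the requested name to the nearest parent with CAA records, honouring issuewild for wildcard requests, an empty issuer (“;”) that forbids every CA, and the critical flag on unknown tags. The zone, CA names and the accounturi parameter value are placeholders.

```python
# Added example (not from the original post or MarkMonitor): decide whether a CA
# may issue for a name under RFC 8659 CAA rules. Records are (owner, flags, tag,
# value) tuples as a zone file lists them; the zone below is constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(records, name):
    """Use the CAA set at name, else climb to the nearest parent that has one."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels)
        rrset = [r for r in records if r[0].lower().rstrip(".") == owner]
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def caa_permits(records, name, ca_domain, wildcard=False):
    """True if ca_domain may issue a certificate for name (a leading '*.' means wildcard)."""
    if name.startswith("*."):
        name, wildcard = name[2:], True
    rrset = relevant_rrset(records, name)
    if not rrset:
        return True                                # no CAA anywhere: unrestricted
    for _, flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False                           # critical flag on an unknown tag
    tag = "issue"
    if wildcard and any(r[2].lower() == "issuewild" for r in rrset):
        tag = "issuewild"                          # issuewild overrides issue
    rules = [r[3] for r in rrset if r[2].lower() == tag]
    if not rules:
        return True                                # only iodef etc.: unrestricted
    allowed = {v.split(";", 1)[0].strip().lower() for v in rules}
    allowed.discard("")                            # 'issue ";"' names no CA at all
    return ca_domain.lower() in allowed

# Constructed zone: the apex allows one CA, forbids wildcards and names a report
# address; a dev subdomain delegates to a second CA (with a parameter after ';').
ZONE = [
    ("examplebank.example.", 0, "issue", "ca-one.example"),
    ("examplebank.example.", 0, "issuewild", ";"),
    ("examplebank.example.", 0, "iodef", "mailto:security@examplebank.example"),
    ("dev.examplebank.example.", 0, "issue", "ca-two.example; accounturi=placeholder"),
]

if __name__ == "__main__":
    for host, ca in [("www.examplebank.example", "ca-one.example"),
                     ("*.examplebank.example", "ca-one.example")]:
        print(host, ca, "permitted" if caa_permits(ZONE, host, ca) else "blocked")
```

CAA is checked by the CA at issuance, not by the browser, so it limits mis-issuance for domains you control and does nothing about lookalike domains registered by someone else.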
In my next blog post, I’ll look at the risks posed by different kinds of malware in 2018.