For years, we taught users that a website’s URL that includes https at its very beginning is a relatively good indicator of whether they can safely input sensitive information into it.
Most users would not be able to explain why that is, exactly, but at least some have that recommendation firmly lodged in mind.
A short primer on HTTPS, and what it means
To gain the coveted prefix, website owners must obtain an SSL/TLS server certificate from a trusted Certificate Authority (CA). But there are different types of certificates, and some offer more security than others.
Extended Validation (EV) certificates for websites top the “secure” list. The CA that issues them must verify the legal identity and the operational and physical presence of the website owner, confirm that the applicant is the domain name owner or has exclusive control over the domain name, and confirm the identity and authority of the individuals acting for the website owner.
Organization Validation (OV) certificates can be given if the CA can confirm the applicant’s right to administratively manage the domain name, and the organization’s existence as a legal entity (including a confirmed customer contact using reliable third-party data to make sure the applicant is with the company).
Finally, a CA issuing a Domain Validation (DV) certificate for a domain must only make sure that the applicant has control over the domain in question. It usually does so by sending (and receiving a response from) an email to the email contact in the domain’s whois details or an administrative contact in the domain (e.g. admin@). The CA may have no idea who the applicant for the DV certificate is – the whole process can be anonymous and untraceable.
Consequently, DV certificates offer encryption (i.e. assurance that the traffic to and from the website is encrypted, and therefore the sent sensitive data is known only to the user and the site’s owner), but do not offer proof that the owner of the site is a legal entity (existing organization), or a particular legal entity. In fact, with DV certificates the owner of the site may be completely unknown.
The rise of HTTPS phishing websites
DV certificates owe their genesis to commercial pressures, and the massive global push towards total web encryption. Unfortunately, as they can be issued and installed quickly and through an automated process, DV certificates have become a preferred way for phishers to make their phishing websites gain an aura of legitimacy.
The rise in anonymous, free, automated DV certificate offerings, the poor efforts to revoke these certificates for flagged phishing sites, and some browsers’ lack of revocation checking for DV and OV certificates are just part of the problem, though.
According to Entrust Datacard’s Chris Bailey and Kirk Hall, another big one is that popular browsers don’t differentiate – obviously and unequivocally – between the various types of certificates.
“In the past, browser UI security indicators were pretty simple and mostly the same across browsers – a gold padlock meant encrypted (DV and OV), and a green padlock and bar with identity information meant higher level EV. Users could easily tell the difference. Unfortunately, over time browser UIs diverged, and it’s now hard to tell the difference between DV, OV, and EV certs,” they point out.
“Nearly 100% of phishing on encrypted sites is done with DV certs, and almost none with OV and EV certs – so identity in certificates is already a proxy for user security. All the browsers have to do is show users which websites are protected by identity certs, and which are not.”
The fastest way to do this is to eliminate the padlock for DV sites, they believe. “DV encryption should be treated as the new, minimum ‘normal’ for websites, with no special UI (unencrypted http sites will get a user warning).”
Bailey and Hall are veterans of the information security industry, and currently occupy the positions of VP Strategy & Business Development – SSL and Director of Policy & Compliance – SSL at Entrust Datacard, respectively. Bailey is also a member of the CA Security Council, and Hall is the current Chair of the CA/Browser Forum. Their opinions on this should definitely carry some weight.
Hall showed me lists of DV certs issued for phishing sites sitting on domains chosen to confuse victims into believing they are Apple’s or Microsoft’s, and their number occasionally reaches thousands. “More than 14,000 fake DV login certs for PayPal.com have been issued since the start of 2016,” he also noted.
“We’re completely in favor of requiring encryption for all websites to ensure privacy, and many http sites are moving to DV certs to avoid browser warnings – that’s good. But the browsers have unfortunately made DV sites look a lot like EV sites,” he explained.
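The distinction browsers no longer surface is still recorded in the certificate itself. The sketch below is an added example, not code from Entrust Datacard or from this article: it reads the validation level from the CA/Browser Forum policy OIDs and flags DV certificates whose names imitate a watched brand. The watch list, the sample records and the subject-field fallback are assumptions made for illustration.

```python
# Added example. Policy OIDs are the CA/Browser Forum reserved identifiers,
# found in a certificate's certificatePolicies extension.
CABF_POLICY_LEVEL = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV",
                     "2.23.140.1.2.1": "DV"}
RANK = {"EV": 3, "OV": 2, "DV": 1}

# Hypothetical watch list: brand keyword -> domains the brand really controls.
BRANDS = {"paypal": {"paypal.com"}}

def validation_level(policy_oids, subject):
    """Return 'EV', 'OV' or 'DV' for one certificate."""
    levels = [CABF_POLICY_LEVEL[o] for o in policy_oids if o in CABF_POLICY_LEVEL]
    if levels:
        return max(levels, key=RANK.get)
    # Heuristic fallback (assumption): only a CA-specific policy OID present,
    # so infer the level from the identity fields the CA put in the subject.
    if not subject.get("organizationName"):
        return "DV"
    is_ev = subject.get("businessCategory") and subject.get("serialNumber")
    return "EV" if is_ev else "OV"

def owned_by(name, domains):
    """True if name is one of the domains or a subdomain of one."""
    name = name.lower().lstrip("*.")
    return any(name == d or name.endswith("." + d) for d in domains)

def triage(cert):
    """Return (level, names) where names are DV-secured brand lookalikes."""
    level = validation_level(cert["policy_oids"], cert["subject"])
    hits = []
    if level == "DV":  # no verified identity behind the padlock
        for name in cert["dns_names"]:
            for brand, domains in BRANDS.items():
                # Coarse substring match; tune to avoid false positives.
                if brand in name.lower() and not owned_by(name, domains):
                    hits.append(name)
    return level, hits

# Constructed sample records (not real certificates).
SAMPLES = [
    {"dns_names": ["paypal.com-signin.example"],
     "policy_oids": ["2.23.140.1.2.1"],
     "subject": {"commonName": "paypal.com-signin.example"}},
    {"dns_names": ["www.paypal.com"], "policy_oids": ["2.23.140.1.1"],
     "subject": {"organizationName": "(constructed) Example Org"}},
    {"dns_names": ["blog.example"], "policy_oids": [],
     "subject": {"commonName": "blog.example"}},
]

if __name__ == "__main__":
    for cert in SAMPLES:
        print(cert["dns_names"], triage(cert))
```
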
The duo wants browser makers to work together and create a universal, simplified set of UI security indicators highlighting identity that all browsers will use, and which will remain stable over time. They advise reserving the plain padlock for OV sites, the green padlock and bar for EV sites, and downgrading the DV cert UI.
It could look something like this (design proposed by Bailey):
“Once the change is made, we can all work together to educate users on how to understand the new browser UIs, what to look for, and how to protect themselves by only providing personal information (passwords, credit cards, personally identifiable information, etc.) to sites with confirmed identity (OV and EV sites),” Bailey pointed out.
Effecting such a change should be easy, and they are hoping that browser vendors will get a move on it, and soon.
“The bad guys don’t want to go through the process of establishing their company identity to a Certification Authority (CA) to get an OV or EV cert – it’s too much trouble for a quick exploit which today only requires an anonymous, throwaway domain and free DV cert,” he noted.
“The CA infrastructure is already in place to leverage website identity, and most important sites already have OV and EV certificates – all we have to do is make greater use of this existing infrastructure for user security.”