Yesterday the FBI issued a warning about hackers misusing SSL certificates and luring people to HTTPS sites for phishing attacks (https://www.ic3.gov/media/2019/190610.aspx).
The problem, according to the FBI, is that just because a site starts with HTTPS (where the ‘S’ stands for secure), it doesn’t mean the site itself is safe. They offer some recommendations to reduce the likelihood of falling victim to HTTPS phishing.
The problem is that since day one people (the average user) have been told that HTTP is not safe: everything that goes over the wire is in plain text and can be intercepted by cyber criminals. What to do? Use HTTPS and check for the padlock in front of the URL. But a padlock in front and a URL that starts with HTTPS only tell you that the connection is encrypted, not that the site is safe. So how can companies help users check the safety of their websites?
Extended Validation (EV): with this kind of validation the company behind the TLS certificate is verified. The benefit is that the browser shows the name of the company next to the padlock. The downside for some companies is the cost, which is quite high.
Organization Validated (OV): with this kind of validation the ownership of the domain and the organization’s information is verified. This makes it harder for cyber criminals to acquire this kind of certificate.
Domain Validated (DV): this kind of validation is very easy to acquire. You only have to prove that you control the domain, and a certificate authority like Let’s Encrypt provides the certificate for free. These are the certificates most often exploited by cyber criminals.
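One way to tell which of the three levels a certificate has, as an added example that is not part of the original post: the CA/Browser Forum EV Guidelines require extra subject attributes (businessCategory, serialNumber and the jurisdiction* fields) on top of the organizationName that OV adds, while a DV certificate carries only a commonName. The check below reads the subject in the shape Python’s ssl getpeercert() returns it; the attribute names are assumed to be the OpenSSL long names, the sample subjects are constructed, and a strict EV determination would additionally check the CA’s EV policy OID in the certificatePolicies extension.

```python
import socket
import ssl

# Subject attributes the EV Guidelines require in addition to C and the
# jurisdiction* fields (assumption: OpenSSL long names as reported by getpeercert()).
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber"}


def subject_to_dict(subject):
    """Flatten a getpeercert()-style subject ((('k', 'v'),), ...) into a dict."""
    return {name: value for rdn in subject for name, value in rdn}


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' based on the certificate's subject fields."""
    subj = subject_to_dict(cert.get("subject", ()))
    if "organizationName" not in subj:
        return "DV"  # only a CN (plus SANs): domain control proven, nothing else
    has_jurisdiction = any(k.startswith("jurisdiction") for k in subj)
    if EV_REQUIRED.issubset(subj) and has_jurisdiction:
        return "EV"  # legal identity and jurisdiction of the organisation vetted
    return "OV"  # organisation verified, but without EV vetting


def fetch_peer_cert(host, port=443):
    """Fetch a live leaf certificate, validated against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample subjects (not real certificates) in getpeercert() shape.
SAMPLE_CERTS = {
    "dv": {"subject": ((("commonName", "blog.example.net"),),)},
    "ov": {"subject": ((("countryName", "NL"),),
                       (("organizationName", "Example B.V."),),
                       (("commonName", "www.example.nl"),))},
    "ev": {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Bank, Inc."),),
                       (("commonName", "www.example-bank.com"),))},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, "->", validation_level(cert))
```

Run against a real host with `validation_level(fetch_peer_cert("example.org"))`; a Let’s Encrypt certificate comes back as DV because its subject holds nothing but the CN.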
EV validation is the key to maximizing customers’ trust in your site. Of course, with this knowledge you can ask yourself why an entity like the FBI, which informs people about the dangers of SSL/TLS misuse, doesn’t use EV validated certificates itself.
As you can see, a DV validated certificate is enough for the FBI to give its visitors trust:
So should everyone have EV validated certificates? Personally I don’t think that would be the answer, or even feasible. For instance, why should a blogger have an expensive certificate? I don’t know. I myself also make use of a free Let’s Encrypt certificate. Why? Because I only want the network traffic to be encrypted.
The use and cost that come with the different kinds of certificates should be added to the risk calculation every company should make.