The battle for a secure web has been long and hard-fought, but over the last couple of years we’ve been edging closer to the (probably unattainable) ideal of SSL Everywhere. The number of sites delivering content over encrypted connections has soared, largely because buying and installing certificates is no longer onerous. For most sites a domain-validated (DV) certificate is adequate, and DV certificates are available for free from certificate authorities like Let’s Encrypt, which also recommends a client, Certbot, that obtains and installs certificates on common server configurations.
But have users become too trusting of sites with SSL certificates? According to recent stories from WordFence and Netcraft, users are falling victim to phishing attacks because they trust sites that browsers mark as secure. From the browser’s perspective, a valid certificate issued by a trusted certificate authority and matching the domain in the address bar is enough to label the site secure.
But there’s nothing to stop criminals from getting their hands on these certificates, which really only prove two things: that the connection is encrypted, and that whoever runs the server demonstrated control of the domain name shown in the address bar. An encrypted connection to a phishing site doesn’t make us any safer, although many seem to assume that it does.
The problem lies with the validation process for DV certificates. There’s usually no human involved: all the applicant has to do is demonstrate control of the domain, typically by publishing a token the CA supplies at a well-known HTTP path or in a DNS record. It doesn’t matter whether it’s a legitimate domain or an obvious attempt to mislead users with a name that looks similar to a major brand like PayPal or Google.
Users have understood that sites without certificates aren’t secure, but they may also be assuming the opposite: that sites with certificates are safe. That’s not a valid deduction, and it’s obviously problematic if the mechanism that is supposed to secure the web causes users to develop an unjustified confidence.
Phishers exploit this trust by registering domains that, at a quick glance, look similar to the domain of a bank or other service that handles sensitive information, and obtaining DV certificates for them. When users are tricked into visiting these sites, usually via phishing emails, the certificate matches the domain, the padlock appears, and the browser tells them the site is secure. They enter their credentials, and off those go to the criminal’s server.
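To make concrete what “looks similar” means in practice, and how a CA or a monitoring tool might flag candidate names automatically, here is a small Python heuristic. It is an added example for this article, not code from the article, WordFence or Netcraft, and it does not represent any CA’s actual checks. The protected brand list, the confusable-character table, the hyphen-token and subdomain rules, and the stub public-suffix handling are all assumptions made for the example, and the sample hostnames at the bottom are constructed.

```python
"""Heuristic lookalike-domain flagger (added example, not Netcraft's or any CA's
real method). Brand list, confusable table and suffix handling are assumptions."""
import re

PROTECTED_BRANDS = ["paypal", "google"]  # assumed list of brands to protect

# Tiny confusable table (assumed; Unicode's full confusables list is far larger).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
}

# Two-level public suffixes recognised here (stub; real tools use the Public Suffix List).
TWO_LEVEL_SUFFIXES = ("co.uk", "com.au", "co.jp")


def registrable_split(hostname):
    """Return (subdomain labels, registrable label), e.g. (['login'], 'paypal')."""
    try:
        host = hostname.encode("ascii").decode("idna")  # decode xn-- punycode labels
    except UnicodeError:
        host = hostname  # already Unicode, or malformed punycode: compare as given
    host = host.lower().rstrip(".")
    for suffix in TWO_LEVEL_SUFFIXES:
        if host.endswith("." + suffix):
            host = host[: -len(suffix) - 1]
            break
    else:
        host = host.rpartition(".")[0] or host  # drop a one-level TLD
    labels = host.split(".")
    return labels[:-1], labels[-1]


def normalize(label):
    """Map confusable characters to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Levenshtein distance (standard dynamic-programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(hostname, brands=PROTECTED_BRANDS, max_typo_distance=1):
    """Explain why hostname resembles a protected brand, or return None.

    None means the heuristic found nothing, not that the site is safe; a hit
    is a candidate for review, since legitimate names can trip it too.
    """
    subdomains, reg = registrable_split(hostname)
    if reg in brands:
        return None  # any subdomain of the brand's own registrable domain
    norm = normalize(reg)
    tokens = [t for t in re.split(r"[-_]+", norm) if t]
    norm_subs = [normalize(s) for s in subdomains]
    for brand in brands:
        if norm == brand:
            return f"confusable characters spell '{brand}' in label '{reg}'"
        if edit_distance(norm, brand) <= max_typo_distance:
            return f"label '{reg}' is within {max_typo_distance} edit(s) of '{brand}'"
        if brand in tokens and len(tokens) > 1:
            return f"'{brand}' embedded in hyphenated label '{reg}'"
        if brand in norm_subs:
            return f"'{brand}' used as a subdomain of unrelated domain '{reg}'"
    return None


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in certificate SAN lists.
    for host in ["www.paypal.com", "accounts.google.com", "paypa1.com",
                 "p\u0430ypal.com", "goggle.com", "paypal-account-verify.com",
                 "paypal.com.secure-login.net", "example.com"]:
        print(f"{host}: {lookalike_reason(host) or 'no match'}")
```

Run it directly to see each constructed name and the rule it trips. The genuine subdomains (www.paypal.com, accounts.google.com) pass, while the lookalikes are caught by different rules: digit-for-letter and Cyrillic substitutions, a one-character typo, the brand buried in a hyphenated label, and the brand used as a subdomain of an unrelated registrable domain. A real deployment would pair something like this with the Public Suffix List and the full Unicode confusables table, and treat hits as candidates for review rather than automatic rejection, since resellers and fan sites will trip it too.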
This isn’t an easy problem to solve. Ideally, certificate authorities would be careful about the domains they issue certificates for, rejecting obviously misleading domains. But manual checking is expensive and any increase in cost will reduce the number of legitimate sites that implement HTTPS.
Alternatively, browsers could be more explicit that a DV certificate says nothing about who operates a site, but that’s likely to confuse users, most of whom don’t understand the difference between certificate validation levels. At some point in the near future, machine learning algorithms may be capable of spotting misleading domains, and there are companies working on that, including Netcraft, the company raising the alarm about misleading domain names, which obviously has a horse in this race.
Ultimately, it’s unlikely that much can be done until certificate authorities find a way to reliably spot and reject obviously misleading domains.