Every year, we think next year we'll have solved the phishing problem, but it just seems to be a pesky problem that doesn't go away. In fact, Venafi recently released a study that revealed that the total number of certificates for look-alike domains is more than 200% greater than the number of authentic retail domains.
Using fake domains that substitute a few characters in the URLs, cyber attackers can point to malicious online shopping sites that mimic legitimate, well-known retail websites. As a result, it has become increasingly difficult for customers to detect the fake domains, especially because many of these malicious pages use an anonymous TLS certificate, so they appear to be safe for online shoppers who unknowingly provide sensitive account information and payment data.
Because anonymous TLS certificates can lead to a false sense of security, it’s critical that consumers are educated about the importance of valid machine identities. Highly secure websites, such as those from a bank, will have a special indicator in the browser. This indicator will display the name of the organization and often the country it's associated with. It’s a relatively easy way for the average person to look and see if they're actually connected to their real bank. Here are actual examples of what is displayed in the address bar of the Google Chrome web browser for a highly secure website vs an anonymous TLS website.
Example 1: Address Bar of Google Chrome showing the actual Bank of America Corporation website with organization name and country
Example 2: Address Bar of Google Chrome showing a website using an anonymous TLS certificate which only shows website address
Highly secure websites are able to offer this additional level of confidence because they encrypt their pages using an extended validation certificate. But before we talk about how it works, it’s important to understand the factors that contributed to the creation of this higher level of validation.
Going back into the '90s, the lock symbol first started to appear, and users were trained to look for it: when they saw the lock, they felt the website was safe. Over time, the lock symbol has evolved and no longer means what it did then. Back then, looking for the lock was a good idea. Today, the lock symbol really just means that the connection to the website is encrypted. But, as we’ve seen with look-alike sites, encryption alone is not enough.
To better determine whether a website is valid, consumers need to see additional identity information associated with the owner of the website. For example, if a visitor sees that the organization name is right there beside the lock symbol, they will know it's gone through a higher level of verification. And that verification involves the organization being vetted by a third party called a certification authority (CA). And that process is pretty thorough.
Before granting an extended validation certificate, the CA will actually go and try to figure out whether the company is legitimate and in good standing. The CA will also try to prove that the entity requesting that identity has the right to do so. Nowadays, it's a very different type of process than just getting a simple anonymous certificate.
Bottom line, extended validation makes it difficult to spoof a valid website. Higher levels of identification mean that it’s harder for the person who is requesting a certificate to hide. Most do not want to be identified if they are, indeed, trying to do something fraudulent because they will just create a forensic trail for themselves.
The most important element of extended validation is that the information being displayed is actually generated by the validating organization (the CA), not by the folks posting the website. Indeed, the organization’s identity is cryptographically bound to the digital certificate. To further bolster confidence, the CA will confirm over time that the certificate is still in good standing via revocation services.
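The address-bar behaviour described above, as an added example that is not code from Venafi or the original post: two constructed self-signed certificates stand in for an anonymous (domain-validated) certificate and an organization-validated one, and `Inspect` reports what a browser could display for each. The host names, `makeCert` and `Inspect` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what the address bar could show for a certificate.
type Identity struct {
	Host         string
	Organization string
	Country      string
	Verified     bool // true only if the issuer asserted an organization name
}

// makeCert builds a self-signed certificate with the given subject.
// Constructed test data only; a real cert is issued and signed by a CA.
func makeCert(subj pkix.Name, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Inspect shows org and country only when the subject carries them;
// an anonymous certificate yields nothing beyond the host name.
func Inspect(c *x509.Certificate) Identity {
	id := Identity{}
	if len(c.DNSNames) > 0 {
		id.Host = c.DNSNames[0]
	}
	if len(c.Subject.Organization) > 0 {
		id.Organization = c.Subject.Organization[0]
		id.Verified = true
		if len(c.Subject.Country) > 0 {
			id.Country = c.Subject.Country[0]
		}
	}
	return id
}

func main() {
	anon, _ := makeCert(pkix.Name{CommonName: "examp1e-bank.test"}, "examp1e-bank.test")
	ov, _ := makeCert(pkix.Name{CommonName: "example-bank.test",
		Organization: []string{"Example Bank Corp"}, Country: []string{"US"}}, "example-bank.test")
	fmt.Printf("%+v\n%+v\n", Inspect(anon), Inspect(ov))
}
```

A real client additionally verifies the chain to a trusted CA and, for extended validation, checks the CA's EV certificate-policy identifier; subject fields alone prove nothing if the signer is untrusted.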
Extended validation has proven to be a great security differentiator for websites that require high levels of privacy and security. Any website that collects personal or financial information should be held to this higher standard for strong machine-to-machine connections and communications. Machine identities are integral to this process and savvy organizations will go the extra mile to protect these high-value credentials.
How secure are the machine identities on your public-facing websites?