What You Need to Know about HTTPS Certificate Abuse

What are HTTPS Certificates?

HTTPS Certificates are SSL (Secure Socket Layer) certificates which allow a secure connection between a web server and a web browser. From then on, all traffic between them is secured. SSL certificates are security protocols that use public key cryptography to bind together a server, domain or hostname with an organization name and location.

SSL certificates are normally used to protect your sensitive data such as usernames and passwords, or credit card details. There are different types of SSL certificates depending on the level of validation required: Extended Validation (EV), Organization Validation (OV) and Domain Validation (DV).

SSL certificates are issued by trusted Certificate Authorities (CA) such as GlobalSign, Comodo, LetsEncrypt, etc.

After the certificate is installed on your server, the HTTP protocol will become HTTPS and, depending on your web browser, a padlock icon or a green bar will appear when you visit an SSL-secured website.

How HTTPS Certificates Can Be Abused?

These days HTTPS certificates have become widely and readily available which has both positive and negative consequences. On the bright side, more websites can make their traffic secure. On the downside, they can be abused for the purposes of phishing and spreading malware, because malicious websites can have HTTPS certificates installed, too.

Statistics looks disconcerting: more than 700 certificates have been issued with ‘PayPal’ in the hostname. It is reasonable to suppose that some of these DV certificates were used for phishing websites faking the appearance of the world-known online payments provider. Thus, your account details and credit card information may well be ‘securely’ stolen. Big banks and other world brands run the same risk.

The problem with DV SSL certificates is that they only verify the right of the applicant to publish on the target domain at one point in time. No company identity information is checked. This means that DV certificates can easily be abused to mislead users that they’re on a verified website while they risk becoming victims of phishing. EV SSL certificates offer the highest level of verification, but they’re also the more difficult to obtain and potentially, harder to abuse.

Why HTTPS Certificates Can Be Abused?

Part of the answer is that it is not clear who can do anything to prevent it. CAs argue that web browsers are responsible for dealing with malicious sites. However, browsers cannot really guarantee if a website is safe, they can only know whether there is an error-free HTTPS connection or not.

Websites also bear some responsibility for failing to use HTTPS certificates properly, frequently changing domain names, emailing non-secure links, etc.

Low user awareness of web security and HTTPS certificates also contributes to the problem. It is no longer enough to look for the padlock icon on the browser and be sure it means it’s secure.

What Now?

One way to deal with malicious websites is to use malware and phishing blocklists, though they lag behind in updates. New phish sites can be reported directly to browsers through services such as Google’s Safe Browsing.

There isn’t a single bullet-proof solution to website security. Even what makes a site secure is a whole set of indicators such as website age, HTTPS certificates, website hosting location, presence of login, etc. so all of this should be considered when designing security systems. Also, both CAs and web browsers can make more effort at making their authentication methods more reliable.

If you’re a business owner, here’s more on how to protect your brand on the Internet <What you Need To Know about Protecting your Brand Online>.

Phishing websites are no small matter. Read about the 2016 statistics here <Over 400,000 Phishing Websites Detected Each Month in 2016>.

To find out what cybersecurity means nowadays, go to <Cybersecurity – one of the hottest topics nowadays>.

 

Need some help?