Certificate authorities aren’t scrutinizing who gets their SSL certificates, and now a large number of phishing sites have legitimate certificates, said Netcraft, a United Kingdom-based Internet security and research company.
SSL certificates rely on trust. Website operators deploy SSL on their sites so that data transferred between the Web browser and the server travels over an encrypted connection. Certificate authorities issue SSL certificates to attest that the holder controls the domain named in the certificate (and, for the higher-assurance certificate types, that the holder is a verified organization). Web browsers typically display a padlock icon to indicate that the site presented a valid certificate.
The system works -- to a point. When it becomes cheap and easy enough for the criminally minded to obtain SSL certificates for their malicious sites, users lose one of the cues for telling trusted sites from phishing sites. Users have been trained to look for the padlock in their browser, or for HTTPS in the URL, before submitting sensitive information such as passwords and credit card numbers, but that cue becomes meaningless when the site operator itself cannot be trusted.
“A displayed padlock alone does not imply that a site using TLS can be trusted or is operated by a legitimate organization,” Netcraft’s Graham Edgecombe said.
There used to be an assumption that only legitimate website owners would jump through the hoops needed to get a valid SSL certificate. No more -- content delivery network CloudFlare gives customers a free Universal SSL certificate (issued by Comodo and GlobalSign) to encourage more website owners to encrypt their connections and protect users. Comodo offers its own free 90-day certificates, and Symantec offers a free 30-day option through its GeoTrust brand. Since phishing sites typically have very short lifetimes, staying online for only a few weeks at a time, a certificate's short validity period is ideal for fraudsters.
Netcraft's research seems to indicate that certificate authorities aren't flagging domain names suspiciously similar to those of high-risk sites at all. In an analysis of phishing attacks that used deceptive domain names -- names resembling those of legitimate websites -- during the month of August, Netcraft found that Universal SSL certificates accounted for 40 percent of the certificates used by phishing sites. For example, GlobalSign issued a Universal SSL certificate for pay-pal.co.com, a phishing site targeting PayPal, and Comodo issued a Universal SSL certificate for halifaxonline-uk.com, a phishing site targeting the UK-based bank Halifax.
An industrywide code of conduct, the CA/Browser Forum's Baseline Requirements, requires certificate authorities to apply a rigorous vetting process before issuing SSL certificates for high-risk domain names that may be used for fraud or phishing. The special rules apply regardless of the type of certificate -- domain validation, organization validation, or extended validation -- if the requested name is considered high-risk.
“Despite this requirement, many major certificate authorities issue SSL certificates for deceptive domains used in phishing attacks,” Edgecombe said, noting that Symantec issued a certificate for itunes-security.net and GoDaddy for paypwil.com.
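The screen that the high-risk rule calls for, as an added example (this is not Netcraft's analysis code nor any certificate authority's actual vetting system): it normalizes each label of a requested name, compares it against a small assumed watch-list of brand labels using a bounded edit distance, and reports anything that should be pulled out of automated issuance for manual vetting. The watch-list, the tolerance rule and the two control names (netcraft.com and a constructed Cyrillic look-alike) are assumptions; the other sample names are the ones cited above.

```python
"""
Pre-issuance screen for "high-risk" certificate requests.

Added example, not Netcraft's or any certificate authority's production code.
It flags requested names that contain, or sit within a few edits of, a
protected brand label so that a CA can route them to manual vetting instead
of issuing automatically. The brand list, the tolerance rule and the control
domains are assumptions chosen for illustration.
"""
import re
import unicodedata

# Assumed watch-list (illustrative). A real CA would maintain a much larger,
# curated list of brand, bank and government names.
WATCHLIST = {"paypal", "halifax", "itunes"}

# Digit-for-letter substitutions commonly seen in deceptive names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_label(label):
    """Fold one DNS label into a canonical ASCII form for comparison.

    Punycode (xn--) labels are decoded first; accents and non-ASCII letters are
    stripped, case is folded, separators are removed and look-alike digits are
    mapped to letters, so 'Pay-Pa1' becomes 'paypal' and a Cyrillic-a
    'p\u0430ypal' becomes 'pypal', one edit away from the brand.
    """
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = re.sub(r"[-_]", "", label.lower())
    return label.translate(LOOKALIKES)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_labels(fqdn):
    """Labels of the requested name minus the TLD and any wildcard label.

    Simplification: only the final label is treated as the public suffix. A
    real CA would consult the Public Suffix List so that 'co.com'-style hosts
    and country-code second-level domains are handled correctly.
    """
    labels = [l for l in fqdn.rstrip(".").split(".") if l and l != "*"]
    return labels[:-1]


def closest_window(label, brand):
    """Smallest edit distance between the brand and any substring of the label
    whose length is within one of the brand's length; None if the label is too short."""
    best = None
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        if width < 1 or width > len(label):
            continue
        for start in range(len(label) - width + 1):
            d = levenshtein(label[start:start + width], brand)
            if best is None or d < best:
                best = d
    return best


def screen(fqdn, watchlist=WATCHLIST):
    """Return (label, brand, distance) findings for a requested name.

    An empty list means automated issuance may proceed; anything else is a
    high-risk request that needs human vetting (which is how the genuine
    PayPal or Halifax would still obtain their certificates).
    """
    findings = []
    for raw in registrable_labels(fqdn):
        label = normalize_label(raw)
        for brand in sorted(watchlist):
            distance = closest_window(label, brand)
            # Assumed tolerance: roughly one edit per three brand characters.
            tolerance = max(1, len(brand) // 3)
            if distance is not None and distance <= tolerance:
                findings.append((raw, brand, distance))
    return findings


def is_high_risk(fqdn, watchlist=WATCHLIST):
    return bool(screen(fqdn, watchlist))


if __name__ == "__main__":
    # Names cited in the article plus two constructed controls.
    for name in ["pay-pal.co.com", "halifaxonline-uk.com", "itunes-security.net",
                 "paypwil.com", "p\u0430ypal.com", "netcraft.com"]:
        verdict = "HIGH RISK -> manual vetting" if is_high_risk(name) else "clear"
        print(f"{name:24} {verdict:28} {screen(name)}")
```

Run as a script it prints a verdict for each sample name. A genuine request for paypal.com is flagged as well; the rule is meant to trigger a human check, not an automatic denial. A production screen would also consult the Public Suffix List and a proper homoglyph table rather than the simplified normalization used here.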
But maybe it is not up to the certificate authority to decide whether a URL looks too similar to an existing domain. Perhaps that level of scrutiny should occur at the domain registrar, at the point when someone tries to register the name. The certificate authority's job is to verify that the applicant actually controls the domain -- which it is currently doing. The problem is that criminals are abusing the certificate authority system.
“Turns out, the certificate authority scheme that we’re all using to enable trust on the Internet is not, itself, a trustable scheme,” said Tod Beardsley, security research manager at Rapid7.
Criminals need only a marginally believable URL and a padlock icon displayed prominently in the browser to set up a successful phishing site. Domain-validated certificates are issued automatically within minutes, which makes them popular. The problem will likely get worse in the coming months: Let's Encrypt, a project backed by the Electronic Frontier Foundation, plans to offer free, automatically issued domain-validated certificates before the end of the year.
Even if it isn't up to the certificate authorities to fix the phishing problem, they can make it harder for fraudsters to get valid certificates. Netcraft's analysis found no Entrust or DigiCert certificates on phishing sites, most likely because these two certificate authorities do not offer domain-validated certificates. Certificate authorities could stop issuing certificates under the less stringent verification rules altogether, though dropping domain-validated certificates runs counter to Let's Encrypt's goals.
Security professionals have long criticized the idea of giving entities "authority" to issue certificates. There are hundreds of certificate authorities, and no central body determines which are more trustworthy than others. Apple ships iOS 9 with more than 200 trusted root certificate authorities, while Microsoft ships only 100 trusted roots in Windows 8. The decision of who is in and who is out is left up to operating system companies and other major companies, Beardsley said.
"The only reason we can shop and share data online is because we can trust these security measures, but who can you trust when the systems of trust themselves are being abused?" said Kevin Bocek, Vice President of Security Strategy & Threat Intelligence from Venafi.
Businesses have no way of telling which authorities to trust, and users are losing one of the cues they could use to identify bad sites. The bad guys are subverting the system for their own purposes, so it is up to the system to enforce its rules and shut down the abuse.