ÃÛÌÒTV

Best Practices 04-06-2015

The Fraud Problem with Free SSL Certificates

Flavio
SSL Certificates are the defacto standard for online trust today. SSLs are such a critical backbone to online security thatÌýÌýto sites that secure their content with HTTPS.

Savvy Internet usersÌýhave come to recognize and expect that any website asking for sensitive or personal information to display the universal symbol—the padlock—before typing in any sensitive information.

In a Tech-Ed survey, users reported that without knowing the identity of the organization conducting business, over 35% would reconsider entering a credit card number from a site using a plain SSL Certificate.

Differences between SSL Certificates

Are SSLs less trustworthy than we think?ÌýTo answer this question, we have to consider the fact that not all SSL Certificates are created equal.

Domain Validated (DV):ÌýNo identity verification is done. The Certificate Authority (CA) sends an automated challenge email and the site owner clicks on a link to approve the certificate. Information is encrypted, but no assurance is made that the organization should be trusted.

Because of the lack of trust and the frequent use for fraudulent purposes, ÃÛÌÒTV does not issue cheap domain validated certificates.

Organization Validated (OV):ÌýBasic identity verification is completed. In the case of an OV certificate, the CA conductsÌýa much more substantial validation process. This includes checking the applicant’s business credentials (through government and business databases) and verifying that the website is a legitimate organization.

ÃÛÌÒTV validation experts are online 24/7 and can complete basic verification in less than 10 minutes on most certificates.

Extended Validation (EV):ÌýExtended identity verification is completed. This is the highest level of validation and strict standards for identity verification. The validation process includes physical location checks, phone calls to ensure the applicant is authorized to order the certificate on behalf of the company or business represented, and more.

ÃÛÌÒTV EV is issued in less than 24 hours for most EV Certificate requests.

Although all SSLs ensure that information online is encrypted, only OV and EV SSL Certificates actually certify the website is being operated by a legitimate organization, keeping users safe from fraud and phishing scams online.Ìý

The Problem with Free SSL CertificatesÌý

Let’s be honest, no one can give something away for free and remain in business for very long. ÌýSome organizations today provide free SSL Certificates, relying solely on automated systems that skip authentication to keep costs extremely low. These organizations often provide add-on services for a fee, or are funded by third-party organizations with deep pockets.

Authentication is critical to online trust. Authentication provides the assurance that you're at the real PayPal.com, and not a fake PayPal phishing site. CAsÌýthat include identity authentication in their certificates follow strict rules for verifying identity of organizations, individuals, and the authority to request SSL Certificates on behalf of organization. Free SSL CertificatesÌýdon'tÌýrely on performing authentication checks or identify verification,Ìýmaking them a prime candidate for fraudulent websites today.

on an email campaign that leveraged a site benefiting from a free CloudFlare certificate in order to deliver malware to users online.

The malicious email message claimed to be a notice from cloud-based, remote connectivity service provider LogMeIn, about an alleged problem with extending the service subscription due to insufficient funds.

The HTTPS link included in the email claimed to point to an invoice showing the details of the transaction. Since the website had an SSL Certificate installed, users were more likely to trust it and download the malware file.

Fortunately, CloudFlare has since revoked the certificate for the website and the location is now flagged as malicious in all major web browsers.

However, this is only the tip of the iceberg and cyber criminals are taking notice. With free SSL Certificates or cheap SSL becoming more readily available, it’s likely that cyber criminals will continue to exploit the lack of identity verification to take advantage of users online.

EV SSL Certificates for All

In working with the CA/Browser Forum industry group create EV SSL Certificates, ÃÛÌÒTV set out to ensure that any organization could qualify for an EV certificates.

We continue to work with the group to make amendments to the EV verification process to ensure that more organizations can take advantage of the higher level of trust the EV provides, while ensuring that the process remains cyber-crimeÌýproof.

Tech-Ed’s EV survey showed that 67% of web users saidÌýthey would not buy from an unfamiliar website that did not have an EV SSL Certificate to confirm the identity of the organization. for application security and require all UEFI code submissions must be signed by an Extended Validation (EV) Code Signing Certificate.

Enterprise Benefits of Extended Validation

EV SSL Certificates ensure that users can communicate securely with a website. Websites using an EV SSL Certificate gainÌýimmediate trust in the eyes of users because it reassures the user that the data is secure andÌýthe organization receiving the data is a reputable entity.

Since technical requirements prevent EV SSL Certificates from being forged, large enterprises especially benefit fromÌýusingÌýEV certificates as an easy anti-phishing indicator or that data being secured cannot be intercepted by a malicious third party.

Keeping users safe online and staying ahead of cyber criminals and scammers requires going above and beyond in online security. Identity verification is the clear answer to the problem of online trust.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-27-2024

6 actionable ways to secure the IIoT at every stage

Tracking the progress toward post-quantum cryptography

The state of PQC since the publication of FIPS 203, 204 and 205