Phishing with SSL
I read an article from Netcraft about phishing on sites using SSL certificates. It reminded me that the industry has been working on anti-phishing for many years. In 2005, the SSL industry created the CA/Browser Forum. One of its goals was to create a new type of SSL certificate that would fight phishing. The result was the Extended Validation (EV) SSL certificate.
The EV certificate requires much stronger validation of the subscriber's identity. Because of that higher level of validation, browsers give EV sites a more trusted display: typically the subscriber's identity, the issuing CA's name and a green indication in the browser chrome. This helps reduce phishing of your site, because your users get used to seeing the EV indications. A phishing site would not show them unless the attacker either obtains an EV certificate or hacks an EV site to use in the attack.
Typically, though, phishing is performed using an untrusted site. The phisher sends an email with a link and tries to get you to click it. If you do, you land on a site that looks very much like the authentic one; the differences are that it does not have the same domain name and does not have an SSL certificate.
However, the Netcraft study tells us that SSL certificates are being used for phishing. Their numbers from July 2012 show 505 unique valid SSL certificates found on phishing sites. In some cases the domain name in the certificate matched the domain of the phishing site, which means the certificate was either issued legitimately to the attacker or the site hosting the phishing page had been hacked. With a matching domain name the browser shows no trust warning dialogue box, since there is no name mismatch.
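The two browser decisions described above (whether the certificate name matches the host, which otherwise produces the name-mismatch warning, and whether the certificate carries an EV policy so the EV identity display appears) can be emulated in a few lines. The following is an added example, not code from the original post or from Netcraft; the certificates are plain dicts constructed here in place of what a real X.509 parser would return, the domain names are made up under the reserved `.test` TLD, and the hostname matching is a simplified RFC 6125-style rule (exact match, or a full left-most `*` label matching exactly one label). The CA/Browser Forum policy OIDs used (2.23.140.1.1 for EV, 2.23.140.1.2.1 for domain-validated) are real.

```python
"""Emulate the browser's name-match and EV checks for a certificate.

Added example: certificates are represented as constructed dicts standing in
for parsed X.509 fields (SAN dNSNames, Subject CN/O, issuer, policy OIDs).
"""

EV_POLICY_OID = "2.23.140.1.1"    # CA/Browser Forum Extended Validation policy
DV_POLICY_OID = "2.23.140.1.2.1"  # CA/Browser Forum domain-validated policy


def match_dns_name(pattern, host):
    """Simplified RFC 6125 matching: exact, or '*' as the whole left-most label
    matching exactly one label. '*.example.test' matches 'www.example.test'
    but neither 'example.test' nor 'a.b.example.test'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard only as the entire left-most label, with at least two labels after it;
    # partial wildcards such as 'f*.example.test' are rejected in this simplified rule.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Browsers check SAN dNSNames; the Subject CN is only a legacy fallback
    when the certificate has no SAN entries at all."""
    names = list(cert.get("san_dns", []))
    if not names and cert.get("subject_cn"):
        names.append(cert["subject_cn"])
    return names


def hostname_matches(cert, host):
    return any(match_dns_name(n, host) for n in names_in_cert(cert))


def is_ev(cert):
    return EV_POLICY_OID in cert.get("policy_oids", [])


def browser_indication(cert, host, issuer_trusted=True):
    """Summarise what the user would see in the browser chrome for this
    certificate presented on this host."""
    if not issuer_trusted:
        return "warning: untrusted issuer"
    if not hostname_matches(cert, host):
        return "warning: name mismatch"
    if is_ev(cert):
        # EV display: subscriber identity plus issuing CA name
        return "EV: %s (%s)" % (cert["subject_o"], cert["issuer"])
    return "DV/OV: padlock only"


# Constructed sample certificates (not real certificates or organisations).
BANK_CERT = {
    "san_dns": ["www.example-bank.test", "example-bank.test"],
    "subject_cn": "www.example-bank.test",
    "subject_o": "Example Bank Ltd",
    "issuer": "Example EV CA",
    "policy_oids": [EV_POLICY_OID],
}

# A valid DV certificate legitimately issued to the attacker's lookalike domain:
# no name mismatch, so no warning, but no EV identity display either.
LOOKALIKE_CERT = {
    "san_dns": ["www.example-bank-secure.test"],
    "subject_cn": "www.example-bank-secure.test",
    "subject_o": "",
    "issuer": "Example DV CA",
    "policy_oids": [DV_POLICY_OID],
}

# Legacy-style certificate with only a Subject CN and no SAN.
LEGACY_CERT = {
    "subject_cn": "*.legacy.test",
    "subject_o": "",
    "issuer": "Example DV CA",
    "policy_oids": [DV_POLICY_OID],
}


if __name__ == "__main__":
    for cert, host in [
        (BANK_CERT, "www.example-bank.test"),
        (LOOKALIKE_CERT, "www.example-bank-secure.test"),
        (BANK_CERT, "www.example-bank-secure.test"),
        (LEGACY_CERT, "shop.legacy.test"),
    ]:
        print("%-32s -> %s" % (host, browser_indication(cert, host)))
```

The third case shows the only situation the browser warns about: a certificate reused on a host its names do not cover. The second case is the one the Netcraft numbers describe: a valid certificate on the attacker's own lookalike domain passes the name check, and the only thing distinguishing it from the genuine site is the absence of the EV identity display.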
Phishing attacks using a certificate issued by a CA do not generally indicate incompetence on the CA's part. The CA does not know how trustworthy its customers are, nor how well they secure their sites. However, once the CA knows there is an issue, any fraudulent SSL certificates should be revoked.