Can we really trust the browser padlock? Fake banking sites given TLS certificates

Nothing like the padlock icon showing in your browser window to put your mind at ease, eh?

After all, that lock signifies that the site has a Transport Layer Security (TLS) certificate (TLS being the successor to Secure Sockets Layer, or SSL; it’s also referred to as SSL/TLS).

The certificate authorities (CAs) that give out those certificates are supposed to vet the domains that get those certificates and hence bear that supposedly trusty padlock.

But it looks like the vetting is actually a bit lackadaisical, the result being that typosquatters’s sites are being stamped with TLS certificates they don’t deserve, according to internet services provider Netcraft.

In just one month, Netcraft claims, CAs have issued “hundreds” of certificates for deceptive domain names targeting brands including Paypal, Apple, Bank of America, and UK financial institutions Halifax and NatWest.

Likely-sounding (but fraudulent) domains that had been issued with TLS certificates and then used in phishing attacks include the following:

dodgy-uris-1000

A few years ago, Naked Security took a look at what happens when you mistype a website name – easy typos to make, with the resulting URLs being populated by some flavor of fraudster.

The least egregious results of fumbling fingers were links to advertising sites and pop-ups.

The more risky typosquatting URLs were associated with cybercrime, be it hacking, phishing, online fraud or spamming. What’s more, some 2.4% of the domains were devoted to adult or dating sites.

As Netcraft says, sites that use TLS are marketed as trustworthy and operated by legitimate organisations.

The result is that conscientious consumers look for the padlock before they submit sensitive information to websites, including passwords and credit card numbers.

But the fact is that a padlock alone doesn’t imply that a site using TLS can be trusted.

Industry requirements for CAs require that high-risk domain names – i.e., those that may be used for fraud or phishing – be subjected to additional verification.

From the CA/Browser Forum’s Baseline Requirements:

High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage.

The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval.

Netcraft’s Graham Edgecombe stops short of outright accusing CAs of ignoring checks like these, which are meant to put the kibosh on giving certificates to high-risk sites – say, those that have anything to do with online banking.

But he does point out that some of the CAs’ offerings – including free trial certificates with short expiration times – are quite appealing to phishers:

The short validity periods are ideal for fraudsters as phishing attacks themselves typically have short lifetimes.

Similar issues include one CA’s plan to offer free, automatically-issued certificates later this year.

In other words, there’s not a lot of vetting taking place, Edgecombe told SC Magazine:

The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.

All the CA will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague.

Edgecombe said that the problem of fake SSL certificates isn’t new, but price competition has caused the cost and levels of checks on certificates to fall.

Meanwhile, phishing is getting smarter, more focused, and even though it’s as old as the hills (at least in internet time), it’s still doing quite well when it comes to putting online consumers at risk.

But just what do we expect the CAs to do, exactly?

Here’s how Paul Ducklin framed it:

If the powers that be accept that I am the guy who owns sn34kydomain.example, then what "vetting" do you expect a CA to do? Why not prevent the domain even being used at all?

In the meantime, this is one more nail in the coffin when it comes to being able to recognise a phishing URL by keeping an eye out for irregularities and mistakes.

Image of phishing courtesy of Shutterstock.com

Leave a Reply