Who’s afraid of The big bad site – no one soon!

Bad site is not just a bad dream, but reality

Back in 2016 I wrote an article under the the title Who’s afraid of the big bad site (unfortunately it is in Finnish). You can find that article here . The point in the article was that browsers are doing a great job trying to prevent users from ending up on a phishing site. This is a good thing, but nowadays the browsers categorises all sites running HTTPS Secure, not matter what the content or who is running the site. Unfortunately this has gone even more difficult for a common internet surfer now that Google..

.. and Mozilla have removed the EV (Extended Validation) certificate indicator from their browsers all together!

Different medias in the internet have published multiple articles about how cybercriminals have abused PayPal and created phishing sites with Paypal as part of the site name. Paypal is not alone, many banks and other businesses have been targeted as well. One example of a phishing site was: paypal.com.webapps-mpp-accounts.com, which was running a free DV certificate by Let’s Encrypt, creating a secure and legitimate looking site.

Should we worry about that, isn’t that a technical problem?

YES we should! We live busy lives. You may receive an email that looks coming from a trusted source and you go and click on a link in it. It may direct you to perfectly official looking site and you may end up entering your credentials to a criminal site which has all the logos and functions looking like official site should look. Of course you check that the site has a padlock and your browser tells you that the site is Secure. What could possibly go wrong? Except everything. You have been pwned.

Let’s use this legitimate site as an example later on in this article

What do the statistics tell you about encrypted traffic:

DV certificates, the free and very cheap ones that only need a domain validation are being used on 98% percent of encrypted phishing sites.

At the same time when asked from the organizations what should a certificate on a website tell to the visitor:

Number one is the IDENTITY. This is how it used to be (and still is in some browsers):

What if it was like this ..

Google Chrome browser

..and a cybercriminal had registered a sitename: ssI-apua.fi (ssi-apua.fi, capital i looks like L ) and has directed a user to the site with a well constructed Phishing email?

Isn’t it good to have encrypted internet after all?

It is a good thing. Today most of the traffic in the internet is already encrypted. Even though cybercriminals can take advantage of the encryption too. Let’s Encrypt has done a great job in “encryption for everyone” project, but if your site asks any identity related or credit card, personal or any classified information, you should use Extended- or Organization Validated certificates on it. These certificate types are validated with a very strict vetting process using official public registeries and topped up with a human verification work. Then your visitor can check from the certificate who is actually running the site and get more insurance on entering their information on it.

CA:s (Certificate Authorities), who are responsible of running these certificate services are doing more than just pushing out certificates. They are developing new and more strict and secure methods for spotting out the bad from the good. The London Protocol is one of them.

Let’s encrypt and be careful out there..

Sources:

https://www.wesentra.com

https://duo.com/decipher/chrome-and-firefox-removing-ev-certificate-indicators

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md

Leave a Reply