When Firefox 51 and Chrome 56 rolled out, they promised a safer web: security warnings on insecure pages and a gentle push for websites to move to HTTPS with a valid SSL certificate. It seems phishing sites quickly jumped on the bandwagon and started serving "secure and encrypted" scams of their own.
HTTPS-enabled phishing sites on the rise
As Netcraft reported on May 17th 2017, since the January 26th 2017 release of the Chrome and Firefox versions that carry these security warnings, the share of phishing websites served over HTTPS has risen from 5% to 15%, with a brief peak of around 20%.
To make matters worse, these phishing sites obtain their certificates from publicly trusted Certificate Authorities such as Let's Encrypt and Comodo, so browsers show them with the same padlock as any legitimate site.
The popularity of Let's Encrypt has also become its weakness: it is very easy to obtain a valid, browser-trusted certificate with a limited lifetime (90 days). While this is excellent for automated renewal, it also makes an attractive target for actors with less honest intentions, such as phishing sites. In response to Let's Encrypt's free certificates, Comodo launched a so-called Trial Certificate, also valid for 90 days. But, as always, "free" is usually too good to be true.
Let's Encrypt does query the Google Safe Browsing API before issuing a certificate, but that check runs at issuance time, which is usually before the phishing content has been put online. The domain is therefore not yet flagged, the certificate is issued anyway, and the check only catches the site after the harm is done.
Browser users have been trained to look for a "valid" and "secure" padlock in the address bar, so at first glance a site that shows one appears legitimate. This makes the problem worse: the padlock only proves that the connection is encrypted to whoever controls that domain name, not that the domain belongs to whom it claims to be, yet the TLS-enabled scam sites look just as valid as the real thing.
What will happen?
While some Certificate Authorities argue that it is not a CA's job to check whether the content behind a certificate being issued is trustworthy, we cannot deny that this is becoming a problem. Looking at the bigger picture, it was a problem that could be expected. We are talking about DV (Domain Validation) certificates: they are cheap or free, and the validation is, to say the least, limited. The CA only checks that the applicant controls the domain, typically through a confirmation e-mail, a DNS record or a file served over HTTP, and verifies nothing about who the applicant is.
Our general advice is not to rely on the cheapest SSL certificate option unless you know what you are doing, know what you will use the certificate for, and can live with the possibility that one day the certificate (let's hope not) becomes a problem.
If you run an organisation or corporation and wish to steer clear of this, there are the somewhat less cheap Domain Validation certificates, or the more reliable Organisation Validation certificates, for which the CA also verifies the legal entity behind the domain. From the perspective of an end user: always, and we do mean ALWAYS, check the certificate and the domain name in the address bar, not just the padlock. Netcraft's "Deceptive Domain Score" also gives a good indication of how unreliable a domain name is likely to be.
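The two points above, that the padlock only proves the connection matches the domain in the address bar, and that a user should look at the certificate and the real domain rather than the padlock, can be made concrete in code. The following Python example is added here and is not part of the original post or of any tool it mentions. It audits a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns: it performs the hostname match a browser performs, extracts the registrable domain from the URL, infers DV versus OV from whether the subject carries an organisation name, and reports the certificate lifetime. The two certificates and the URLs are constructed samples, the hostnames and organisation names are placeholders, and the short public-suffix table is a simplification of the real Public Suffix List.

```python
"""
Added example (not from the original post): audit a TLS certificate the way a
careful user would, instead of trusting the padlock alone.

The certificate dicts are CONSTRUCTED samples in the shape returned by
Python's ssl.SSLSocket.getpeercert(); nothing here touches the network.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: a DV certificate as an automated CA issues it for a
# look-alike phishing host. Only a commonName, no organisation, 90-day lifetime.
PHISH_CERT = {
    "subject": ((("commonName", "examplebank.com-secure-login.example"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "examplebank.com-secure-login.example"),),
    "notBefore": "Apr 30 00:00:00 2017 GMT",
    "notAfter": "Jul 29 00:00:00 2017 GMT",
}

# Constructed sample: an OV certificate, where the CA verified the organisation.
OV_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "www.examplebank.com"),)),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
    "notBefore": "Jan 01 00:00:00 2017 GMT",
    "notAfter": "Jan 01 00:00:00 2019 GMT",
}

# Simplified stand-in for the Public Suffix List (assumption: enough for the
# demo; a real tool should load the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of the host name the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subject_field(cert, field):
    """Look up one attribute (e.g. organizationName) in the subject RDNs."""
    for rdn in cert["subject"]:
        for key, value in rdn:
            if key == field:
                return value
    return None


def san_matches(cert, host):
    """Hostname check as a browser does it: exact SAN match, or a single
    left-most wildcard label (*.example.com matches one label only)."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def validation_level(cert):
    """DV certificates carry no organisation in the subject; OV/EV ones do."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"


def validity_days(cert):
    fmt = "%b %d %H:%M:%S %Y GMT"
    start = datetime.strptime(cert["notBefore"], fmt)
    end = datetime.strptime(cert["notAfter"], fmt)
    return (end - start).days


def audit(url, cert, expected_domain):
    """Separate what the padlock proves (SAN matches the host) from what the
    user actually cares about (is this the domain I meant to visit?)."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    return {
        "padlock": san_matches(cert, host),       # the only thing the browser checks
        "registrable_domain": domain,
        "domain_matches_expected": domain == expected_domain,
        "validation": validation_level(cert),
        "validity_days": validity_days(cert),
    }


if __name__ == "__main__":
    for url, cert in ((("https://examplebank.com-secure-login.example/signin"), PHISH_CERT),
                      (("https://www.examplebank.com/"), OV_CERT)):
        print(url, audit(url, cert, "examplebank.com"))
```

Run against the phishing sample, `padlock` is true, exactly as the browser would show it, while `domain_matches_expected` is false, `validation` is `DV` and the lifetime is 90 days; the OV sample passes all checks. The registrable-domain step is the one a user has to do by eye in the address bar: the brand name at the left of a long hostname means nothing, only the last labels do.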