The need for online trust, user privacy and credibility is rising. Companies find it important to safeguard the data of their website visitors and are taking measures such as serving their sites over HTTPS. At the same time, internet users are demanding more and more safety measures from the sites they visit.
While the roll-out of Firefox 51 and Chrome 56 promised a safer web thanks to security warnings and a gentle push towards HTTPS with SSL certificates, phishing sites rather quickly jumped on the bandwagon and started running “secure and encrypted” phishing scams.
HTTPS-enabled phishing sites on the rise
As Netcraft reported on May 17th 2017, since the release on January 26th 2017 of the Chrome and Firefox browsers with the security warning enabled, the share of phishing websites using HTTPS has risen from 5% to 15%, with a brief peak of 20%.
To make matters worse, these phishing sites obtain their certificates from trusted, valid Certificate Authorities like Let’s Encrypt and Comodo.
The popularity of Let’s Encrypt has also become its weakness: it is very easy to obtain a valid, browser-trusted certificate with a short validity period. While this is excellent for automated renewal, it also acts as a magnet for parties with less honourable intentions, such as phishing sites. In response to Let’s Encrypt’s “free” certificates, Comodo has launched a so-called Trial Certificate valid for 90 days. But, as always, “free” is usually too good to be true.
Let’s Encrypt does check domain names against the Safe Browsing API before issuing a certificate, but that check happens at issuance time, usually before any phishing content has been put online. By the time the site is flagged, the harm is already done.
Browser users have been trained to look for a “valid” and “secure” URL, so at first glance the website they visit appears legitimate. This makes the problem even worse: the scam sites are TLS-enabled and look just as valid as the real thing.
What will happen?
While some Certificate Authorities claim it is not the task of a CA to check whether the content behind a certificate is trustworthy, we cannot deny this is becoming a problem. Looking at the bigger picture, it was a problem that could be expected. We are talking about DV (Domain Validation) certificates: they are cheap or free and the validation method is, to say the least, pretty limited (a simple e-mail or DNS validation check is usually enough to get you going).
Our general advice is not to rely on the cheapest SSL certificate option unless you know what you are doing, you know what you are going to use the certificate for, and you can live with the idea that one day the certificate might (let’s hope not) become a problem.
If you are an organisation or corporation and wish to steer clear of this, there are always the less cheap Domain Validation certificates or the more reliable Organisation Validation certificates. From the perspective of an end user: always, and we do mean ALWAYS, check the certificate and the domain name in the address bar. There is a thing called the “Deceptive Domain Score”, which usually gives a good indication of how unreliable a domain can be.
This excellent tool, SSL Labs, analyses an HTTPS installation through a number of tests against known vulnerabilities and standards: the certificate, protocol support, key exchange and cipher strength…
Known vulnerabilities such as DROWN, BEAST, POODLE and Heartbleed are also tested extensively.
Since, for the first time in 20 years, HTTPS is gaining ground over classic HTTP traffic (probably also thanks to the forced “push” by Google, among others), testing an SSL installation is becoming a necessity, and the tool will become stricter as the market evolves.
From 2017 on, the following changes will be incorporated:
- 3DES: because of the Sweet32 vulnerability, servers that still negotiate 3DES with modern browsers will have their score capped at C.
- Forward Secrecy: since Edward Snowden revealed several privacy-related breaches, the industry has come to regard forward secrecy as a requirement; if it is not enabled on the server, a score of B is the best you will get.
- AEAD suites: authenticated encryption is strongly advised and AEAD suites are the only ones supported in TLS 1.3. AEAD suites are required to get an A+ score!
- TLS fallback: since the POODLE vulnerability most browsers have made adjustments, and TLS_FALLBACK_SCSV is no longer needed to get an A+ rating.
- Weak ciphers: all ciphers with keys shorter than 128 bits will get an F rating, without hesitation!
- RC4: servers supporting RC4 will have their score capped at C.
- SHA-1: sites using a SHA-1 certificate will not be treated as secure and chances are (not confirmed yet) that they will get an F rating. We strongly suggest that everyone replaces their SHA-1 certificate with a SHA-256 one!
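To make the rules above concrete, here is an added example (not from the original article or from SSL Labs) that applies them to a list of cipher suites a scan found enabled on a server and reports the best grade the server can still reach. Suite names follow OpenSSL conventions; the suite table and the two sample servers are constructed for illustration, and the forward-secrecy rule is simplified to "no ECDHE/DHE suite enabled at all".

```python
# Added example (not from the original article): apply the 2017 SSL Labs rules
# listed above to a scan result. Suite table and sample servers are constructed.

GRADE_ORDER = {"F": 0, "C": 1, "B": 2, "A": 3, "A+": 4}

# OpenSSL suite name -> (forward secrecy, AEAD, nominal key bits).
# 3DES keeps its nominal 168 bits; the Sweet32 rule below handles it separately.
SUITE_INFO = {
    "ECDHE-RSA-AES128-GCM-SHA256": (True, True, 128),
    "ECDHE-RSA-AES256-GCM-SHA384": (True, True, 256),
    "ECDHE-RSA-CHACHA20-POLY1305": (True, True, 256),
    "ECDHE-RSA-AES128-SHA":        (True, False, 128),
    "AES128-SHA":                  (False, False, 128),
    "DES-CBC3-SHA":                (False, False, 168),
    "RC4-SHA":                     (False, False, 128),
    "DES-CBC-SHA":                 (False, False, 56),
}

def grade_cap(enabled_suites, cert_sig_alg="sha256WithRSAEncryption"):
    """Return (best reachable grade, reasons) for a server's enabled suites."""
    unknown = [s for s in enabled_suites if s not in SUITE_INFO]
    if unknown:
        raise ValueError(f"unknown cipher suite(s): {unknown}")
    info = [SUITE_INFO[s] for s in enabled_suites]
    cap, reasons = "A+", []

    def limit(grade, why):            # lower the cap, never raise it
        nonlocal cap
        if GRADE_ORDER[grade] < GRADE_ORDER[cap]:
            cap = grade
        reasons.append(f"{grade}: {why}")

    if any(bits < 128 for _, _, bits in info):
        limit("F", "cipher with a key shorter than 128 bits enabled")
    if cert_sig_alg.lower().startswith("sha1"):
        limit("F", "certificate signed with SHA-1")
    if any("RC4" in s for s in enabled_suites):
        limit("C", "RC4 supported")
    if any("DES-CBC3" in s for s in enabled_suites):
        limit("C", "3DES supported (Sweet32)")
    if not any(fs for fs, _, _ in info):
        limit("B", "no forward-secrecy (ECDHE/DHE) suite enabled")
    if not any(aead for _, aead, _ in info):
        limit("A", "no AEAD suite enabled, so A+ is out of reach")
    return cap, reasons

# Constructed scan results: a legacy server and a hardened one.
LEGACY = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
HARDENED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"]
```

Calling `grade_cap(LEGACY)` returns a C cap with four reasons, while `grade_cap(HARDENED)` returns A+ with none; the same function with a SHA-1 signature algorithm drops either server to F.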
The SSL Labs test helps us refine an SSL certificate installation and will help you, as website or server owner, keep track of whether your SSL installation is still up to par with the recommended strict HTTPS settings.
We always suggest that everyone audits their SSL installation frequently!
Start here to check your HTTPS installation: casecurity.ssllabs.com
From January 2017 on, new browser versions of Google Chrome (version 56) and Mozilla Firefox (version 51) will start showing a notification in the address bar stating that your site is “not secure”.
It gets better: if your website is in the Google Search Console (for SEO tracking), you, as an administrator, will also get a warning there that certain URLs will trigger a “Not secure” warning for your visitors, for example registration pages or forgotten-password pages.
Why install an SSL certificate on your site?
The main reason to choose an SSL certificate for your website is that data is sent encrypted between visitor and website, and back…
- Web forms, registrations, profile pages, passwords… should preferably be sent over a secure connection.
- If you offer online services, having an HTTPS-enabled website is simply a necessity!
- Running a web shop or e-commerce platform? Give your visitors that extra confidence when they visit your site!
Which SSL certificate to choose?
There are several types of SSL certificates: domain validation, organisation validation, extended validation (the famous green address bar), wildcard certificates… but which one is the best option for your site or application?
We admit it: finding your way through the dense SSL forest is not exactly easy. Therefore, consult Kinamo when trying to figure out which certificate fits your needs best; we will check with you which type is most applicable to your needs.
Looking for the highest degree of visual “trust” and a green address bar with your company name embedded?
Then the Extended Validation (EV) certificate is best suited. EV certificates are not cheap, but the vetting process is strictly regulated and more complex, and it gives the visitor the highest degree of assurance that the site is effectively linked to your company. EV certificates are commonly used by financial institutions, e-commerce platforms and other sites handling transactional data.
You’ve got a multitude of servers that must be secured by one single certificate, all under the same domain and its subdomains? Then the Wildcard SSL certificate is your best choice: these certificates allow you to secure *.yourdomain.com, often at a much better price than picking individual certificates per subdomain.
The only disadvantages: they are only available with domain validation and only work for subdomains of one domain (so myserver.domain.com and my2ndserver.domain.com, but not myserver.domain.com together with myserver.2nddomain.com).
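The subdomain limitation above follows from how browsers match a wildcard name, so here is an added example (not from the original article) that implements that matching: the "*" stands for exactly one whole DNS label in the left-most position, as RFC 6125 and browsers apply it. The hostnames and the sample certificate names are constructed; the second function shows the end-user check from earlier in the article, comparing the address-bar hostname against a certificate's Subject Alternative Names.

```python
# Added example (not from the original article): which hostnames a wildcard
# certificate for *.yourdomain.com covers. Follows the RFC 6125 / browser rule
# that "*" stands for exactly one whole DNS label in the left-most position.
# All hostnames used here are constructed for illustration.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (plain or wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname          # plain name: exact match only
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be the wildcard, and the parent domain
    # must keep at least two labels (so "*.com" or "my*.domain.com" never match).
    if c_labels[0] != "*" or "*" in cert_name[1:] or len(c_labels) < 3:
        return False
    # The wildcard replaces exactly one label: yourdomain.com itself and
    # a.b.yourdomain.com have the wrong label count and are not covered.
    if len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]

def cert_covers(san_names, hostname: str) -> bool:
    """Check a certificate's Subject Alternative Names against the address-bar hostname."""
    return any(name_matches(n, hostname) for n in san_names)

# Constructed wildcard certificate for one domain, as described in the text:
# the bare domain is listed separately because "*.domain.com" does not cover it.
WILDCARD_SANS = ["*.domain.com", "domain.com"]
```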
If you are really on the hunt for a bargain when securing your website, the cheapest option is a standard SSL certificate with domain validation.
These certificates are cheap, issued quickly (getting a certificate within 5 minutes is possible if you follow the steps correctly) and they are often valid for 1 to 3 years.
Since 2016 you can also get “free” SSL/TLS certificates. These are offered by Let’s Encrypt, created by the non-profit Internet Security Research Group (ISRG).
There are also drawbacks to these certificates: the validity is limited to 90 days, so the certificate must be renewed every 90 days.
True, this can be done automatically, but it requires specific server settings or other creative tweaks. Let’s Encrypt certificates only come with domain validation, offer no wildcard certificates and will require more work than a “simple” domain validation certificate.