Will Certificate Transparency Help to Rebuild Confidence in Certificate Authorities?

With research suggesting an increasing trend towards SSL certified phishing websites (some up to 58%), users are increasingly at risk of malware, phishing and “watering hole” attacks. Some cyber security specialists cite this issue as perhaps the biggest challenge facing secure, encrypted browsing. This growing potential risk vector forces us to ask: how can users trust HTTPS?

SSL Certificates and HTTPS

An authentic SSL (Secure Sockets Layer) certificate not only authenticates, at least in principle, the identity of the website, but also allows the data transmitted between the user and the website to be encrypted.

With a valid SSL certificate, users are reassured by the all-important ‘green padlock’ (not always green) displayed next to the URL, as well as by the S added to HTTP. Educated users are now largely conditioned to avoid entering any sensitive information into websites that lack these indications of authenticity and encryption.

How Secure is SSL?

Thanks to advanced cryptography, standard browsers can typically detect malicious websites, differentiating between those which are secure and those which are not. In the case of forged or fake SSL certificates, though, this becomes a lot more difficult.

Certification Authorities (CAs) are the widely trusted parties who issue these SSL certificates, but as we know from other areas of information security, no system is entirely foolproof and beyond exploitation by malicious actors. With a growing number of CAs across the world, the fallibility of organisations and the considerable incentives that may attract a nation state to authorise less-than-legitimate certificates, experts have been struggling to tackle this pressing information security issue.

This is not to say users aren’t protected. In fact, the Certification Authority Browser Forum (a voluntary professional consortium) holds CA members to specific certification standards, via annual audits as well as close communication with browser and operating system developers. This means that those not upholding said standards are unlikely to be deemed trustworthy by internet browser software vendors.

At the heart of this problem is the matter of identity. False SSL certificates are issued on the basis that the entity requesting the certificate genuinely exists, though who that certificate is actually going to may not always be who they appear to be. To make matters worse, a CA has no reason not to issue the owner of ‘Goog1e.com’ an SSL certificate, despite the fact that the URL will undoubtedly be used for nefarious purposes.

Transparency of Certification

Thankfully, Google’s Certificate Transparency project hopes to remedy this situation by shining as much light on the issue as possible. By providing an open framework for monitoring and auditing HTTPS certificates, site owners will be able to search their domain names to help ensure there have been no incorrect issuances of certification relating to their domains.

By encouraging CAs to submit the certificates they issue to publicly verifiable, append-only, tamper-proof logs, browsers will be able to cross-reference against these logs, helping to ensure users are requesting safe and legitimate websites. Browsers may make use of these logs, but CAs currently submit the certificates they grant only on a voluntary basis.
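As an added illustration (not part of the original article), the following Python example shows the Merkle tree construction behind the ‘append-only, tamper-proof’ property described above, using the RFC 6962 hashing rules: the log hands out an inclusion proof for one entry, and anyone holding only the tree’s root hash can check that proof without trusting the log operator. The log entries are constructed placeholders, not real certificates.

```python
import hashlib

# RFC 6962 Merkle hashing: prefix 0x00 for leaves, 0x01 for interior nodes.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two below n (n >= 2)

def tree_hash(leaves: list) -> bytes:
    """Merkle Tree Hash over the log's entries (the root in a signed tree head)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def audit_path(leaves: list, m: int) -> list:
    """Sibling hashes from entry m up to the root: the log's inclusion proof."""
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return audit_path(leaves[:k], m) + [tree_hash(leaves[k:])]
    return audit_path(leaves[k:], m - k) + [tree_hash(leaves[:k])]

def _root_from_path(h: bytes, m: int, n: int, path: list) -> bytes:
    # Rebuild the root from a leaf hash and its proof, mirroring audit_path().
    if n == 1:
        if path: raise ValueError("proof longer than tree depth")
        return h
    k = split_point(n)  # a proof that is too short raises IndexError below
    if m < k:
        return node_hash(_root_from_path(h, m, k, path[:-1]), path[-1])
    return node_hash(path[-1], _root_from_path(h, m - k, n - k, path[:-1]))

def verify_inclusion(entry: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    """True only if `entry` sits at index m of an n-entry tree with this root."""
    if not 0 <= m < n: return False
    try:
        return _root_from_path(leaf_hash(entry), m, n, path) == root
    except (ValueError, IndexError):
        return False

# Constructed stand-ins for logged certificates (not real DER); 5 entries = unbalanced tree.
LOG = [b"cert:example.com:01", b"cert:mail.example.com:02", b"cert:shop.example.com:03",
       b"cert:example.net:04", b"cert:example.org:05"]
```

Because the root over the first four entries is reused unchanged as a subtree when the fifth is appended, an auditor can also confirm that the log only grew, which is what makes silently removing or altering a previously logged certificate detectable.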

Obviously, this doesn’t solve the problem entirely. Maybe the worldwide network of CAs won’t see the value in this project and thus not bother, perhaps browsers will follow suit, and maybe even rogue certificates will temporarily pass into the logs undetected.

But despite all these possibilities, Certificate Transparency is certainly a step in the right direction towards being able to detect false or forged SSL certificates and reduce the chances of average users being phished, or worse.

What are the Threats?

Usernames, passwords, bank logins, credit card details and answers to security recovery questions. All this information represents high value targets for cyber criminals, who exploit, share and sell this sensitive data across underground networks.

Should a legitimate-looking website be credentialled with a seemingly authentic SSL certificate, it becomes virtually impossible for an average user to distinguish between a secure and an insecure website, a difference that can be extremely important when it comes to sensitive information.

Earlier this year, a sophisticated phishing campaign was discovered to be targeting several NGOs around the world, including the UN and UNICEF. By directing individuals to nefarious cloned sites, criminals hoped to steal login credentials; a process that can be aided by mobile browsing since URLs can be truncated and less obviously fraudulent.

Until we can vouch for every single SSL certificate out there (which may be never), when it comes to browsing and confidential information, it’s best for all users to adopt a standardised best practice policy.

Four basic rules to consider:

Be suspicious of unexpected emails, and of emails which try to impress urgency and a call to action. Check for spelling mistakes, inconsistencies and anything that doesn’t seem quite right.

Check the URL of any link by hovering over it. Emails can often contain links, though before you click, you should know where it’s pointing. If you’re expecting a typical URL, and instead see inexplicably long strings of characters or gibberish – be suspicious and avoid clicking.

Look for HTTPS and the green padlock. Though an imperfect system, the vast majority of websites with this SSL certification will indeed be encrypted, authentic and secure.

Avoid entering any sensitive or personal information anywhere you think may not be secure. This rule goes for any HTTP-only websites, as well as websites accessed via public networks. If you’re not using a VPN, public networks can be very easily monitored by criminals and are thus not secure.

There are many other precautions that you and your organisation can take to avoid an information security breach, but by following these basic rules you can help to mitigate a great deal of the risk that phishing represents. And though it is possible that a website may have an inauthentic SSL certificate, the vast majority of CAs go to great lengths to verify the authenticity and security of their certificate holders; hence, the chances of being phished via an HTTPS website are slim.