Can You Really Trust a Site with the Green Padlock in the Address Bar?

 The green padlock that appears on safe sites simply means that the site you are connected to is the true site and not one that has been spoofed to look like the real thing. It also means that traffic to and from the site is encrypted.

 green padlock

 

Here is a good explanation video made by certificate authority, GlobalSign, for those who want more details on what goes into making a site secure.

 

 

So, does this mean it is safe to enter personal or credit card information on these sites? Well, that’s where the problems begin.

 The green padlock means that only those people in control of the site can decrypt and read your credit card details. That’s nice. But the real question to ask is: Who is allowed to get such a green padlock for their site? The answer: Anyone.

 But what about the cost? Surely, if someone has to pay a lot of money for these certificates, they will not be so ready to buy one for their site. That’s true. And some certificates are expensive. But before I get into the cost versus safety debate, I need to briefly explain what those who give out these certificates, the certificate authorities, do.

Certificate authorities insure how trustworthy a site is. They verify a domain. This verification has a number of levels. The more levels of verification, the higher the price the user must pay for the SSL, or verification certificate. These price differences are often reflected in the site’s address bar. Low level certification may simply change the http to https, often with a gray padlock, while more verification will change the address bar or padlock green. I should note that there is no law that the padlock will change green with more validation, though most certificate authorities are trying to make this a standard. The green padlock generally means it has something called EV certification. EV means extended validation.  It is also not true that all browsers will give you the green padlock, though that, too, is a standard that is being established. You have to pay more for an EV SSL certificate because the certificate authority has to do more work to certify the site.

 So, certificates are granted by certificate authorities but who is qualified to be a certificate authority? Well, sadly, almost anyone. So am I saying that you may be lured to a site that seems to be secure but really isn’t? Yes, that can and does happen and certificate authorities know it. Since they do realize that criminals can run sites that can use the https and padlock to steal information, certificate authorities have tried to take actions to prevent this. The best certificate authorities thoroughly check those websites who want one of their certificates. They may do more frequent malware scans of the sites that use their certificates. If the site has malware on it, they will notify the site managers and remove the certificate until the site manager fixes the malware problem. If a certificate authority does a good job in vetting websites, those who manufacture operating systems and browsers (like Microsoft and Mozilla) will list them among trusted certificate authorities and will not warn users about websites that use their certificates for validation. Here is a list of trusted certificate authorities that is included with the FireFox browser, for example. To become a member of Mozilla’s trusted certificate authority community, a certificate authority will have to meet certain standards. Most of the time, you will see the certificate authority’s name after the padlock and clicking on this will give you more information about the certificate it issued.

 Let’s say I have a retail website that I want to certify so that my customers will trust me with their personal information. To get any degree of certification, all certificate authorities must at least be convinced that I own a particular domain. I will usually have to pay a fee to be certified. That fee varies, but can be as much as $1,200 a year and, perhaps, more. Often, the price is less and a few sites, such as Let’s Encrypt, will certify me for free. Yes, that’s correct. If I set up a free, or at least low-priced, valid website, I can get a free SSL certificate for it, and most people will assume it is safe. I will have a padlock and I will have an https address. But there is one problem. The certification information will not be in green. This will mean that I have only attained the lowest level of certification and that communication with my site is encrypted, which, most of the time, is better than nothing. If only I could get a free green padlock with its accompanying certification.

 Although some sites claim to give free EV SSL certificates, they usually come at a price. Some sites hide this price under some term like ‘general verification fee’, which still means you have to pay something even though it might not be for the EV SSL itself. However, there is now intense competition in the EV SSL market as everyone who wants to set up a retail site wants the trust implied in the green padlock. This being the case, I have seen prices as low as $46, and my guess is that even a poor hacker could afford this fee if he/she wants to make some easy money.

Hackers, however, don’t usually care to go to these extremes. They usually just want someone to go to a site that appears connected to a trusted site like Amazon. Most people seeing the https or gray padlock will look no further. I investigated this angle by using the Censys search engine with Let’s Encrypt and found that they certified over 500 sites with ‘amazon’ in the name. Now, some of these, like amazon-fish.com, seem to be legitimate. This site lists fish in the Amazon River. Other sites that Let’s Encrypt certified, like amazon-cloud-computing.com, led me to a Chinese site. It is not clear what this site does, however, it has recently received a sharp increase in visitors almost entirely from the US (see graph below), which is somewhat suspicious.

 amazon graph

 Many of these amazon-labeled sites have mysteriously disappeared, leading one to believe that they were used in phishing campaigns. Some pseudo-Amazon sites, which I will not name, have clearly been set up to steal personal information using Let’s Encrypt to establish their validity. In fact, Let’s Encrypt has been connected to a serious malvertising attack which installed the Angler Exploit Kit when victims visited Let’s Encrypt-certified sites. This exploit installed a banking Trojan on the victim’s machine.

Trust is not quantifiable. Certificate authorities do their best to give trust, but there is never any guarantee. A comprehensive study undertaken by the Department of Computer Science at Stony Brook University came to the sobering conclusion that “a moderately motivated attacker can discover high-risk vulnerabilities in most certified websites, in less than one working day”. They give an example of such an exploit based on the security scanning protocol of the certificate authority. “We witnessed that the scanning requests of seal providers were always originating from the same IP range, often a block that is registered to the seal provider. It would thus be straightforward for an attacker to only expose his malware in case a request does not originate from an IP address related to a seal-provider. This way, an attacker could easily compromise a seal-utilizing website, while the website owner would remain under the impression the website was still secure as a consequence of the daily or weekly successful seal scans.” This is but one technique that the investigators discovered.

 In short, trust on the internet is under siege and it is reflected in the percentage of people who worry about identity theft, credit card compromise, and banking fraud. This can be seen in a recent US Government report.

internet trust

 Such low trust levels will certainly not be aided by the recent discovery of flaws in Symantec’s SSL system: a system that was considered among the best on the market. The severity of the problem was signaled when Google announced it may take Symantec off of its trusted certificate list. So it is that the preponderance of evidence leads to the conclusion that phishing scams and major industrial and governmental compromises are likely to be perpetrated through the manipulation of SSL certificates and , especially, the green padlock.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s