Untrustworthy Certificates

Many have been taught that the way to determine if a site is secure is to look for the padlock next to the URL in their browser. While that may have been true at one time, it increasingly is not true today. That is because a high percentage (over half) of phishing websites now have certificates (and the padlock). Simply having a certificate no longer equates to trust. This has ramifications for how institutions select their certificates and how they train their employees to browse safely. The trust level of a site depends on the type of certificate that the site uses. We'll review three main types of certificates today.

1. The most trusted sites use Extended Validation (or “EV”) certificates. EV certificates can be trusted more because they require the purchaser to prove that they are a legal entity with a physical presence and that they own the domain being protected. The certificate authority is required to rigorously verify credentials provided by the requester. 
   
   Similar to obtaining a driver’s license, the requester of an EV certificate normally needs to provide articles of incorporation, bank statements, or other documents that prove that the requestor is legitimate. Somebody performing a phishing campaign would never want to be identified, so are very unlikely to have an EV certificate. We believe that all financial institutions should try to obtain EV certificates for their publicly-facing sites which handle customer information.
   
   
2. The second level of certificates are Organization Validated (or “OV”). To obtain this type of certificate, the certificate authority performs some simple validation that the requesting organization exists. They will likely verify the address of the organization and that the person requesting the certificate is associated with the organization. These certificates are appropriate for less critical sites of an institution.
   
   
3. The least trusted certificates are Domain Validated (“DV”). These certificates simply require the requester to exhibit that they control the domain being protected. These types of certificates are generated automatically with no validation of the requesting party, so a phishing campaign can establish a domain that sounds legitimate and can quickly obtain a certificate for it, hoping to fool anyone who clicks on a link that the site is legitimate.
   
   Recently, providers have started providing these certificates for free, so there is no longer any cost to the attackers. We do not recommend that financial institutions use DV certificates, as we believe the institution should demonstrate a higher level of trust to customers.

Internally, financial institutions should start training employees how to tell the difference between different types of certificates when they are suspicious of a site. This will vary based on the browser in use, but normally an EV or OV certificate will show the company name next to the URL or display the URL in green. If employees are not sure of a site, they should be instructed to contact IT for help before clicking.

We hope this helps you feel more confident to safely browse the internet. If you have any questions or would like further information on how to implement a strategy to promote safe browsing, drop us a line and we'd be happy to help. If you found this information helpful could you do us a favor and share it? The more the merrier!