The Dangers of HTTPS and Extended Validation Certificates
Extended Validation (EV) certificates are an advanced type of digital certificate that websites use to enable HTTPS. Their purpose is to help fight phishing sites by allowing the official websites of legitimate companies to show the name of the company in the URL bar. In practice, though, EV certificates can be dangerous when dealing with phishing sites.
Introduction to HTTPS and EV Certificates
Before getting into the specifics of how Extended Validation (EV) certificates can be a threat, let’s briefly discuss what HTTPS and EV certificates are.
What Is HTTPS?
Pretty much everyone has heard of HTTPS. They know that when they’re using the Internet, it’s important to make sure that the address bar has that “green padlock.” As long as a website has the lock, it’s reputable and perfectly safe.
Not really. HTTPS doesn’t actually provide any guarantee that a website is safe or even that it is who it claims to be. The only thing that HTTPS promises is that the owner of the website has a trusted digital certificate for that website and that your connection to that website is encrypted. This makes it an improvement over ordinary HTTP, which does not provide authentication or encryption; but while HTTPS is necessary to browse the Internet securely, seeing the green padlock doesn’t mean that you’re safe.
To get a green padlock, all someone has to do is get a digital certificate for that domain. Services like Let’s Encrypt make this quick and easy, allowing anyone to set up a site protected by HTTPS. The only obligation for these services is to make certain that the person requesting the certificate actually has control over the website.
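To make concrete what such a certificate does and does not assert, here is an added example (not from the original post) that reads the dict returned by Python's `ssl` `getpeercert()` and reports which identity the CA actually vouched for. The two sample certificates are constructed, and the EV check is a heuristic based on the subject fields rather than the certificate-policy OID.

```python
import socket
import ssl

# Subject attributes the EV guidelines require; a heuristic, since the
# authoritative marker is the certificate-policy OID, which getpeercert() omits.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def fetch_cert(host, port=443):
    """Return the validated peer certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_attrs(cert):
    """Flatten the nested subject tuples into {attribute: value}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    subject = subject_attrs(cert)
    if "organizationName" not in subject:
        return "DV"  # CA checked control of the domain, nothing else
    if EV_FIELDS.issubset(subject):
        return "EV"  # CA vetted a registered legal entity
    return "OV"

def describe(cert):
    """Summarise what identity the certificate actually vouches for."""
    subject = subject_attrs(cert)
    return {
        "level": validation_level(cert),
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "organization": subject.get("organizationName"),
    }

# Constructed sample certificates (not captured from real sites).
DV_CERT = {
    "subject": ((("commonName", "lookalike-shop.example"),),),
    "subjectAltName": (("DNS", "lookalike-shop.example"),),
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "0000000"),),
                (("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "subjectAltName": (("DNS", "shop.example"),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, EV_CERT):
        print(describe(cert))
```

Both samples would earn a padlock; only the second names an organization, and the first vouches for nothing beyond the domain name itself.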
This means that phishing websites can have certificates too. In fact, over a quarter of phishing sites now use HTTPS. The burden is on the (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/mwHUZIzvSOE/