OpSec Security

OpSec Blog


Don’t Let the Padlock Fool You! You May Not Be Safe

by OpSec Security

AntiFraud | Online Brand Protection

I took an informal poll of my non-industry friends on Facebook about the padlock in the address bar and what it meant to them. I either got “I don’t know” or a variation of “it means that the website I’m visiting is secure” or “it’s why there is an ‘S’ in https.” Unfortunately, we’ve been led to falsely believe the padlock or the “s” in https means we are at a valid, legitimate site and any communication with that website is secure.

However, that is not entirely accurate. The padlock icon (or the word “Secure” or sometimes the organization name), along with the “s” in https, indicates that the owner of the website being visited has purchased an SSL Certificate, which encrypts the data transmitted from the user’s browser to the website.

It does not, however, always verify that the website itself is legitimate and well-intentioned. This is an important distinction.

What’s an SSL Certificate?

SSL is an acronym for Secure Sockets Layer and is the name for the technology used in establishing an encrypted communication channel between a web server and a browser, denoted by the “s” at the end of http in the website address. Its purpose is to make sure that transmitted data remains private.

Utilizing SSL to protect users’ data is an industry standard and is widely used across the Internet. To create an SSL encrypted communication channel, the website owner purchases an SSL Certificate from a certificate authority (CA).

(A note on naming conventions: SSL certs can also be called TLS certs, in reference to Transport Layer Security, which is essentially a newer version of SSL. Many vendors use the phrase “SSL/TLS certificate”; however, it’s probably more accurate to call them “certificates for use with SSL and TLS”, since the protocols are determined by the server configuration and not the certificates themselves. I’ll refer to them collectively as SSL certs for this article.)

What most consumers don’t know

There are different levels of SSL Certs available to purchase. The basic certificate provides domain validation (DV), which simply demonstrates that the applicant has control of the domain name, either by responding to an email sent to one of the WHOIS contacts on the domain name, adding a particular TXT record to the DNS zonefile of the domain name, or adding a particular text file to the website of the domain name.

Organization-validated (OV) certs have a more extensive validation process including confirming domain ownership and organization identity. Organization validated certs are recommended. Extended Validation (EV) certs are most commonly used for financial and ecommerce sites because the CA uses a rigorous authentication method before the cert is issued.
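Since the browser may not show the difference, the level can be read from the certificate itself. The following is an added example (not from the original article) that applies a heuristic to the subject fields, in the layout returned by Python's `ssl.SSLSocket.getpeercert()`: no organization name means DV, and the extra identity fields mean EV. The sample certificates and the names in them are constructed.

```python
# Subject attributes that are only present once the CA has vetted the organization
# to the Extended Validation standard.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested tuples of RDNs into {attribute: value}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: return 'DV', 'OV' or 'EV' from the identity fields the CA asserted."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only control of the domain name was checked
    if EV_FIELDS.issubset(fields):
        return "EV"   # organization plus legal-registration details
    return "OV"       # organization identity confirmed

def describe(cert):
    """One-line summary an analyst can compare with what the page claims to be."""
    fields = subject_fields(cert)
    who = fields.get("organizationName", "no organization identity asserted")
    return f"{fields.get('commonName', '?')}: {validation_level(cert)} ({who})"

# Constructed samples in getpeercert() layout (not real certificates).
DV_CERT = {"subject": ((("commonName", "login-portal.test"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "www.examplebank.test"),))}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```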

There isn’t any standardization across the browsers in how they display EV vs. OV or DV certs; Firefox shows the company name in the address bar for EV certs and will list the name of the website that is secured for OV and DV certs.

However, Chrome makes no distinction for EV, OV or DV and only indicates “Secure”.

HTTPS does not mean the site is safe

Cybercriminals have now found a way to trick Internet consumers into believing a site is safe.

Until recently, most cybercriminals did not register SSL Certs for sites since it was costly and CAs vetted the organization before granting an SSL Cert. Recently, organizations like Let’s Encrypt, which led the initiative on this, and Comodo have changed the landscape by removing fees for issuing short-validity (90 days) domain validated SSL certs and greatly simplifying the process of utilizing an SSL Cert.

Their goal is smart: to convert unsecure traffic to secure traffic for a large number of sites that either couldn’t afford to purchase a cert or didn’t have the tech savvy to administer a cert. Unfortunately, though, while more sites are encrypted to protect legitimate consumers, there has also been heavy misuse of this initiative by cybercriminals.

This new option to register SSL certs easily and for free has given cybercriminals the ammunition they need to take advantage of the general consumer perception that an https/padlock/“secure” designation indicates a safe site. The SSL cert conveys a false sense of security and lures more consumers to fall prey to phishing sites.

MarkMonitor has been tracking the volume of phishing sites identified using an SSL Cert, and the chart below illustrates the percentage of total phishing sites using SSL certs from January 2018 to February 2019. In October there was a significant spike in phishing sites with certs, and as of February 2019 the volumes are nearly at the same levels.

[Chart: Percentage of Phish Sites with an SSL Cert]

Web Browsers Can’t Protect Against this Problem

Web browsers have long encouraged consumers to trust the https secure designation; however, what was generally not made clear to the vast majority of Internet users is that the SSL Cert encrypts a communication channel but DOES NOT provide validation of how trustworthy the website is, nor any indication of web application security.

Web browsers have been doing their part to further protect consumers, as they do have a vested interest in establishing a secure online experience. Both Google Chrome and Mozilla Firefox began identifying unencrypted sites (those sites with HTTP instead of HTTPS, indicating no SSL Cert) as “Not Secure” in the address bar anytime credit card or password fields are on the website or, with Chrome 62, when a person is using any type of data field.

The web browsers’ initiative is helpful in finding unencrypted sites; however, with some SSL Certs now being free and CAs not required to do any sort of validation beyond making sure the person registering the SSL Cert is the owner of the domain, web browsers only provide limited protection. There are no additional checks to validate affiliation with the brand or organization contained in the domain name (if any).

MarkMonitor has Adjusted Phishing Detection to Combat the Threat

To respond to this new threat, MarkMonitor has been working with some of our heavily-targeted customers to quickly turn this problem into an opportunity to expand our detection capabilities for AntiFraud Services. By monitoring new SSL Cert registrations, we are now able to more rapidly detect phishing sites. We can then begin mitigation steps before the email campaign is launched, thereby blocking consumer exposure and preventing damage.
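One way to triage the DNS names found in newly issued certificates for imitations of a protected brand, as an added example that is not MarkMonitor's detection logic. The brand label, the owned domain, the similarity threshold and the sample names are all constructed assumptions, and the source of the names (a feed of new certificate registrations) is assumed.

```python
import difflib

BRAND = "examplebank"              # hypothetical protected brand label
OWNED = {"examplebank.example"}    # hypothetical domains the brand really controls
# Digit-for-letter swaps seen in lookalike names, mapped back to plain letters.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable(name):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def imitation(name):
    """Return why a certificate name imitates BRAND, or None if it does not."""
    if registrable(name) in OWNED:
        return None                # issued for a domain the brand owns
    # Treat hyphens as separators so "brand-login" is checked piece by piece.
    for label in name.lower().replace("-", ".").split("."):
        plain = label.translate(SWAPS)
        if label == BRAND:
            return "brand used under someone else's domain"
        if plain == BRAND:
            return "digit-for-letter lookalike"
        if difflib.SequenceMatcher(None, plain, BRAND).ratio() >= 0.85:
            return "near match"
    return None

def triage(new_cert_names):
    """Keep only the names worth an analyst's attention, with the reason."""
    hits = []
    for name in new_cert_names:
        reason = imitation(name)
        if reason:
            hits.append((name, reason))
    return hits

# Constructed sample: DNS names taken from newly issued certificates.
SAMPLE = [
    "login.examplebank.example",
    "examplebank.example.secure-update.test",
    "examp1ebank-login.test",
    "exampelbank.test",
    "weather.test",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"{name}: {reason}")
```

Every flagged name already holds a valid certificate, so a padlock would be shown for it; the flag comes from the name, not from the encryption.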

Best Practices for Consumers Include:

  • Approach new websites with skepticism regardless of how you are directed to them.
  • Make sure the phishing filter is turned on in your browser. Details for Firefox are here, for Chrome here, and for IE and Edge here.
  • Always view SSL certs and whois (domain ownership) records when unsure if the site is valid or not (there is a whois lookup available at the foot of our MarkMonitor.com home page).
  • Always install the newest updates for your software.

Additionally, for MarkMonitor Domain Management customers, Certificate Authority Authorization (CAA) records are fully supported by MarkMonitor Enterprise and Premium DNS. CAA records are a new type of DNS record that allows domain owners to specify the CA(s) that are authorized to issue a cert on behalf of the domain name. See Digicert.com for more information about CAA records.
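How a CA evaluates CAA records before issuing, following the rules of RFC 8659, as an added example that is not from the original article. The zone contents, CA domain names and the account parameter are constructed sample data.

```python
# Constructed CAA record sets: owner name -> list of (flags, tag, value).
ZONE = {
    "examplebank.example": [
        (0, "issue", "ca-one.example"),      # only this CA may issue
        (0, "issuewild", ";"),               # nobody may issue wildcard certs
        (0, "iodef", "mailto:security@examplebank.example"),
    ],
    "shop.examplebank.example": [
        (0, "issue", "ca-two.example; account=12345"),
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, name, zone=ZONE):
    """True if the CA identified by ca_domain may issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognized tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [value for _, tag, value in rrset if tag == "issue"]
    issuewild = [value for _, tag, value in rrset if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True   # no restricting property: CAA does not limit issuance
    # The issuer domain precedes any ";" parameters; an empty one means "nobody".
    return any(v.split(";")[0].strip() == ca_domain for v in values)

if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.examplebank.example"),
                     ("ca-two.example", "www.examplebank.example"),
                     ("ca-one.example", "*.examplebank.example")]:
        print(ca, name, may_issue(ca, name))
```

A record set on a subdomain replaces the parent's rather than adding to it, which is why `shop.examplebank.example` here admits only the second CA.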
