The Fraud Problem with Free SSL Certificates

SSL Certificates are the defacto standard for online trust today. SSLs are such a critical backbone to online security that Google gives a ranking boost to sites that secure their content with HTTPS.

Savvy Internet users have come to recognize and expect that any website asking for sensitive or personal information to display the universal symbol—the padlock—before typing in any sensitive information.

In a Tech-Ed survey, users reported that without knowing the identity of the organization conducting business, over 35% would reconsider entering a credit card number from a site using a plain SSL Certificate.

Differences between SSL Certificates

Are SSLs less trustworthy than we think? To answer this question, we have to consider the fact that not all SSL Certificates are created equal.

Domain Validated (DV): No identity verification is done. The Certificate Authority (CA) sends an automated challenge email and the site owner clicks on a link to approve the certificate. Information is encrypted, but no assurance is made that the organization should be trusted.

Because of the lack of trust and the frequent use for fraudulent purposes, DigiCert does not issue cheap domain validated certificates.

Organization Validated (OV): Basic identity verification is completed. In the case of an OV certificate, the CA conducts a much more substantial validation process. This includes checking the applicant’s business credentials (through government and business databases) and verifying that the website is a legitimate organization.

DigiCert validation experts are online 24/7 and can complete basic verification in less than 10 minutes on most certificates.

Extended Validation (EV): Extended identity verification is completed. This is the highest level of validation and strict standards for identity verification. The validation process includes physical location checks, phone calls to ensure the applicant is authorized to order the certificate on behalf of the company or business represented, and more.

DigiCert EV is issued in less than 24 hours for most EV Certificate requests.

Although all SSLs ensure that information online is encrypted, only OV and EV SSL Certificates actually certify the website is being operated by a legitimate organization, keeping users safe from fraud and phishing scams online. 

The Problem with Free SSL Certificates 

Let’s be honest, no one can give something away for free and remain in business for very long.  Some organizations today provide free SSL Certificates, relying solely on automated systems that skip authentication to keep costs extremely low. These organizations often provide add-on services for a fee, or are funded by third-party organizations with deep pockets.

Authentication is critical to online trust. Authentication provides the assurance that you’re at the real PayPal.com, and not a fake PayPal phishing site. CAs that include identity authentication in their certificates follow strict rules for verifying identity of organizations, individuals, and the authority to request SSL Certificates on behalf of organization. Free SSL Certificates don’t rely on performing authentication checks or identify verification, making them a prime candidate for fraudulent websites today.

Jerome Segura of Malwarebytes reported on an email campaign that leveraged a site benefiting from a free CloudFlare certificate in order to deliver malware to users online.

The malicious email message claimed to be a notice from cloud-based, remote connectivity service provider LogMeIn, about an alleged problem with extending the service subscription due to insufficient funds.

The HTTPS link included in the email claimed to point to an invoice showing the details of the transaction. Since the website had an SSL Certificate installed, users were more likely to trust it and download the malware file.

Fortunately, CloudFlare has since revoked the certificate for the website and the location is now flagged as malicious in all major web browsers.

However, this is only the tip of the iceberg and cyber criminals are taking notice. With free SSL Certificates or cheap SSL becoming more readily available, it’s likely that cyber criminals will continue to exploit the lack of identity verification to take advantage of users online.

EV SSL Certificates for All

In working with the CA/Browser Forum industry group create EV SSL Certificates, DigiCert set out to ensure that any organization could qualify for an EV certificates.

We continue to work with the group to make amendments to the EV verification process to ensure that more organizations can take advantage of the higher level of trust the EV provides, while ensuring that the process remains cyber-crime proof.

Tech-Ed’s EV survey showed that 67% of web users said they would not buy from an unfamiliar website that did not have an EV SSL Certificate to confirm the identity of the organization. Microsoft even adopted EV as their code signing standard for application security and require all UEFI code submissions must be signed by an Extended Validation (EV) Code Signing Certificate.

Enterprise Benefits of Extended Validation

EV SSL Certificates ensure that users can communicate securely with a website. Websites using an EV SSL Certificate gain immediate trust in the eyes of users because it reassures the user that the data is secure and the organization receiving the data is a reputable entity.

Since technical requirements prevent EV SSL Certificates from being forged, large enterprises especially benefit from using EV certificates as an easy anti-phishing indicator or that data being secured cannot be intercepted by a malicious third party.

Keeping users safe online and staying ahead of cyber criminals and scammers requires going above and beyond in online security. Identity verification is the clear answer to the problem of online trust.

Posted in Best Practices, Security, SSL, Uncategorized