The Browsers Need to Stop Helping Hackers Phish

A solution for Domain Validation SSL to improve user safety.

Phishing is now more prevalent than ever. According to the APWG Internet Policy Committee, 2016 was a record year for phishing and 2017 is already on pace to top it. This growth is largely natural due to the continued growth of the internet itself. But it has also experienced a recent spike thanks to the current SSL ecosystem creating a perfect storm, which unfortunately lends itself to phishing.

This problem is actually a confluence of two trends. The first is a recent move by the browsers, led by Google and Mozilla, to change their connection security User Interface (UI) from an understated padlock icon to a more broadly appealing and obvious green “Secure”/“Not Secure” binary beginning with the release of Chrome 56/Firefox 51.

[Image: Web browsers' UI for HTTPS]

This, combined with the rapid proliferation of free SSL, has created an environment where phishing websites can add SSL and be marked as “Secure.” I’m sure we can all agree that a phishing site being labeled “Secure” is a bad thing. It enhances the potency of the phishing attempt.

And regardless of initial intentions, the current UI is aiding phishing. Here is data from Netcraft outlining the rise in HTTPS phishing websites since the change in browser UI:

[Image: Netcraft graph showing an increase in HTTPS phishing sites]

We reported back in February that Let’s Encrypt had already issued 15,000 PayPal phishing certificates. That number has continued to increase ever since. And with the announcement that Let’s Encrypt will begin offering Wildcards in 2018, it’s going to grow exponentially.

PayPal is not the only company being targeted

PayPal serves as an interesting case study, but it’s far from the only company being impersonated. Comodo designed a phishing detection system that scrapes data from emails. It starts by identifying the entity being abused via a multi-faceted analysis (header, text, URL and image analysis). Then, using that data, it identifies the URLs that lead to phishing sites. It finds thousands per day.

Here’s a small sampling of the websites that have turned up.

Apple-ID

Here is an example of an Apple ID phishing attempt. Notice it has been marked “Secure.”

[Image: Apple HTTPS phishing website]

Here is another example of an Apple phishing site. Once again it has been marked as “Secure.”

[Image: AOL HTTPS phishing website]

Here’s an AOL phishing website. Again, notice that it says “Secure.”

[Image: Yahoo HTTPS phishing website]

Here’s a fake Yahoo sign-in page that says “Secure.”

[Image: Microsoft login HTTPS phishing website]

This Microsoft phishing page is more convincing because it says “Secure.”

[Image: Chase login HTTPS phishing website]

This is not Chase, but someone’s going to be duped into thinking it is.

[Image: BNZ login HTTPS phishing website]

BNZ Internet Banking is being spoofed here; again, the site says “Secure.”

[Image: Orange login HTTPS phishing website]

Another example of a phishing attempt made more effective by the current browser UI.

Now, the natural reaction of many people will be that anyone can look at those URLs and realize that it’s not a legitimate website. And, particularly for our audience, that’s true. But our audience has a higher level of technical sophistication than the average internet user.

The average American internet user reads at about the level of a seventh grader. Considering the US is fifth in the world in literacy, it’s unfair to assume the average internet user is web savvy. More alarming, of the 33 richest nations in the world, only 5% of internet users had “high computer-related abilities” and only a third could complete medium-level tasks. We are overestimating the computer literacy of the average internet user.

Complicating matters even more is the fact that many internet users will mistake “Secure” for “Safe.” After all, people tend to trust their web browser, which is giving them some indication that they can let their guard down.

Education on this issue has been painfully misguided. For years, we’ve taught internet users to look for the indicators, but now the indicators have been changed and little has been done to educate users on those changes. By creating this new binary, people are being lulled into a false sense of security.

Many of the more sophisticated phishing websites use misleading multi-level sub-domains that take advantage of the way browsers elide URLs: a hostname that begins with a well-known brand’s domain can actually be registered under an entirely different domain further to the right. Once again, given that the average internet user knows little about URLs, this can lead to confusion and mistakes.
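As an added illustration (not part of the original article), the following Python shows why reading a hostname from the left misleads, and how to recover the registrable domain (the public suffix plus one label), which is the only part of the URL that indicates who controls the site. The public-suffix set is a small constructed subset for the demo, not the real Public Suffix List, and the hostnames are constructed examples under the reserved `.example` TLD.

```python
"""Registrable-domain check for phishing-style multi-level hostnames.

Added example; the suffix set is a constructed subset, not the real
Public Suffix List. A production checker would load the full list.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes (assumption for the demo only).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def registrable_domain(url: str) -> str:
    """Return the public suffix plus one label (eTLD+1) for a URL.

    'https://paypal.com.login.example/signin' -> 'login.example'
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Walk from the full host toward the right so the longest public
    # suffix matches first ('co.uk' before 'uk').
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host


def leftmost_label_impersonates(url: str, brand_domain: str) -> bool:
    """True when the hostname *starts* with a brand's domain but is
    registered under a different eTLD+1: the pattern that address-bar
    elision hides from a user who only sees the left end of the URL."""
    host = (urlsplit(url).hostname or "").lower()
    brand = brand_domain.lower()
    return host.startswith(brand + ".") and registrable_domain(url) != brand


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, two lookalikes.
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.com.login.example/signin",
                   "https://paypal.com.secure.co.uk/"):
        print(sample, "->", registrable_domain(sample),
              "| impersonates:", leftmost_label_impersonates(sample, "paypal.com"))
```

A defender can apply the same registrable-domain comparison to URLs extracted from mail or proxy logs, flagging hostnames whose leftmost labels spell out a protected brand while the eTLD+1 belongs to someone else.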

Agree or disagree, it’s a matter of fact that the current UI is helping phishing websites. Period. The statistics that indicate a rise in phishing since the new UI was debuted confirm that. That this UI aids HTTPS phishing is undebatable. But, if you disagree, we’d love to hear why.

The Solution: It’s Time to Get Rid of Domain Validation’s UI

The current browser UI is making the internet less safe. It lends credence to HTTPS phishing websites—regardless of its original intentions.

To fix this, the browsers need to get rid of the indicators for Domain Validated SSL certificates. DV SSL verifies only control of a domain name, not the identity of the entity behind the website. Anyone can get it—including phishing websites. This move should coincide with the browsers’ final deprecation of HTTP—when all HTTP sites begin to be marked “Not Secure.” Google aims to accomplish this within the next year.

After all, with HTTPS becoming a standard, why are we rewarding websites for simply doing what is required?

This is what is being proposed by the CA Security Council:

[Image: Proposed universal browser UI]

Of course, this is just a suggestion for the UI. But we – along with the CA Security Council, the world’s top Certificate Authorities and some of the world’s largest companies – think it’s a good one.

[Image: Certificate Authorities that support the proposed UI]

[Image: Companies that support the proposed UI]

And frankly, it’s a solution where no one loses. It creates an internet where encryption is considered the norm, which is what Google and Mozilla want. Not to mention that from a user safety standpoint, it stops giving the impression that illegitimate websites are secure.

Regardless of the degree, the current UI helps HTTPS phishing. That cannot continue. The DV visual indicator must go.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.