A solution for Domain Validation SSL to improve user safety.
Phishing is now more prevalent than ever. According to the APWG Internet Policy Committee, 2016 was a record year for phishing and 2017 is already on pace to top it. This growth is largely natural due to the continued growth of the internet itself. But it has also experienced a recent spike thanks to the current SSL ecosystem creating a perfect storm, which unfortunately lends itself to phishing.
This problem is actually a confluence of two trends. The first is a recent move by the browsers, led by Google and Mozilla, to change their connection security User Interface (UI) from an understated padlock icon to a more broadly appealing and obvious green “Secure”/“Not Secure” binary beginning with the release of Chrome 56/Firefox 51.
This, combined with the rapid proliferation of free SSL, has created an environment where phishing websites can add SSL and be marked as “Secure.” I’m sure we can all agree that a phishing site being labeled “Secure” is a bad thing. It enhances the potency of the phishing attempt.
And regardless of initial intentions, the current UI is aiding phishing. Here is data from Netcraft outlining the rise in HTTPS phishing websites since the change in browser UI:
We reported back in February that Let’s Encrypt had already issued 15,000 PayPal phishing certificates. That number has continued to increase ever since. And with the announcement that Let’s Encrypt will begin offering Wildcards in 2018, it’s going to grow exponentially.
PayPal is not the only company being targeted
PayPal serves as an interesting case study, but it’s far from the only company being impersonated. Comodo designed a phishing detection system that scrapes data from emails. It starts by identifying the entity being abused via a multi-faceted analysis (header, text, URL and image analysis). Then, using that data, it identifies the URLs that lead to phishing sites. It finds thousands per day.
Here’s a small sampling of the websites that have turned up.
Here is an example of an Apple ID phishing attempt. Notice it has been marked “Secure.”
Here is another example of an Apple phishing site. Once again it has been marked as “Secure.”
Here’s an AOL phishing website. Again, notice that it says “Secure.”
Here’s a fake Yahoo sign-in page that says “Secure.”
This Microsoft phishing page is more convincing because it says “Secure.”
This is not Chase, but someone’s going to be duped into thinking it is.
BNZ Internet Banking is being spoofed here, again the site says “Secure.”
Another example of a phishing attempt made more effective by the current browser UI.
Now, the natural reaction of many people will be that anyone can look at those URLs and realize that it’s not a legitimate website. And, particularly for our audience, that’s true. But our audience has a higher level of technical sophistication than the average internet user.
The average American internet user reads at about the level of a seventh grader. Considering the US is fifth in the world in literacy, it’s unfair to assume the average internet user is web savvy. More alarming, of the 33 richest nations in the world, only 5% of internet users had “high computer-related abilities” and only a third could complete medium-level tasks. We are overestimating the computer literacy of the average internet user.
Complicating matters even more is the fact that many internet users will mistake “Secure” for “Safe.” After all, people tend to trust their web browser, which is giving them some indication that they can let their guard down.
Education on this issue has been painfully misguided. For years, we’ve taught internet users to look for the indicators, but now they’ve been changed and little has been done to educate users on those changes. By creating this new binary, people are literally being lulled into a false sense of security.
Many, more sophisticated phishing websites use misleading multi-level sub-domains that take advantage of the way browsers elide URLs. Once again, given that the average internet user knows little about URLs, this can lead to confusion and mistakes.
Agree or disagree, it’s a matter of fact that the current UI is helping phishing websites. Period. The statistics that indicate a rise in phishing since the new UI was debuted confirm that. That this UI aids HTTPS phishing is undebatable. But, if you disagree, we’d love to hear why.
The Solution: It’s Time to Get Rid of Domain Validation’s UI
The current browser UI is making the internet less safe. It lends credence to HTTPS phishing websites—regardless of its original intentions.
To fix this, the browsers need to get rid of the indicators for Domain Validated SSL certificates. DV SSL does not have end user authentication. Anyone can get it—including phishing websites. This move should coincide with the browsers’ final deprecation of HTTP—when all HTTP sites begin to be marked “Not Secure.” Google aims to accomplish this within the next year.
After all, with HTTPS becoming a standard, why are we rewarding websites for simply doing what is required?
Of course, this is just a suggestion for the UI. But we – along with the CA Security Council, the world’s top Certificate Authorities and some of the world’s largest companies – think it’s a good one.
And frankly, it’s a solution where no one loses. It creates an internet where encryption is considered the norm, which is what Google and Mozilla want. Not to mention that from a user safety standpoint, it stops giving the impression that illegitimate websites are secure.
Regardless of to what degree, the current UI helps HTTPS phishing. That cannot continue. The DV visual indicator must go.