GlobalSign Blog

The innovation of hacking: How cyber actors use fake website security

Website security has become a standard part of how the internet works, and it is important to be informed about the different types of TLS certificates (widely known as SSL certificates) as well as the current trends surrounding them. TLS certificates aim to protect a website from security breaches such as phishing and hacking. However, having a TLS-secured website does not necessarily mean the website is safe, as various cyber criminals exploit this belief to trick people into handing over sensitive information.

HTTPS? Better trust it… Right?

For an average internet user with limited knowledge of cyber security, seeing a “secured” website may give them the assurance that the website is safe and trustworthy. However, this assumption is extremely dangerous, because it allows phishing websites to use free TLS certificates to seem credible. The danger with a free TLS certificate from an untrusted CA is that it still shows a “secure” padlock icon beside the web address, giving the impression that the website is protected. Cyber criminals prey on this, and phishing has rapidly grown into a huge problem. To mitigate the issue, Google started deprecating the “Secure” visual indicator that appeared whenever a website used HTTPS.

While it is true that a TLS certificate should not be the determining factor in whether or not a website is fraudulent, it is still important to take a second look at the Certificate Authority (CA) that issued the certificate before you put your details into a website. Was it acquired from a free certificate provider or from a trustworthy one?

Get your free TLS certificates for more chances of getting hacked

According to the Anti-Phishing Working Group (APWG), 74% of reported phishing websites use TLS, aided by free offerings. HTTPS phishing is a major problem for the internet, and almost 100% of reported phishing websites use DV TLS certificates rather than Organization Validation (OV) or Extended Validation (EV) TLS certificates.

This phenomenon can be traced back to free DV TLS certificates, which is why many SMBs and companies have decided to shift to OV and EV certificates.

Types of Paid TLS Certificates

Paid TLS certificates provide more security and credibility, especially when they come from a trusted CA. In this section, we will break down the three validation levels.

Domain Validation (DV) Certificates

DV is an entry-level solution that provides affordable basic validation. DV certificates are issued very quickly, and no company information is checked or displayed on the certificate. Since DV certificates are easy to obtain, anyone can acquire one with little to no background check. Because these certificates offer the most basic security, they can also raise doubt with site visitors, since the only visual indicators that the website is secure are the padlock next to the address bar and a static site seal. Ideally, these certificates are best used for blogs and informational websites that do not collect or use customer data. This type of certificate should be avoided by anyone who might be at risk of phishing or fraud, particularly websites that handle sensitive data.

Organization Validation (OV) Certificates

OV provides more security than DV. The validation process covers ownership of the domain name, and the CA also vets the organization and the individual applying for the certificate, as well as the organization’s existence as a legal entity. This option is perfect for public-facing websites dealing with less sensitive transactional data.

Extended Validation (EV) Certificates

Lastly, the highest level of TLS certificate is Extended Validation, which requires a rigorous vetting and validation process. As such, websites with EV certificates are also the most reliable to end users. Because of their no-compromise standard of functionality, they are often seen as "premium" TLS certificates. EV TLS certificates are often acquired by large corporations, banks, and online stores. Moreover, they come with warranties worth up to millions of dollars.
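To put the advice above into practice (look at who issued a certificate and whether it names an organization, which DV certificates never do), here is an added Python example; it is not GlobalSign's code. The two certificate dicts are constructed samples in the shape Python's `ssl` module returns from `getpeercert()`, and the hostnames and CA names in them are made up.

```python
import ssl
import socket

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names below are invented for illustration, not real certificates.
DV_CERT = {
    "subject": ((("commonName", "example-blog.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Free CA"),),
               (("commonName", "Example Free CA R1"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example-blog.test"),),
}
OV_CERT = {
    "subject": ((("countryName", "GB"),), (("localityName", "London"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.example-bank.test"),)),
    "issuer": ((("countryName", "BE"),), (("organizationName", "Example Commercial CA"),),
               (("commonName", "Example OV CA 2020"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}

def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}

def classify_validation(cert):
    """Return (level, issuing CA, subject organization) for a getpeercert() dict.
    DV certificates carry no organization in the subject; OV and EV do. The
    getpeercert() dict omits the certificatePolicies extension, so EV cannot be
    told apart from OV here and both are reported as 'OV/EV'."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    subject_org = subject.get("organizationName")
    level = "OV/EV" if subject_org else "DV"
    return level, issuer.get("organizationName", "<unknown>"), subject_org

def fetch_peer_cert(host, port=443, timeout=5):
    """Live check of a site's leaf certificate, validated against the default trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else DV_CERT
    level, ca, org = classify_validation(cert)
    print(f"validation level: {level}; issued by: {ca}; subject organization: {org}")
```

A "DV" result with an unfamiliar issuer on a site asking for credentials or payment details is exactly the case the article warns about; the padlock alone says nothing about who is behind the site.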

GlobalSign offers a range of TLS options ensuring your public servers and sites are in line with industry best practices, and also offers cost-effective options for internal servers and special use cases. You may visit our official website for more details, or check out our free guide to help you get started on learning what TLS can do for your online brand.
