GlobalSign Blog

14 Apr 2017

Identity Matters for SSL…Why Secure Doesn’t Necessarily Mean Safe

Encryption is great! Encryption is necessary. We simply cannot conduct business online without encryption. As consumers, many of us have been trained to recognize what a secure HTTPS website looks like and to only trust those that display those traits. This is all good, except: is a secure website actually a safe website? Is encryption simply enough?

Free SSL/TLS certificate services, like Let’s Encrypt, have done of a great job of preaching the need for encryption. Let’s Encrypt has made it extremely easy to get a Domain Validated (DV) Certificate, a basic SSL/TLS Certificate for enabling encryption. DV Certificates, whether they are free or paid for, benefit millions of websites today that now have encrypted sites. Additionally, Google has started marking sites without HTTPS as not secure. And, the online business landscape has taken notice of the need to encrypt everything as well. In fact, encrypted internet traffic has recently surpassed the volume of unencrypted traffic.

So, more encrypted websites are a good thing…right? Well, maybe, maybe not. Because of how easy Let’s Encrypt has made it to get a free basic DV Certificate, anybody can quickly acquire a SSL/TLS Certificate for any type of website. There is nothing to stop somebody from using a DV Certificate from Let’s Encrypt or any other Certificate Authority (CA) for that matter to make their site look secure. But, going back to my earlier question, is that secure site safe and trusted?

Recently, there has been a lot of press about how phishing and other malicious sites are using DV Certificates issued from Let’s Encrypt to appear as legit and secure. Hey, they pass the secure sight test that we’ve been trained to identify. You see that Google has marked the site as secure and the padlock symbol is evident in other browsers as well. At first glance, these phishing sites look like they can be trusted. To quote Admiral Akbar, “it’s a trap!” So now, you really need to think twice whether that PayPal, bank, online retailer site is actually a legitimate site.

Example PayPal phishing site

Example PayPal phishing website using a free DV Certificate

How Can You Know for Sure If a Website Is Secure and Safe?

DV is only one type of SSL/TLS Certificate. Most Certificate Authorities (CA) offer DV certificates. As with all SSL/TLS, a DV Certificate encrypts communication between a browser and a web server and the site will show as HTTPS. They are generally low cost (or free) and easy to acquire since you only need to prove ownership of the domain. That means there’s nothing in the certificate that says a certificate issued to www.mycompany.com is actually operated by My Company.

Example DV Certificate appearance

Even with the greatest of intentions of making the internet safe, bad people have taken advantage of Let’s Encrypt’s free service and Let’s Encrypt is now unfortunately a victim of malicious activity and enabling these types of phishing sites. The argument is who is at fault, the CA for issuing the certificate or the browser for allowing the site to be presented as secure, but that’s a debate we’re not going to address here. What we will highlight today is the importance of identity in the certificate and what that means.

The Importance of Identity

Even though a site is encrypted, that alone doesn’t mean it is safe. When you couple encryption with identity, it becomes much harder to spoof a site. There are two other certificate types, aside from DV mentioned above, that bind identity to the domain, Extended Validation (EV) and Organization Validated (OV) Certificates. To acquire EV and OV Certificates, the issuing CA checks the right of the applicant to use a specific domain, plus it conducts vetting of the organization to prove the identity of the owner.

EV Certificates provide the strongest encryption level available and enable the organization behind a website to present its own verified identity to the website visitor. EV Certificates offer a stronger guarantee that the owner of the website passed a thorough, and globally standardized, identity verification process defined within the EV guidelines (a set of vetting principles and policies ratified by the CA/Browser Forum). The EV Certificate identity verification process requires the applicant to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate.

Example EV Certificate appearance

While OV Certificates require some proof of identity, they are not as desirable as EV Certificates since this identity information isn’t displayed directly in the address bar and they get the same browser treatment (e.g. standard padlock and https) as a DV Certificate. The difference between an OV Certificate and a DV Certificate is that the additional vetted company information is displayed to the visitor when clicking on the Certificate, giving enhanced visibility into who is behind the site and associated enhanced trust.

Who Should Use EV SSL Certificates?

EV SSL Certificates should be used in all applications that require identity assurance, visible trust and strong encryption. High profile websites often targeted for phishing attacks, such as major brands, banks or financial institutions, should use EV SSL Certificates for all public facing websites, but any website collecting data, processing logins or online payments can also benefit from the increased trust provided by this higher class of SSL/TLS.

EV SSL Certificates also allow less well-known brands to use a standardized level of trust to compete against the more familiar brands already established on the Internet. Digital commerce relies on trust and EV Certificates provide the highest level of assurance that the site is both secure and safe.

How to Make the Right SSL/TLS Certificate Choice?

When choosing the right SSL/TLS Certificate for your site(s), you need to consider a few factors. Is your brand and reputation important? Are you collecting personal information? Do you enable sensitive data or financial transactions? If you answered “yes” to any of those questions, you should look at an EV Certificate to provide the level of trust your visitors/customers need. Now, if you are simply providing information such as a blog site, a DV Certificate may be all you need. An OV Certificate will provide a greater level of trust than a DV if you need it.

This past January, the PCI Security Standards Council issued its Best Practices for Securing E-commerce guide. In the guide, it has a section on Public Key Certificate Selection (i.e. SSL/TLS Certificates) that outlines criteria on how to select a CA and choose the right certificate type for ecommerce sites. The PCI Security Standards Council is recommending the use of OV and EV Certificates if you are conducting online transactions.

PCI Standards TLS Certificate Level Summary

Source: PCI Security Standards Council Best Practices for Securing E-commerce, page 38

As one of the industry’s leading CAs, GlobalSign is here to help you make the right SSL/TLS Certificate choice. We’ve been doing this for 20+ years and have helped organizations of all sizes. We also offer managed solutions so that you can reduce the burden of managing multiple certificates in your environment from discover, issuance, revocation to renewal. Talk to us today.

Share this Post