The world of SSL certificates is changing, as the certs become easier to obtain and more frequently used. In general, having a secure HTTP-based website is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation between your browser and the web server. It isn’t impossible: if someone is determined to break that encrypted traffic, they have to work hard but they can do it with the right tools and lots of effort.
Despite their popularity, there is a dark side to them as well. Let’s take a closer look.
There are several different kinds of SSL certs:
-- Domain validated (DV), which involve minimal checking of credentials,
-- Extended validation (EV), which involve more vetting to ensure that the owner of the cert is who they say they are, and
-- Wildcard certs, which allow anyone operating a domain to link a single certificate to multiple subdomains and host names within that domain.
Last year, a non-profit organization called Let’s Encrypt began offering free SSL DV certs. The reason Let’s Encrypt could offer DV certs for free is that it built automated processes to make them easier to get. Since then it has issued certs for more than 46 million websites. Earlier this summer it issued its 100 millionth certificate. That is a lot of certs. Recently, it announced that starting next January, it would begin providing free wildcard certificates for Internet domains. This could help lower entry costs for smaller businesses that operate multiple subdomains. The non-profit organization hoped this announcement would spur donations to its efforts.
Having more wildcard certs will also spur fraudsters into using them too. Scammers want to apply certs to a lot of phony domains. Let me rephrase that more accurately. Scammers want to present a domain in a phished email, say, that lights up the green “lock” icon in a browser, or that shows the domain with a “secure” label. They want this because users will trust that they are connecting to the domain over an encrypted channel. The only trouble is that they are really having a private conversation with a bad actor. While the cert provides that visual feedback, it does nothing to ensure whether the domain owner is trustworthy or a scammer.
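The distinction the three cert types and the scammer scenario above rest on is what a certificate actually proves. As an added example (not code from the original article), the following Python script takes already-parsed certificate fields, works out the validation level from the CA/Browser Forum policy OIDs, applies the wildcard name-matching rules browsers use (a `*` covers exactly one leftmost label), and reports whether the padlock for a given host name says anything about who runs the site. The `Cert` dataclass and the three sample certificates are constructed for this example and are not real issuances.

```python
"""Added example: what a padlock proves, from fields parsed out of a certificate.

Inputs are plain dicts standing in for parsed X.509 fields; the sample
certificates at the bottom are constructed for this example, not real ones.
"""
from dataclasses import dataclass, field

# CA/Browser Forum certificate-policy OIDs that mark the validation level.
POLICY_EV = "2.23.140.1.1"
POLICY_OV = "2.23.140.1.2.2"
POLICY_DV = "2.23.140.1.2.1"


@dataclass
class Cert:
    subject: dict                                  # e.g. {"CN": ..., "O": ..., "C": ...}
    sans: list                                     # dNSName entries from subjectAltName
    policies: list = field(default_factory=list)   # certificatePolicies OIDs


def validation_level(cert: Cert) -> str:
    """Return 'EV', 'OV' or 'DV' from the policy OIDs; if no CA/B Forum OID is
    present, fall back to whether the subject carries an Organization (O)."""
    if POLICY_EV in cert.policies:
        return "EV"
    if POLICY_OV in cert.policies:
        return "OV"
    if POLICY_DV in cert.policies:
        return "DV"
    # An O field implies some identity vetting; its absence means only
    # control of the domain name was checked.
    return "OV" if cert.subject.get("O") else "DV"


def is_wildcard(cert: Cert) -> bool:
    """True if any SAN entry is a wildcard name such as '*.example.com'."""
    return any(name.startswith("*.") for name in cert.sans)


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching of one dNSName against a host name.
    A wildcard is accepted only as the whole leftmost label and matches
    exactly one label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'. Bare '*.tld' patterns are rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label wildcards ('w*.') and '*.tld' are not allowed
    if len(h_labels) != len(p_labels):
        return False  # the wildcard never spans more than one label
    return h_labels[1:] == p_labels[1:]


def covers_host(cert: Cert, host: str) -> bool:
    """Browsers match the host against subjectAltName only; a CN without a
    matching SAN is ignored, which this mirrors."""
    return any(san_matches(name, host) for name in cert.sans)


def describe(cert: Cert, host: str) -> dict:
    """Summarise what a padlock shown for `host` would and would not prove."""
    level = validation_level(cert)
    return {
        "host_covered": covers_host(cert, host),
        "level": level,
        "wildcard": is_wildcard(cert),
        "identity_vetted": level in ("OV", "EV"),   # DV proves domain control only
        "organization": cert.subject.get("O"),
    }


# Constructed sample certificates (not real issuances).
BANK_EV = Cert(
    subject={"CN": "www.bank.example", "O": "Bank Example Inc", "C": "US"},
    sans=["www.bank.example", "bank.example"],
    policies=[POLICY_EV],
)
WILDCARD_DV = Cert(
    subject={"CN": "*.shop.example"},
    sans=["*.shop.example", "shop.example"],
    policies=[POLICY_DV],
)
LOOKALIKE_DV = Cert(
    subject={"CN": "bank-example-secure-login.example"},
    sans=["bank-example-secure-login.example"],
    policies=[POLICY_DV],
)

if __name__ == "__main__":
    for cert, host in [(BANK_EV, "www.bank.example"),
                       (WILDCARD_DV, "checkout.shop.example"),
                       (WILDCARD_DV, "a.b.shop.example"),
                       (LOOKALIKE_DV, "bank-example-secure-login.example")]:
        print(host, describe(cert, host))
```

Run as a script it prints one summary per host: the lookalike name is fully covered by its DV cert and would light the padlock, yet `identity_vetted` is `False` and `organization` is `None`, which is exactly the gap the article describes. The wildcard case shows why `*.shop.example` reaches `checkout.shop.example` but not the deeper `a.b.shop.example`.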
But it isn’t just the criminals’ cert usage. A bigger issue is that browsers show the presence of the EV cert in different ways, and the subtleties are often lost on the majority of the general user population. Take a look at the two screens shown below: can you tell which one is fake and which one is legit?
Understanding certs requires some knowledge, and even many IT professionals don’t always have it. This piece by Troy Hunt has some research about the perceived vs. actual value of SSL certs. Hunt’s analysis of how users determine trust and how phishing attacks can be prevented is worth reviewing, and his attention to detail is commendable. Hunt cites several studies about perceived security from certs; for example, only seven percent of the top million websites that currently use HTTPS have EV certs. Many banks and other financial organizations don’t have HTTPS-based home pages, protecting only their subsequent login pages with SSL.
So should you secure your site with an SSL EV certificate? The short answer is yes, but with some qualifications, and only if you understand what you are getting into. As Hunt says, “the uncomfortable truth with encryption is that regardless of how many certs any vendor issues to malicious parties, you cannot change the fact that in doing so it protects more traffic more of the time.” He ends his screed with the statement, “By all means, go and grab an EV cert if you think there's benefit because at the absolute worst, they're not going to do any harm and at best, some people may trust you more and that could translate into sales.” Until we get better and more uniform notifications from our browsers, that sadly is the best we can expect for now.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.