Fake banking websites issued with SSL certificates by Symantec, Comodo and GoDaddy
Netcraft accuses certificate issuing authorities of undermining web security by issuing SSL certificates to fraudulent banking websites
Digital certificate issuing authorities have been accused of issuing SSL certificates to fraudsters running fake banking websites.
Symantec, Comodo and GoDaddy - among others - have all been accused by web-monitoring company Netcraft of issuing the certificates for domain names and websites intended to mimic major banking groups, used in major phishing campaigns.
Certificates have been issued to cover fraudulent websites targeting PayPal, Halifax and NatWest customers in the UK, as well as Bank of America in the US. The websites support phishing campaigns, which drive users to them.
The certificates lend the websites an air of authenticity and give false confidence to the users tricked into visiting them, especially unsophisticated users who are constantly told that a website is "safe" if the web browser indicates that SSL security is in use.
"In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks," claims Netcraft in a warning. "Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net," it continues.
While Symantec, Comodo and GoDaddy have all been accused of providing fraudsters with digital certificates, Netcraft points to a company called CloudFlare in particular. "CloudFlare, a content delivery network that provides free 'Universal SSL' to its customers, is a hotspot for deceptive certificates, accounting for 39 per cent of SSL certificates used by phishing attacks with deceptive domain names during August 2015," it claims.
Comodo, meanwhile, was only just behind CloudFlare, accused of providing certificates to 37 per cent of the phishing sites uncovered by Netcraft during August. Symantec and GoDaddy were accused of providing certificates to nine per cent each.
Certificate authorities commonly provide SSL certificates at three different levels of assurance:
- Domain validated, whereby certificate authorities only have to check that the certificate's applicant controls the domain name contained in a certificate. These certificates are typically the cheapest option, and can be had for free or be purchased for less than $10.
- Organisation validated, which in addition to validating the domain name in the certificate, also certifies the identity of the person or organisation applying for an organisation-validated certificate. However, most browsers do not treat these certificates any differently to domain-validated certificates.
- Extended validation, in which the identity of the organisation applying for the certificate is verified by the certificate authority under a more stringent process than for organisation validation. These certificates also receive different treatment in major web browsers: the address bar is either partially or completely coloured green, and the requesting organisation's name and country are displayed next to the padlock. The requirements for extended-validation certificates in Chrome (and therefore Opera as well) are changing, with many certificate authorities caught out by recent changes to require certificate transparency.
"The requirement to perform additional verification of high risk certificate requests applies to all levels of assurance. However, domain-validated certificates are often issued completely automatically within minutes, making it easy for fraudsters to obtain domain-validated certificates for deceptive domain names," warns Netcraft.
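The pattern Netcraft describes, a deceptive domain name paired with an automatically issued domain-validated certificate, is exactly what a defender can look for in certificate transparency log entries. The following Python is an added example, not Netcraft's or any certificate authority's code: it classifies a certificate's assurance level from its CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV) and flags names that imitate a watched brand outside that brand's legitimate domains. The certificate records, the brand list and the tiny public-suffix table are constructed assumptions; a real monitor would read CT entries and use the full Public Suffix List.

```python
"""Triage certificate names for brand impersonation and assurance level.

Added example (not code from the article or from any CA). Certificates are
modelled as plain dicts holding the fields a CT log monitor would extract.
"""
import re

# CA/Browser Forum certificate policy OIDs (real values).
EV_POLICY_OID = "2.23.140.1.1"
OV_POLICY_OID = "2.23.140.1.2.2"
DV_POLICY_OID = "2.23.140.1.2.1"

# Brand keywords to watch and the registrable domains each brand legitimately
# uses. Assumption: replace with your own brand inventory.
BRANDS = {
    "paypal": {"paypal.com"},
    "halifax": {"halifax.co.uk"},
    "natwest": {"natwest.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# Simplified public-suffix table; real code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Digit-for-letter substitutions commonly seen in lookalike names.
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "8": "b"})


def assurance_level(cert):
    """Return 'EV', 'OV' or 'DV' from policy OIDs, falling back to subject fields."""
    policies = set(cert.get("policies", []))
    subject = cert.get("subject", {})
    if EV_POLICY_OID in policies:
        return "EV"
    # OV certificates carry an organisation and country in the subject.
    if OV_POLICY_OID in policies or ("O" in subject and "C" in subject):
        return "OV"
    return "DV"


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) using the simplified suffix table."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def deceptive_brand(host):
    """Return the brand a hostname imitates, or None for legitimate or unrelated names."""
    reg = registrable_domain(host)
    # Collapse separators and digit substitutions before searching for the brand.
    flat = re.sub(r"[^a-z]", "", host.lower().translate(LEET))
    for brand, legit in BRANDS.items():
        if brand in flat and reg not in legit:
            return brand
    return None


def triage(certs):
    """Flag certificates whose names imitate a brand; report the assurance level alongside."""
    findings = []
    for cert in certs:
        names = [cert["subject"].get("CN", "")] + cert.get("sans", [])
        hits = {b for b in (deceptive_brand(n) for n in names if n) if b}
        findings.append({
            "cn": cert["subject"].get("CN"),
            "level": assurance_level(cert),
            "brands": sorted(hits),
            "flag": bool(hits),
        })
    return findings


# Constructed sample records, modelled on what a CT log monitor would emit.
SAMPLE_CERTS = [
    {"subject": {"CN": "www.paypal.com", "O": "PayPal, Inc.", "C": "US"},
     "sans": ["paypal.com"], "policies": [EV_POLICY_OID]},
    {"subject": {"CN": "paypa1-account-verify.co.uk"}, "sans": [], "policies": [DV_POLICY_OID]},
    {"subject": {"CN": "secure.natwest.com.login-check.net"}, "sans": [], "policies": [DV_POLICY_OID]},
    {"subject": {"CN": "example.org", "O": "Example Ltd", "C": "GB"}, "sans": [], "policies": [OV_POLICY_OID]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CERTS):
        print(finding)
```

A flagged name on a DV certificate is the case the article is about: the certificate proves only that the applicant controlled the name, so the padlock says nothing about who the applicant is. The same check, run over a live CT feed for your own brands, is how a bank or CA would learn about such certificates early enough to request revocation or a takedown.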
Computing has contacted Symantec, Comodo and GoDaddy for comment, but as of midday, only Comodo CEO Melih Abdulhayoglu has responded.
In a statement, he said: "As the world's largest Certification Authority, we do have the largest share of the problem... Certificate issuance is a complex process and the problem with automated systems (like domain-validated certificates) is that there are no human validation operators vetting the issued certificates...
"As a full Certification Authority, we have put resources in place to revoke these certificates instantly [the moment] that we are made aware of them.
"We encourage reporting of any suspicious use of our certificates so that we can take action on it immediately. Our concern, going forward, is that although we have resources to fight this kind of evil, other new automated systems might not have the same resources to revoke in a timely manner.
"After all, a certification authority's job does not stop with the issuance of the certificate but includes the management of its full lifecycle, and revocation is an important part of it.
"Our promise is: the malicious intent and fraudsters will always try to find new ways, but we will always be vigilant and act instantly and decisively."