Logo

PKI Consortium blog

Posts by tag Phishing

    Chrome Will Show Not Secure for all HTTP Sites Starting July 2018
    February 15, 2018 by Bruce Morton (Entrust) Android Chrome Google HSTS Phishing SSL/TLS Vulnerability

    Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last Fall Google announced the following status:

    • Over 68% of Chrome traffic on both Android and Windows is now protected
    • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
    • 81 of the top 100 sites on the web use HTTPS by default

    Google helped to drive this growth by implementing the “Secure” and “Not secure” status in Chrome’s status bar. “Secure” was provided for HTTPS sites. “Not secure” was implemented progressively, first resulting for HTTP pages requiring a password or credit card number. Then resulting for HTTP pages where text input was required.

    How Browser Security Indicators Can Protect You from Phishing
    June 6, 2017 by Chris Bailey (Entrust), Kirk Hall (Entrust) Chrome DV Encryption EV Google Identity Phishing SSL/TLS

    The media is full of stories about how phishing sites are moving rapidly to encryption using anonymous, free DV certificates they use to imitate login pages for popular sites, such as paypal.com.

    As noted in the article PayPal Phishing Certificates Far More Prevalent than Previously Thought, more than 14,000 DV SSL certificates have been issued to PayPal phishing sites since the start of 2016.  Based on a random sample, 96.7% of these certificates were intended for use on phishing sites.

    Think Twice Before Using DV for E-Commerce
    March 12, 2014 by Dean Coclin DV Encryption EV OV Phishing SSL/TLS

    In a previous blog (What Are the Different Types of SSL Certificates?), we described the various types of SSL certificates available from publicly trusted Certificate Authorities (CAs).  CAs are often asked by their customers which certificate type should be used for websites conducting E-Commerce, rather than for just encryption of sensitive data. For the latter case, a Domain Validated (DV) certificate will work fine. A DV cert allows for encryption to take place between the browser and the server. However, because DV certificates do not contain any identification information, they SHOULD NOT BE USED for E-Commerce.  Why? Let’s look deeper at the differences between these certificates.

    How Organizations Are Authenticated for SSL Certificates
    November 22, 2013 by Kirk Hall (Entrust) CA/Browser Forum CSR DV EV Identity OV Phishing Policy SSL/TLS

    Certification Authorities (CAs) are trusted third parties that authenticate customers before issuing SSL certificates to secure their servers.

    Exactly how do CAs authenticate these organizations? And where are the rules that determine what CAs must do during authentication?

    The Rules on Customer Authentication

    In the past, there were no common rules applicable to CAs as to minimum steps required to authenticate a customer before issuing an SSL certificate. Instead, each CA was permitted to create its own authentication processes, and was only required to describe the process in general terms in its public Certification Practice Statement (CPS). In many cases, the CPS authentication description was vague and hard to understand, and some CAs were less diligent than others during authentication.

    What Are the Different Types of SSL Certificates?
    August 7, 2013 by Dean Coclin DV Encryption EV Identity Phishing SSL/TLS

    Domain Validation (DV)

    A Domain Validated SSL certificate is issued after proof that the owner has the right to use their domain is established. This is typically done by the CA sending an email to the domain owner (as listed in a WHOIS database). Once the owner responds, the certificate is issued. Many CAs perform additional fraud checks to minimize issuance of a certificate to a domain which may be similar to a high value domain (i.e. Micros0ft.com, g00gle.com, b0fay.com). The certificate only contains the domain name. Because of the minimal checks performed, this certificate is typically issued quicker than other types of certificates. While the browser displays a padlock, examination of the certificate will not show the company name as this was not validated.

    Participate in our community discussions and/or join the consortium