Secure and Trusted Phishing

Eric Lawrence:

One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites.


By December 8, 2016, LetsEncrypt had issued 409 certificates containing “Paypal” in the hostname; that number is up to 709 as of this morning. Other targets include BankOfAmerica (14 certificates), Apple, Amazon, American Express, Chase Bank, Microsoft, Google, and many other major brands. LetsEncrypt validates only that (at one point in time) the certificate applicant can publish on the target domain. The CA also grudgingly checks with the SafeBrowsing service to see if the target domain has already been blocked as malicious, although they “disagree” that this should be their responsibility. LetsEncrypt’s short position paper is worth a read; many reasonable people agree with it.

Josh Aas of Let’s Encrypt writes in that position paper:

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of DV certificate ought to connote at least some of these things.

The impression that a site with a DV certificate is, technically speaking, secure is largely the fault of the browser UI. Specifically, it’s the fault of Chrome’s UI, which displays a green lock icon and the word “Secure” in the address bar for sites with DV certificates. A site with an EV certificate — the kind of certificate that “guarantees” that a site is from a specific company — is displayed in the same green, but the “secure” text is replaced with the company name. This treatment is overly generous towards vouching for DV certificates, to a misleading extent. And that’s a problem, because Chrome is the world’s most popular browser.

Other browsers treat the two types of HTTPS certificates with a little more care. Both Safari and Microsoft Edge display a grey lock icon in the address bar when a site has a DV certificate, and a green lock icon with the company name when the site has an EV certificate. Firefox, on the other hand, displays the same green lock icon for sites with DV or EV certificates, but EV certificates also display the company name; DV certificates have no additional wording at all.

I think the approach that Apple and Microsoft are taking here is much clearer than what Google and Mozilla are offering in their browsers. In that sense, Aas’ position is correct. But I think that there’s more that certificate authorities could do as well. For instance, Let’s Encrypt could automatically flag any signing attempt with words like “bank”, “PayPal”, or the names of well-known companies and their products — “Google”, “iCloud”, and so forth. Let’s Encrypt could then revoke that certificate if it is being misused.

However, even with better protections in place to restrict the use of HTTPS certificates on phishing sites, I’m not sure how much difference it will make. Plenty of people who should know better have been convinced by phishing attempts.