
Hidden e-commerce hazards and valid SSL certificates

To do business on the Internet, consumers and companies need a reliable way to exchange credit card numbers, passwords and other personal data. We at Cloud4Y resell SSL certificates from several vendors, so we decided to put together a short guide and a few interesting facts about the types of certificates, their advantages and their pitfalls.


SSL (today, strictly speaking, TLS) is the technology that protects most of the web and essentially makes e-commerce possible. Users recognize it by the lock symbol in the browser, which means that all data sent to the recipient is encrypted so that nobody else can read it. There is one catch: encryption only helps if you are sure that the party at the other end, the one who can decrypt the data, really is who you think it is and not a fraudster.


SSL certificates: transactional security


To enable encryption, websites use digital certificates issued by certification authorities (CAs; Symantec is one example). A CA is a third party that verifies information about the applicant using various databases, phone calls and other means. Note that the CA does not check whether the business is trustworthy; its role is to establish that the business exists and to issue it credentials (digital certificates).
Currently there are three types of SSL certificates: domain validation (DV), organization validation (OV) and extended validation (EV).


Not so long ago, only OV certificates were available. With this type of certificate the CA confirms certain business information behind the domain name, thus ensuring that the applicant is exactly who it claims to be. For example, to purchase a certificate for www.amazon.com, Amazon would have to supply the CA with documentation proving that it is a real company.


Then, in the 2000s, DV certificates appeared. Such a certificate is issued as quickly as possible because the applicant only has to prove the right to use the domain name; no other business information is checked. For example, anyone who registered the domain www.myfavoritestore.com could obtain a DV certificate simply by requesting it from a CA and responding to the CA's e-mail. As soon as the CA received the response, the certificate was issued immediately, which made it possible to set up the online store MyFavoriteStore.com and start accepting credit cards within minutes. Obviously, there is no confirmation of the legitimacy of the business, and nobody can guarantee that this online store does not belong to fraudsters.


The figure below compares the certificate details of a DV certificate (carbon2cobalt.com) with those of the OV certificate for amazon.com:

image

As can be seen in the figure, the DV certificate provides no information except the domain name (carbon2cobalt.com). There is nothing about where this business operates or who owns it. The OV certificate for amazon.com, by contrast, shows the name of the company and its location. In the browser window, however, the two certificates look the same:

image

Extended SSL


The most recent certificate type to appear is the Extended Validation (EV) certificate. Here the CA performs an extended vetting of the applicant to raise the level of trust in the business. The following is an example of an EV certificate:
In this example it is clear that the certificate (and the site) belong to Bank of America in Chicago, Illinois. This information was confirmed by the CA as part of the vetting process, which included examination of corporate documents, verification of the identity of the applicant and cross-checking of the information against third-party databases.

image

At the time of writing, all browsers lit a visual indicator for such a certificate, usually a green lock in the address bar, and displayed the organization name to the left or right of the URL. This tells the consumer that the website's identity data has been thoroughly verified. (A caveat for today's reader: since 2019 the major browsers no longer show the organization name in the address bar; it is visible only in the certificate details, so users cannot rely on the address bar alone to tell EV from DV.) The figure below shows how EV certificates were displayed in popular browsers. The extended vetting makes EV certificates considerably harder to obtain:

image
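The three certificate types differ in which identity attributes the Subject carries: a DV certificate has only the domain name(s), an OV certificate adds the organization name and its location, and an EV certificate additionally carries the business category, the company's registration number and the jurisdiction of incorporation. The following Python script, added here as an illustration and not part of the original article, classifies a certificate from those attributes. It works on the dictionary shape that the standard library's `ssl.SSLSocket.getpeercert()` returns; the three sample certificates are constructed by hand for offline use, and their field values (company names, registration number) are invented.

```python
"""Classify a TLS certificate as DV, OV or EV from its Subject attributes.

Added illustration, not code from the original article. Works on the dict
returned by ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each
RDN a tuple of (attribute_name, value) pairs. Sample data below is constructed.
"""
import socket
import ssl

# Attribute names as getpeercert() reports them (OpenSSL long names).
# The EV Guidelines require these Subject attributes on top of the OV ones.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_dict(cert):
    """Flatten getpeercert()'s nested subject tuples into {attribute: value}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out[name] = value
    return out


def classify(cert):
    """Return 'EV', 'OV' or 'DV' depending on which identity fields are present.

    This is a heuristic on the Subject only: the authoritative EV signal is the
    issuer's EV policy OID in the certificatePolicies extension, which
    getpeercert() does not expose.
    """
    subj = subject_dict(cert)
    if "organizationName" in subj and EV_FIELDS <= subj.keys():
        return "EV"
    if "organizationName" in subj and "countryName" in subj:
        return "OV"
    return "DV"


def describe(cert):
    """One-line summary of what the certificate actually vouches for."""
    subj = subject_dict(cert)
    kind = classify(cert)
    names = sorted(v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS")
    if kind == "DV":
        who = ", ".join(names) or subj.get("commonName", "?")
        return f"DV: only domain control verified for {who}"
    where = ", ".join(subj[k] for k in ("localityName", "stateOrProvinceName", "countryName") if k in subj)
    extra = ""
    if kind == "EV":
        extra = f"; business category {subj['businessCategory']}, reg. no. {subj['serialNumber']}"
    return f"{kind}: {subj['organizationName']} ({where}){extra}"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate (needs network; not used by the offline samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples mimicking getpeercert() output; all values are invented.
DV_SAMPLE = {
    "subject": ((("commonName", "www.myfavoritestore.com"),),),
    "subjectAltName": (("DNS", "www.myfavoritestore.com"), ("DNS", "myfavoritestore.com")),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Seattle"),),
        (("organizationName", "Example Retail, Inc."),),
        (("commonName", "www.example-retail.com"),),
    ),
    "subjectAltName": (("DNS", "www.example-retail.com"),),
}
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "Delaware"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("stateOrProvinceName", "Illinois"),),
        (("localityName", "Chicago"),),
        (("organizationName", "Example Bank Corporation"),),
        (("commonName", "www.example-bank.com"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.com"),),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        print(describe(sample))
```

To check a real site, pass the result of `fetch_peer_cert("www.example.com")` to `describe()`. Note that the OV/EV distinction drawn here from the Subject is only a heuristic; a definitive check requires reading the certificatePolicies extension and comparing the OID against the issuer's published EV policy OID, which needs a full X.509 parser rather than the `ssl` module's summary dictionary.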

EV certificates help establish the legitimacy of a business and provide a tool that can be used to combat phishing, malware and other online fraud. EV certificates have the following advantages:


1. They make phishing and other types of online fraud harder to carry out;
2. They help companies that are likely targets of phishing and online fraud by giving them a way to identify themselves more clearly to users;
3. They assist law enforcement agencies in investigating phishing and other types of online fraud.

What is wrong with basic certificates?


It's simple: the MyFavoriteStore.com site from the example above is not a real business. It is a phishing site. How does this happen?


1. A fraudster buys a domain from a registrar using fake contact details and a stolen credit card. The registrar hands the domain myfavoritestore.com over to the fraudster.
2. Having obtained control of the domain, the fraudster applies to a CA for a basic (domain validation) certificate. The CA only requires the applicant to reply to an e-mail and, on receiving the reply, issues the certificate.
3. The scammer builds web pages advertising popular products, complete with credit card entry forms.
4. Buyers are driven to the site through mass mailings and false advertising.
5. When a consumer sees the lock in the browser's address bar, he calmly enters his credit card details to make a purchase.
6. The fraudster steals the card details; the consumer loses money and never receives the goods. Anyone who inspects the SSL certificate finds nothing but the domain name: no verified address and no other identifying information.


A recent Symantec study found that more than a third of all e-commerce companies protect their sites with DV certificates. This is not surprising given how easy, fast and cheap such a certificate is to obtain. Although every CA is required to perform basic fraud screening before issuance, fraudsters readily adapt their methods to bypass these checks. For example, the name PayPal is a frequent target of fraud, so a CA will run an automated check for similar names such as pay-pal, securepaypal, p@ypal and so on. Yet not long ago a certificate was issued for the domain paypol-france.com, which was then used in phishing attacks to steal user credentials. Obtaining an OV or EV certificate for a name like that would be far more difficult for fraudsters.
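The paypol-france.com case shows why a screening check that only looks for the brand name as a substring (with a few fixed leet-speak variants) is not enough. The following Python script, added here as an illustration and not part of the original article or of any real CA's issuance pipeline, shows a more robust pre-issuance check: it normalizes the requested name (lower-casing, folding accents and non-ASCII look-alikes, mapping common digit and symbol substitutions, dropping separators) and then compares every window of the label against a watch list using edit distance, so that a one-letter swap like "paypol" is caught as well as "pay-pal" and "p@ypal". The brand list, the substitution table and the sample requests are all constructed for the example.

```python
"""Look-alike domain screening of the kind a CA could run before issuing a
DV certificate. Added illustration; not the original article's content and
not any real CA's actual logic. Watch list and samples are constructed.
"""
import re
import unicodedata

PROTECTED_BRANDS = {"paypal", "amazon"}  # constructed watch list

# Common digit/symbol substitutions seen in phishing names (illustrative).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(label):
    """Lower-case, fold accents, map substitutions, keep only a-z.

    Non-ASCII characters that have no ASCII decomposition (e.g. a Cyrillic
    'а' used in place of Latin 'a') are dropped, which leaves a label one
    edit away from the brand and therefore still caught by the window test.
    """
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'paypol-france' for 'www.paypol-france.com'.

    Assumes a single-label public suffix; a production check would consult
    the Public Suffix List so that 'example.co.uk' yields 'example'.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_matches(domain, brands=PROTECTED_BRANDS, max_distance=1):
    """Return the set of watched brands the requested domain resembles.

    Two tests on the normalized second-level label:
    1. the brand occurs as a substring ('securepaypal');
    2. some window of the brand's length is within max_distance edits of it
       ('paypolfrance' -> window 'paypol' is one edit from 'paypal').
    """
    label = normalize(registrable_label(domain))
    hits = set()
    for brand in brands:
        if brand in label:
            hits.add(brand)
            continue
        n = len(brand)
        for i in range(max(1, len(label) - n + 1)):
            if levenshtein(label[i:i + n], brand) <= max_distance:
                hits.add(brand)
                break
    return hits


def screen_request(domain, brands=PROTECTED_BRANDS):
    """Decision a CA pipeline could take: issue, or hold for a human vetter."""
    hits = brand_matches(domain, brands)
    if hits:
        return "hold for manual review: resembles " + ", ".join(sorted(hits))
    return "issue"


if __name__ == "__main__":
    # Constructed sample requests, including the ones named in the article.
    for req in ("pay-pal.com", "securepaypal.com", "p@ypal.net",
                "paypol-france.com", "p\u0430ypal.com", "myfavoritestore.com"):
        print(f"{req:22} -> {screen_request(req)}")
```

Such a check flags the legitimate brand's own domains too, so in practice the watch list is paired with an allow list of the brand owner's verified names, and a hit routes the request to a human rather than rejecting it outright. It also only protects the brands on the list; an unknown store name like myfavoritestore.com passes, which is exactly the gap that DV validation leaves open and that OV/EV vetting is meant to close.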


Compare the two certificates below. On the left is the certificate for bookairfare.com, on the right the one for ebookers.com. A consumer looking for cheap flights through a search engine may be directed to either site, but how can he tell whether the business has been verified? Examining the certificate on the left, the user will find no business information at all, which means he is looking at a DV certificate. The certificate on the right, unlike the left one, contains verified business data.

image

Criminals often create fake websites for identity theft and other fraud. To lend the site legitimacy, they copy the look of a real site in detail and obtain an SSL certificate so that the user sees the visual security indicator. As noted earlier, a domain validation certificate is relatively easy to obtain. The figure below shows an example of phishing via a link in an e-mail:

image
The site has convincing web pages, and the security icon is shown:
image

Nevertheless, inspecting the certificate shows that it is a DV certificate:

image

Instead of conclusion


As the saying goes, on the Internet nobody knows who you really are:
image
Over the past couple of years, however, online shoppers have become much more experienced and pay more attention to security. Basic-level certificates are gradually fading into the background, since many users no longer trust sites that carry them and prefer to hand over their personal data only to verified companies.



Source: https://habr.com/ru/post/305590/