Thursday, May 15, 2008

Certificate Dangers?

The German Import House has a catalog where you can by a Dirndl dress or an Oktoberfest Party Hat.

The catalog gives its visitors the added sense of security by turning the address bar in my Firefox browser yellow, and adding a padlock to the address bar. When I float my mouse over the padlock, I get the "Authenticated by Equifax" popup.

When I click on it, it says:

SSL Server Certificate

Issued to
Common Name *
Serial Number: 08:90:D2

Issued By
Equifax Secure Certificate Authority

Issued On: 1/11/1008
Expires On: 2/10/2010

Unfortunately, someone put a Meadows Credit Union phish in a subdirectory of the catalog.

Visitors to that phishing site will see the same "warm fuzzy" yellow bar, and the same "Authenticated by Equifax" message.

Which brings me to the point of this article. We are all talking about Extended Validation Certificates, which will turn your address bar green, "proving" that the site is legitimate. What proof do we have that someone hasn't hacked the legitimate site and used it for an illegitimate purpose. That's what we see here with a "pre-" EV Certificate. German Import House is a legitimate site, and paid for an Equifax Certificate to prove so. However, the visitor to the Meadows Credit Union phishing site is ALSO going to see the Certificate behavior. But what does that prove?

How much danger are we in when we train our users that a colored address bar means they are safe - and then phishers hack those sites to host phishing content? The user sees a colored bar and a padlock -- one that really has a corresponding certificate on file -- and decides that its a safe site. Are EV Certs the answer? or just another way to train users that they don't have to think?


No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.