The True Cost of Certificate Authority Trials: Can You Trust Them?
By Rodrigo Calvo, CISSP
Recently, some colleagues and I were able to verify a phishing attack that used a valid TLS certificate and a powerful name (Microsoft) as a cover. The chosen attack vector was Office 365 (aka O365) and the goal was to gain users’ credentials by sending a targeted campaign to specific user groups.
The attack began as a counterfeit email requesting user information on behalf of Microsoft support to authenticate a new device or to provide an “important document.” In other words, the email provided a false requirement to take advantage of users (see Figures 1 and 2).
For millions of people using this platform, the exposure is not simply email, but content (personal, corporate, financial, etc.), communication and online calendars (a priority for professional lifestyles). What made this attack stand out (to us, anyway) was how the criminal organization behind the threat used two elements to generate trust from its target: a well-designed webpage with logo included and an SSL certificate (free or trial). The latter component, now easier than ever for bad actors to obtain, deserves wary scrutiny.
Figure 1. Phishing Attack: Initial Stage
The average user has been taught that seeing “https” next to a website’s URL means that the site is secure, particularly when conducting online transactions. The general recommendations/best practices available point to the fact that encrypting webpages serves as a failsafe. Very often we hear suggestions such as: “When asked to send sensitive personal information, a genuinely secure web address should start with https://,” “Check the website address: the login page on your bank’s website should start with https,” or “When logging into banking, shopping and email sites, always look for https at the beginning of the URL. The ‘s’ stands for secure.”
Users have consistently been warned to be on the lookout for phishing scams, and to closely examine the URLs or domains that accompany suspect messages. A very familiar example of a phishing attack is an email allegedly from Microsoft that is, in fact, coming from a stranger’s convoluted Gmail or other address.
The next stage orchestrated by the hackers required the end user to click an action button in the email. A new web browser session immediately opened requesting the user’s O365 credentials. The session would appear secure to a regular user, as it included https and a padlock icon. The identifiable indicator is that the domain is not related to the official Microsoft O365 site, but it is not explicitly clear that the intent is to steal the user’s credentials (see Figure 3 for an example of the situation).
Figure 3. Second stage: User visits the phishing website
In this specific case, the SSL certificate appears to be domain validated and has a telling feature: it was issued at zero cost for 90 days. A regular certificate will show a validity period of not less than one year.
We also found completely free options, such as Let's Encrypt, the Internet Security Research Group initiative that provides digital certificates at no charge (one of its key principles).
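The two indicators just described, a short validity window and domain-only validation, can be checked mechanically. The script below is an added example (it is not code from the original article) that triages a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(), so the same checks can be run on a live connection; the two certificates, the issuer names and the allow-list of expected sign-in domains are constructed sample values for this example, and the 90-day threshold is a triage heuristic taken from the trial lengths the article cites, not a rule.

```python
"""Triage a TLS certificate seen on a suspected phishing page.

Added example, not code from the original article. It works on the
dict that Python's ssl.SSLSocket.getpeercert() returns, so the same
checks can run against a live connection; the two certificates below
are constructed inline (sample values, not real certificates) so the
script runs offline.
"""
import ssl

# Lifetimes at or below this are typical of the trial / free DV
# certificates the article describes (30 to 90 day offers). It is a
# triage threshold, not proof of anything on its own.
SHORT_LIFETIME_DAYS = 90

# Domains the brand is expected to use for sign-in. Constructed
# allow-list for this example; an organisation maintains its own.
EXPECTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com")


def _rdn_value(rdns, attribute):
    """Return one attribute from a getpeercert() subject/issuer, or None.

    The format is a tuple of RDNs, each RDN a tuple of (attribute, value).
    """
    for rdn in rdns:
        for attr, value in rdn:
            if attr == attribute:
                return value
    return None


def issuer_organization(cert):
    """Which CA issued the certificate, i.e. whom to contact for revocation."""
    return _rdn_value(cert.get("issuer", ()), "organizationName")


def lifetime_days(cert):
    """Validity window length in days (notBefore to notAfter)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def certificate_names(cert):
    """All DNS names the certificate is valid for (CN plus SANs)."""
    names = set()
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.add(cn.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def under_expected_domain(name):
    """True if the (possibly wildcard) name sits under an expected domain."""
    host = name.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage(cert):
    """Return human-readable findings; an empty list means nothing unusual.

    'https' and the padlock only say the connection is encrypted; none
    of these checks depend on them.
    """
    findings = []
    days = lifetime_days(cert)
    if days <= SHORT_LIFETIME_DAYS:
        findings.append(f"short validity window: {days:.0f} days")
    # DV certificates carry no organization in the subject; OV/EV do.
    if _rdn_value(cert.get("subject", ()), "organizationName") is None:
        findings.append("domain-validated only: no organization in subject")
    names = certificate_names(cert)
    if not any(under_expected_domain(n) for n in names):
        findings.append(f"no certificate name is under an expected brand domain: {sorted(names)}")
    return findings


# Constructed sample: a 90-day DV certificate on a lookalike host.
PHISHING_CERT = {
    "subject": ((("commonName", "login-o365-verify.example"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example Trial CA"),)),
    "notBefore": "Mar 01 00:00:00 2018 GMT",
    "notAfter": "May 30 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "login-o365-verify.example"),),
}

# Constructed sample: a two-year OV-style certificate on an expected domain.
LEGIT_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Brand Corporation"),),
        (("commonName", "login.microsoftonline.com"),),
    ),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Jan 10 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "login.microsoftonline.com"),),
}

if __name__ == "__main__":
    for label, cert in (("phishing", PHISHING_CERT), ("legitimate", LEGIT_CERT)):
        print(label, "issued by", issuer_organization(cert))
        for finding in triage(cert) or ["no findings"]:
            print("  -", finding)
```

Against the constructed phishing certificate the script reports all three findings (a 90-day window, no organization in the subject, and no name under an expected domain) and names the issuing CA, which is the party to contact when requesting revocation; the legitimate sample produces no findings.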
Touting SSL and TLS as trustworthy
The above information echoes an April 12, 2017 article from Robert Duncan, “Let’s encrypt and Comodo issue thousands of certificates for phishing.” He mentions, “The use of TLS by these phishing sites is particularly dangerous, as websites that use TLS are marketed as being trustworthy and operated by legitimate operations. Consumers have been trained to look for padlocks, security indicators, and https:// in the address bar in their browser before submitting sensitive information, such as passwords and credit card numbers to websites.”
I asked technical support from a well-known certificate authority (CA) for their thoughts on situations like this and they replied, “A properly installed and configured SSL/TLS certificate makes sure that transactions through a vendor’s website are secure and are made in a fashion that is safe from third-party influence. CA does not regulate, control or monitor the business practices of any website operator, nor do our services relate in any way whatsoever with the content of a particular website. We cannot guarantee that the sites’ actual operators are always acting with integrity and honesty in [their] business with the public. Ultimately, consumers must still decide which vendors should be trusted and dealt with online before conducting any sort of business there. CA’s warranties cannot cover transactions where you have misjudged the intentions of the site owner or where the site owner has acted badly.”
Offering SSL 30- to 90-day trials is clearly a business incentive for the certificate authorities. From a cybersecurity perspective, this can complicate web security if enough bad actors are taking advantage of the free offers.
Cons of Domain Validated (DV) SSL trials or completely free options
- If the company wants to enable an e-commerce site, request personally identifiable information or receive confidential information, a trial or free SSL should not be an option because the ownership validation is basic and limited.
- Obtaining free SSL does not guarantee support for the most updated internet browsers.
Pros of EV SSL
- Extended Validation (EV) SSL is the new normal; the cost per year is between $225 and $600 per certificate.
- According to the CA/Browser Forum (aka CA/B Forum), additional benefits of EV SSL are to:
  - Make it more difficult to mount phishing and other online identity fraud attacks using certificates.
  - Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users.
  - Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including (where appropriate) contacting, investigating or taking legal action against the subject.
- Receive a warranty, which certain paid certificates offer.
Recommendations
- Use a perimeter-based technology such as a secure proxy and/or cloud-based technologies capable of identifying and preventing suspicious URLs inserted in an email.
- Use two-factor authentication integrated with your O365 to make it more difficult to access an account by just using a password.
- Provide training to your users and, if possible, test users with simulated phishing attacks.
- Report any suspicious email to your corporate IT security department.
- IT Security: Report any certificate being used in a phishing attack to the sender’s certificate authority and request revocation of their certificate.
- Enable Google Safe Browsing and Windows Defender SmartScreen on all computers to increase the defense against deceptive sites (examples below).
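The first recommendation, screening the links in an email before the user can reach the action button, is the one most readily shown in code. The script below is an added example, not code from the original article or from any proxy or gateway product: it extracts the anchors from a message body and flags a link when its host carries a brand keyword without sitting under an expected brand domain, or when the visible link text shows one host while the href points to another. The brand keyword list, the allow-list of expected domains and the sample message are all constructed for this example, and the https scheme is deliberately given no weight, in line with the article's point.

```python
"""Screen the links in an inbound email for brand-lookalike phishing.

Added example, not code from the original article or any vendor
product: a simplified version of the link check a mail gateway or
secure proxy might apply before the user can click the "action button"
the article describes. The keyword list, the allow-list and the sample
email are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_KEYWORDS = ("microsoft", "office", "o365", "outlook")
EXPECTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "outlook.com")

# Visible anchor text that itself looks like a URL or a host name.
URL_LIKE = re.compile(r"https?://\S+|(?:[\w-]+\.)+[A-Za-z]{2,}(?:/\S*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under_expected_domain(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def shown_host(text):
    """Host the user sees in the link text, or '' if the text is not URL-like."""
    if not URL_LIKE.fullmatch(text):
        return ""
    return host_of(text if "://" in text else "http://" + text)


def assess_link(href, text):
    """Return the reasons a link is suspicious; an empty list means none.

    An https:// scheme is deliberately not treated as evidence in the
    link's favour: encryption says nothing about who operates the site.
    """
    reasons = []
    host = host_of(href)
    if any(k in host for k in BRAND_KEYWORDS) and not under_expected_domain(host):
        reasons.append(f"brand keyword in non-brand host {host!r}")
    shown = shown_host(text)
    if shown and shown != host:
        reasons.append(f"link text shows {shown!r} but points to {host!r}")
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link that raised at least one reason."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = []
    for href, text in extractor.links:
        reasons = assess_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample message in the style of the campaign the article describes.
SAMPLE_EMAIL = """
<p>Your Office 365 mailbox requires re-verification to stay active.</p>
<p><a href="https://login-office365-verify.example/auth">Review document</a></p>
<p><a href="https://secure-update.example/o365">https://login.microsoftonline.com</a></p>
<p><a href="https://www.office.com/">Open Office</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample message the first two links are flagged (a brand keyword on a non-brand host, and visible text that names one host while the href goes to another) and the link to the expected domain passes. The registered-domain matching here is a suffix check against a fixed allow-list; a production gateway would combine it with a public-suffix list and reputation feeds such as the Safe Browsing and SmartScreen services mentioned above.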
Google Safe Browsing warns users when they attempt to navigate to dangerous sites or download dangerous files. This works in Firefox and Chrome. New phishing attempts can be reported at https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
Another option is Microsoft Windows Defender SmartScreen.
Criminals and the digital underground continue to use existing technology to implement malicious tactics. Trial SSL certificates have existed for more than 10 years and were initially offered for only 30 days. Most recently, the offerings increased to up to 90 days, making it easier to run longer phishing campaigns before disappearing.
While it’s true that domain-validated SSL certificates are not the root problem, the free use of them results in open risk to the general user community. Users must stop thinking that a padlock and https on the browser offers enough proof of security to enter their credentials, payment or private information without further investigating if the owner is real.
Rodrigo Calvo, CISSP, PCIP, CEHv8, is a senior security engineer at Infolock.