This post is going to be a bit more technical than most, but I will try to keep it as simple as I can. Last month I wrote about how domain owners can mask their identity by purchasing extra-cost private domain services. Today I want to talk about the opposite: where domain owners want to prove who they really are by making use of special digital certificates, called Secure Sockets Layer Extended Validation or SSL EV certs. It is something whose time has finally come.
One of the many problems with the average website is that you don’t necessarily know if the server you are browsing is for real or not. Scammers do this all the time when they send you a phished email: they copy the “real” site’s images and page design for say your local bank, and then try to trick you to login using their scammy page, where they capture your credentials and then steal your money. Rinse and repeat several million times and even if just a few folks take the bait, they can grab some significant coin.
So along came the SSL certificate many years ago to try to solve this problem. It did, for a while, until the scammers figured out ways to spoof certificates and make them look like they came from the “real” site operator. So the certificate issuers and several other interested parties got together and formed two efforts:
First was a standards body that would up the ante for how certs were vetted, to make sure that the real owner was who they said they were. This involves checking the domain ownership and making sure there actually is a Real Corporation (or some other trackable entity) behind the Internet registration. Now there are three different levels of certs available: the regular, old-school cert called domain validated (DV), a medium-grade one called organization validated (OV), and the most stringent of them all, the EV cert. Only the EV cert will turn the URL address bar of your browser green, showing you that you are connecting to the real site. Steve Gibson has a nice explanation on his site of how this works under the covers and how it is tamper-proof, at least so far.
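The practical difference between the three levels shows up in the certificate's subject: a DV cert names only the host, an OV cert adds the organization, and an EV cert additionally carries the business category, registration (serial) number and jurisdiction fields that the CA verified. The following added example (mine, not code from the post or from any CA) classifies a certificate by those fields using only Python's standard library, in the shape that `ssl.getpeercert()` returns, and also reports the days left until expiry, since letting a cert lapse is the most common installation mishap. The three sample certificates are constructed for illustration, the `example.com` names are placeholders, and the field-based classification is a heuristic approximation: the authoritative EV signal is the certificate-policy OID, which `getpeercert()` does not expose.

```python
"""Classify TLS certificates as DV / OV / EV from their subject fields.

Added illustration, not code from the original post. The rule is a heuristic:
the CA/Browser Forum EV Guidelines require the subject to carry
organizationName, businessCategory, serialNumber and jurisdiction fields, while
a DV cert typically carries only commonName. The authoritative EV marker is the
certificate-policy OID, which ssl.getpeercert() does not expose, so treat
"EV" here as "has the EV-style subject fields", not as a guarantee.
"""
import socket
import ssl

# Subject attributes the EV guidelines require; names as Python's ssl module
# reports them (assumption: OpenSSL's long names, e.g. jurisdictionCountryName).
EV_REQUIRED = {
    "organizationName",
    "businessCategory",
    "serialNumber",
    "jurisdictionCountryName",
}


def flatten_subject(subject):
    """getpeercert() gives ((('countryName', 'US'),), ...); flatten to a dict."""
    fields = {}
    for rdn in subject:
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' based on which subject fields are present."""
    present = set(flatten_subject(cert.get("subject", ())))
    if EV_REQUIRED <= present:
        return "EV"
    if "organizationName" in present:
        return "OV"
    return "DV"


def days_until_expiry(cert, now):
    """Whole days from `now` (UTC epoch seconds) until the cert's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def describe(cert, now):
    """Summarise what a browser user would want to know about this cert."""
    fields = flatten_subject(cert.get("subject", ()))
    return {
        "level": validation_level(cert),
        "host": fields.get("commonName"),
        "organization": fields.get("organizationName"),
        "jurisdiction": fields.get("jurisdictionCountryName"),
        "days_left": days_until_expiry(cert, now),
    }


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate (needs network; not used by the demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples shaped like getpeercert() output (not real certificates).
NOT_AFTER = "Jan  1 00:00:00 2030 GMT"
DV_SAMPLE = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notAfter": NOT_AFTER,
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "notAfter": NOT_AFTER,
}
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "notAfter": NOT_AFTER,
}

if __name__ == "__main__":
    import time
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(label, describe(cert, int(time.time())))
```

To check one of your own servers, replace the constructed samples with `describe(fetch_peer_cert("your-host"), int(time.time()))`; the `days_left` value is the one worth putting on a calendar.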
That is nice and welcome, but the second effort is also interesting: a non-profit corporation that is just getting ready to issue its own SSL certs for free. Called the Let’s Encrypt Project, it has begun with a few test accounts and will be ramping up over the next couple of months. The price is nice: some of the issuing authorities such as Thawte and Digicert charge $300 per year for their SSL EV certs, and GoDaddy has recently discounted its SSL EV certs to $100 per year. (Wikipedia has a more complete list of the vendors that offer EV certs.) But the real issue is that installing the certs is a multi-step process that requires some care. If you don’t do it very often (and why would you), it is easy to mess up. The Let’s Encrypt certs are supposedly easier to install.
One downside is that the free Let’s Encrypt certs aren’t EV-class ones: they are just the old-school, low-level DV certs. So if you are serious about your certs and want that nice green label in your browser, you still have to buy one. But at least the issue has been raised, which is one of the reasons why I am writing about this arcane topic today. If you own a domain and are doing ecommerce from it, look into getting at least the free certs when they are available, or pay for one of the EV models.
One thing to watch is the fraudsters picking up DV SSL certs and using them in phishing scams:
http://www.itworld.com/article/2992643/phishing-websites-look-more-legit-with-ssl-certs-from-major-companies.html
A new service from High-Tech Bridge that will check your SSL certs is now available here: https://www.htbridge.com/ssl/
For more info on the SSL cert issue, see an article that I wrote for IBM’s blog here about how you can test your SSL server:
https://securityintelligence.com/testing-your-ssl-encryption-can-provide-important-security-insights/