The January 2009 issue of Money magazine published a quiz entitled "Are you Phish Food?" The purpose of the quiz was to gauge how well you can tell whether you are being targeted by a phishing attack. If you don't get the print magazine, you can take the quiz online too.
Overall the quiz is basic, but that’s acceptable given the target audience (general consumers). It's nice to see articles like this, as consumer education about security threats still has a long way to go (but we're making good progress: most consumers now know, even if they do not understand why, that they need some kind of anti-virus protection on their systems). There was, however, one question that made me cringe a little.
The question was whether using HTTPS was a good or bad thing, and Money's response was that it was a good thing assuming the SSL certificate is valid (which they explain as the little lock icon in the browser not reporting any problems). In other words, if the URL is using HTTPS, and the certificate is good, then don't worry--you're safe. This is actually a bit misleading.
In this day and age, basic SSL certs are tied to hostnames (or, in the case of wildcard SSL certs, root domain names). The process of vetting SSL cert recipients has diminished over the years; nowadays you can be immediately issued a domain-only SSL cert if you control the web server for that domain. In fact, this diminished accountability for normal SSL certs is one of the reasons for the introduction of the newer crop of EV (Extended Validation) SSL certs (a.k.a. the 'green bar' SSL certificates). EV SSL certs (re-)establish a level of recipient review and validation.
Anyways, let's bring this back to phishing. Money magazine says that a valid HTTPS cert means things are OK. But what's to stop a phisher using 'www.evil.com' from getting a valid SSL cert for that hostname? Absolutely nothing, other than the financial cost acting as a barrier to entry. But domain-only SSL certs are now as cheap as US$15, and I have to imagine such a cost is negligible if the phishing site has even a minimum level of success. Sure, phishers treat their sites as disposable, and buying a new SSL certificate for every site could become expensive; but if valid HTTPS connections contribute to the success of the phishing attack, then there might be justifiable ROI. At that point, the SSL cert is just a cost of doing business for the phisher (or, as I like to refer to it, a 'cost of doing evil').
But let's take this one step further. Getting an SSL certificate for www.evil.com has minimal value, because it is clearly evident that www.evil.com is not a plausible phishing target, such as www.paypal.com. And perhaps every certificate authority (CA, the people who sell SSL certs) in the world checks and denies SSL certificate requests that include variations of the word 'paypal'...although that is highly doubtful. But even if they did, wildcard SSL certificates can bypass this check to a certain degree. An attacker would just purchase a '*.evil.com' wildcard certificate from the CA, and then set up a site such as 'paypal.evil.com'. The CA would never know the final hostname in use. Does the hostname still look suspicious? What if the attacker gets the domain name 'cgi-bin-webscr.com', and requests a wildcard certificate for '*.com.cgi-bin-webscr.com'? The SSL-validated URL "https://paypal.com.cgi-bin-webscr.com/?cmd=login" could look convincing to some folks...
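To make the point concrete from the defender's side, here is an added example (my own illustration, not code from the original post) showing the two mechanics at work: a browser's wildcard matching accepts '*.com.cgi-bin-webscr.com' for the hostname 'paypal.com.cgi-bin-webscr.com' exactly as the article says it would, yet the part of that hostname the phisher actually registered (the registrable domain) is 'cgi-bin-webscr.com', and the brand name only appears in a subdomain label. The tiny public-suffix table and the brand watch-list are constructed stand-ins; a real deployment would use the full Public Suffix List.

```python
"""Added example: a valid certificate proves only that the name matched,
not who is behind it.  Two checks are shown:
  1. RFC 2818/6125-style wildcard matching of a certificate name against a
     hostname, which is what the browser does before showing the lock icon;
  2. extraction of the registrable domain so that a brand keyword appearing
     outside it (i.e. only in a subdomain label) can be flagged."""
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed watch-list of brands commonly impersonated (assumption).
BRANDS = ("paypal", "ebay")


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name (optionally a '*.' wildcard) matches hostname.

    A leading '*' covers exactly one left-most label; every remaining
    label must match exactly (case-insensitive).  So '*.example.com'
    matches 'a.example.com' but not 'b.a.example.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix_labels = cert_name[2:].split(".")
    host_labels = hostname.split(".")
    # Host must have exactly one more label than the wildcard's suffix.
    return (len(host_labels) == len(suffix_labels) + 1
            and host_labels[1:] == suffix_labels)


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain: the longest public suffix plus the
    one label to its left.  Falls back to the whole hostname if no known
    suffix is found."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first (fewest labels stripped).
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def assess_url(url: str, brands=BRANDS) -> dict:
    """Flag brand names that appear in the hostname but not in the part
    of it the site operator actually registered."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    misplaced = [b for b in brands if b in host and b not in reg]
    return {
        "hostname": host,
        "registrable_domain": reg,
        "brand_outside_registrable_domain": misplaced,
    }


if __name__ == "__main__":
    url = "https://paypal.com.cgi-bin-webscr.com/?cmd=login"
    host = urlsplit(url).hostname
    # The browser would accept this wildcard cert: lock icon, no warning.
    print("wildcard cert matches:", cert_name_matches("*.com.cgi-bin-webscr.com", host))
    # ...but the registered domain is not paypal.com.
    print(assess_url(url))
    print(assess_url("https://www.paypal.com/cgi-bin/webscr"))
```

The useful lesson for a mail-gateway or proxy rule is the second function: compare the brand keyword against the registrable domain rather than against the full hostname, since the certificate check (the first function) will pass for any hostname the phisher controls.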
And just for fun, I took a look at all of the reported phishing sites on Phishtank.com for the past month. There was only one site using HTTPS; it was posing as an eBay site, and it did, in fact, have a valid SSL certificate issued for the phishing domain name. So this discussion isn't speculation...it's actually occurring.
Overall, the mere presence of a valid SSL certificate does not imply a safe site. You could, in fact, be (securely) talking to an attacker. EV SSL efforts help with this situation, but they are cost-prohibitive for many sites and will take a long time before the majority of the world is using them (if ever). So end users must still remain vigilant about verifying which sites they are visiting...and the presence or absence of a standard valid HTTPS/SSL certificate is a negligible factor in that process.
Until next time,