Extended Validation (EV) certificates are an advanced type of digital certificate that websites use to enable HTTPS. Their purpose is to help fight phishing sites by allowing the official websites of legitimate companies to show the name of the company in the URL bar. In practice, though, EV certificates can be dangerous when dealing with phishing sites.
Introduction to HTTPS and EV Certificates
Before getting into the specifics of how Extended Validation (EV) certificates can be a threat, let’s briefly discuss what HTTPS and EV certificates are.
What Is HTTPS?
Pretty much everyone has heard of HTTPS. They know that when they’re using the Internet, it’s important to make sure that the address bar has that “green padlock.” As long as a website has the lock, it’s reputable and perfectly safe.
Not really. HTTPS doesn’t actually provide any guarantee that a website is safe or even who it claims to be. The only thing that HTTPS promises is that the owner of the website has a trusted digital certificate for that website and that your connection to that website is encrypted. This makes it an improvement over ordinary HTTP, which does not provide authentication or encryption; but while HTTPS is necessary to browse the Internet securely, seeing the green padlock doesn’t mean that you’re safe.
To get a green padlock, all someone has to do is get a digital certificate for that domain. Services like Let’s Encrypt make this quick and easy, allowing anyone to set up a site protected by HTTPS. The only obligation for these services is to make certain that the person requesting the certificate actually has control over the website.
This means that phishing websites can have certificates too. In fact, over a quarter of phishing sites now use HTTPS. The burden is on the user to make sure that the verified site that they’re looking at is actually the one that they want. Attackers use deliberate misspellings (microsft.com instead of microsoft.com), plausible websites (paypal-support.com instead of paypal.com) and internationalized domain names encoded as punycode (for example, a Greek alpha in place of a Latin “a” so that the site name “looks right”) to get certificates for domains that users will mistake for a reputable one. With a lookalike domain, a tool to clone the reputable website (freely available on the Internet) and a certificate for their domain, a phisher can get that green padlock on a website that looks just like the real thing.
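The three lookalike techniques described above can all be caught by fairly simple checks, which is how mail gateways and browser extensions flag suspicious links. The following is an added example written for this article, not code from the original post or from any product: it takes a domain, recovers both the Unicode form a user sees and the punycode form the browser actually resolves, flags labels that mix scripts (a Greek or Cyrillic letter inside a Latin word), and compares the registrable label against a small constructed list of brand domains for near-misspellings and embedded brand names. The brand list, the two-edit threshold and the crude second-level-label extraction are this example’s assumptions; real code would use the Public Suffix List.

```python
import unicodedata

# Brands we want to protect (constructed list for this example).
BRAND_DOMAINS = ["microsoft.com", "paypal.com", "stripe.com"]


def to_ascii(domain: str) -> str:
    """Return the punycode (IDNA) form a browser would actually connect to."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Collect the script of every letter in a label, taken from the first word
    of its Unicode character name (LATIN, GREEK, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude second-level label: 'login.paypal-support.com' -> 'paypal-support'.
    Assumption for this example; production code should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(candidate: str, brands=BRAND_DOMAINS) -> list:
    """Return the reasons a domain looks like a brand impersonation (empty list = no finding)."""
    candidate = candidate.strip().rstrip(".").lower()
    reasons = []
    # Work from the Unicode form the user sees, whether we were handed that or the xn-- form.
    unicode_form = candidate
    if "xn--" in candidate and candidate.isascii():
        unicode_form = candidate.encode("ascii").decode("idna")
    try:
        ascii_form = to_ascii(unicode_form)
    except UnicodeError as exc:
        return [f"invalid-idna: {candidate!r} is not a valid IDNA domain ({exc})"]
    if ascii_form != unicode_form:
        reasons.append(f"non-ascii: displayed as {unicode_form!r} but resolves as {ascii_form!r}")
    for label in unicode_form.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            reasons.append(f"mixed-script: label {label!r} mixes {sorted(found)}")
    for brand in brands:
        if unicode_form == brand or unicode_form.endswith("." + brand):
            return []  # the brand's own domain (or a subdomain of it): nothing to report
        cand_label, brand_label = registrable(unicode_form), registrable(brand)
        if 0 < edit_distance(cand_label, brand_label) <= 2:
            reasons.append(f"misspelling: {cand_label!r} is within 2 edits of {brand!r}")
        elif brand_label in cand_label:
            reasons.append(f"embeds-brand: {cand_label!r} contains {brand_label!r}")
    return reasons


if __name__ == "__main__":
    # The three patterns from the article plus the genuine domain, as constructed inputs.
    for d in ["www.paypal.com", "microsft.com", "paypal-support.com", "pαypal.com"]:
        print(d, "->", lookalike_reasons(d) or "no findings")
```

The mixed-script test is the one that matters for the homograph case: the Greek alpha in “pαypal” survives as a different code point even though it renders like a Latin “a”, so the label reports both LATIN and GREEK, and its punycode form starts with “xn--”, which is exactly what modern browsers fall back to displaying when a label mixes scripts.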
What Is an Extended Validation (EV) Certificate?
Extended Validation (EV) certificates are special certificates designed to help users identify trusted websites. Instead of making users remember a company’s official URL, an organization can get an Extended Validation certificate that puts their company name in the URL field instead of, or in addition to, the URL.
To get an Extended Validation certificate, an organization needs to go through a few more steps than a traditional certificate. The verification process for EV certificates requires that an organization prove that they are a legally registered corporation and that they control the domain that they are requesting a certificate for. If they meet these requirements, they get the certificate that puts their company name in the address bar.
The Dangers of HTTPS and EV Certificates
Extended Validation Certificates seem like a great idea. By proving that a URL belongs to a company, an organization helps fight phishing by making it a little bit harder for an attacker to create a plausible-looking phishing website.
There’s just one little problem: It’s actually quite easy and relatively cheap to legally register a company. Also, there is no rule that says that you can’t have the exact same name as another company as long as you’re registered in a different jurisdiction. In the U.S., this means that there can theoretically be fifty companies with the same name, one for each state. That doesn’t even consider the numbers internationally.
So assume that a phisher registers an Extended Validation certificate under the same name as a legitimate company. How similar would that make their URL bar look? In some versions of Safari, the name of the company completely replaces the URL in the address bar. The image below shows the result of a security researcher registering a company named Stripe, Inc., getting an EV certificate for their company and comparing their URL bars.
Can you tell the difference? There isn’t one. If the security researcher wanted to launch a phishing campaign using their new site, it would probably work. And this isn’t the only way that EV certificates can be used maliciously.
Another security researcher created an organization named Identity Verified and created a site using it. A screen capture of their site in a vulnerable version of Safari is shown below. Unless you know how EV certificates work, that’s pretty convincing.
The major difference between the EV certificate of a legitimate organization and one set up by a phisher is the location where the company is registered. By looking at the certificate, you can check the details of the organization and ensure that you’ve got the right one before entering sensitive data. It’s a pain and you need to know where each company is officially registered.
This may be tougher than you’d think. Take Facebook, for example. If you see an EV certificate registered to a Facebook, Inc. from California, would you think it’s legitimate? If so, you’d be wrong. Despite its Menlo Park, CA headquarters, Facebook is incorporated in Delaware (like two-thirds of Fortune 500 companies). With a plausible URL and an EV certificate to match, a phisher can make a website that would pass most people’s inspection.
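The check the two paragraphs above describe, comparing the organisation and jurisdiction fields of an EV certificate with what you expect for the company, can be automated for the handful of sites whose logins you care about. What follows is an added example written for this article, not code from the original post or from any browser: it works on the dictionary that Python’s `ssl` module returns from `getpeercert()`, flattens the subject, maps the EV jurisdiction attributes (which older OpenSSL builds report as dotted OIDs and newer ones as long names) to one spelling, and reports every field that differs from a pinned record. The two certificates are constructed samples in that dictionary shape, not real certificates; the expected record only encodes the article’s statement that Facebook is incorporated in Delaware, and the exact strings in the real certificate may differ. `fetch_peer_cert` is the live path and is not exercised here.

```python
import socket
import ssl

# EV jurisdiction attributes (CA/Browser Forum OIDs). Older OpenSSL builds hand
# these back as dotted OIDs, newer ones as long names; normalise both.
OID_ALIASES = {
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}

# Hypothetical pinned record: what we expect when we mean to log in to facebook.com.
# Jurisdiction values follow the article; the real certificate's strings may differ.
FACEBOOK_RECORD = {
    "organizationName": "Facebook, Inc.",
    "jurisdictionStateOrProvinceName": "Delaware",
    "jurisdictionCountryName": "US",
}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate):
# incorporated in Delaware, headquartered in Menlo Park, California.
LEGIT_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("1.3.6.1.4.1.311.60.2.1.3", "US"),),
        (("1.3.6.1.4.1.311.60.2.1.2", "Delaware"),),
        (("serialNumber", "REGISTRATION-NUMBER-PLACEHOLDER"),),
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "Menlo Park"),),
        (("organizationName", "Facebook, Inc."),),
        (("commonName", "facebook.com"),),
    ),
    "subjectAltName": (("DNS", "facebook.com"), ("DNS", "*.facebook.com")),
}

# Constructed lookalike: a different "Facebook, Inc." registered in California,
# with a valid EV certificate for a plausible domain (reserved .example TLD).
LOOKALIKE_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "California"),),
        (("serialNumber", "OTHER-REGISTRATION-NUMBER-PLACEHOLDER"),),
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("organizationName", "Facebook, Inc."),),
        (("commonName", "facebook-login.example"),),
    ),
    "subjectAltName": (("DNS", "facebook-login.example"), ("DNS", "www.facebook-login.example")),
}


def flatten_subject(cert: dict) -> dict:
    """Turn the subject tuple-of-tuples into a flat dict, with jurisdiction OIDs renamed."""
    out = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            out[OID_ALIASES.get(key, key)] = value
    return out


def san_covers(cert: dict, hostname: str) -> bool:
    """True if hostname is listed in subjectAltName, exactly or via a one-label wildcard."""
    hostname = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.endswith(name[1:]) and hostname.count(".") == name.count("."):
            return True
    return False


def ev_mismatches(cert: dict, hostname: str, expected: dict) -> list:
    """Compare the certificate's organisation fields with the record we expect for hostname.
    An empty list means every pinned field matched and the certificate covers the host."""
    subject = flatten_subject(cert)
    problems = []
    for field, value in expected.items():
        got = subject.get(field)
        if got != value:
            problems.append(f"{field}: expected {value!r}, certificate says {got!r}")
    if not san_covers(cert, hostname):
        problems.append(f"certificate not issued for {hostname}")
    return problems


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Fetch a live server's leaf certificate in the same dict shape (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("genuine:", ev_mismatches(LEGIT_CERT, "www.facebook.com", FACEBOOK_RECORD) or "ok")
    print("lookalike:", ev_mismatches(LOOKALIKE_CERT, "facebook-login.example", FACEBOOK_RECORD))
```

Note what the lookalike run reports: the organisation name matches exactly, as the article warns it can, and the only signal is the jurisdiction field. That is why checking the company name alone, which is all the old green address bar showed, is not enough.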
What to Do About EV Certificates
Extended Validation (EV) certificates seem like a great idea. By having businesses prove that a certain URL belongs to them, the burden of remembering which URLs actually belong to a company is removed from the user. However, the specifics of how EV certificates work have made them a danger, since they create a false sense of security and, in some cases, hide the only real giveaway of a phishing site: the URL.
Luckily, Extended Validation certificates are on their way out. The obvious issues have caused major browsers to stop showing them with the green lettering designed to show their authenticity. The screenshot below shows one of the example sites from above using a current version of Google Chrome.
Notice that the padlock is still there (since the certificate is valid), but the company name isn’t shown anywhere, and the URL bar doesn’t look any different from any other HTTPS site. The best way to protect yourself against phishing sites with EV certificates is to update your browser and keep an eye out for anomalous URLs.