Netcraft says SSL certificates offer very limited protection from phishing
A PayPal phishing page has been discovered on the official portal of the Malaysian police force for Johor region. It was used to trick the users into surrendering their login information, despite the website having a valid SSL certificate.
The alarm was raised by Netcraft, an Internet services company from Bath.
The page in question looks like the PayPal login page, recreated in painstaking detail and available over HTTPS. The illusion of safety is created by an SSL certificate which is unconditionally accepted by several major browsers, including Firefox and Safari.
According to Netcraft, phishing pages often “piggyback” on top of compromised legitimate websites, abusing trust of the visitors towards the organisation. For cybercriminals, this cuts down on hosting and certificate costs, and looks a lot less suspicious.
Just last month, the company identified 234 trusted SSL certificates on websites with at least one known phishing page. 67 of them were issued by Symantec, including the one for Johor police department. Comodo issued 42 certificates which were used for phishing, and GoDaddy – 46.
“The SSL certificate for polisjohor.gov.my was issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation,” explained Raz Popescu from Netcraft.
However, since the certificate doesn’t contain OCSP URL, a feature included in the majority of SSL certificates since 2005 and used to periodically check their status, it cannot be revoked in Firefox. In Safari, the OCSP URL checking is set to ‘off’ by default.
Netcraft notes that even the Extended Validation certificates, which are supposed to be applied to completely secure services, have been used to host phishing pages in the past. In May 2013, it found five such cases. Two of the misused certificates were signed by Symantec, and one each by Comodo, DigiCert, and Go Daddy.
Can you look after your personal data online? Take our quiz!