How-To Geek

HTG Explains: How Browsers Verify Website Identities and Protect Against Imposters

Have you ever noticed that your browser sometimes displays a website’s organization name on an encrypted website? This is a sign that the website has an extended validation certificate, indicating that the website’s identity has been verified.

EV certificates don’t provide any additional encryption strength – the TLS connection is exactly as strong as with any other certificate. What an EV certificate adds is the assurance that the issuing certificate authority performed extensive verification of the identity of the organization behind the site. A standard certificate only establishes that whoever requested it controlled the domain name at the time; it says very little about who that is.

How Browsers Display Extended Validation Certificates

On an encrypted website that doesn’t use an extended validation certificate, Firefox says that the website is “run by (unknown).”

Chrome doesn’t display anything differently and says that the website’s identity was verified by the certificate authority that issued the website’s certificate.

When you’re connected to a website that uses an extended validation certificate, Firefox tells you it’s run by a specific organization. According to this dialog, VeriSign has verified that we’re connected to the real PayPal website, which is run by PayPal, Inc.

When you’re connected to a site that uses an EV certificate in Chrome, the organization’s name appears in your address bar. The information dialog tells us that PayPal’s identity has been verified by VeriSign using an extended validation certificate.

The Problem with SSL Certificates

Years ago, certificate authorities used to verify a website’s identity before issuing a certificate. The certificate authority would check that the business requesting the certificate was registered, call the phone number, and verify that the business was a legitimate operation that matched the website.

Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper, as it was less work for the certificate authority to quickly check that the requester owned a specific domain (website).

Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and purchase a domain-only certificate for it. When a user connected to paypall.com, the user’s browser would display the standard lock icon, providing a false sense of security. The lock only confirms that the connection is encrypted and that the certificate’s name matches the domain in the address bar – a domain the phisher really does own – and says nothing about who is behind that domain. Browsers didn’t display the difference between a domain-only certificate and a certificate that involved more extensive verification of the website’s identity.
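Why the lock appears on paypall.com: the only name check a browser makes is that one of the DNS names in the certificate covers the host in the address bar. The Python below is an added illustration of that check, not code from the article. The certificate dicts are constructed sample data in the layout of Python’s ssl.SSLSocket.getpeercert(), and the wildcard rules follow what mainstream browsers enforce (a single “*” as the whole leftmost label, never matching a bare registrable domain).

```python
# Added example (not from the original article): a minimal version of the
# hostname check browsers apply to the names in a certificate.
# Certificate data below is constructed for illustration.

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (e.g. '*.example.com') covers hostname.

    Browser rules: comparison is case-insensitive, label counts must be equal,
    a wildcard is only honoured as the entire leftmost label, and a wildcard
    needs at least two further labels so '*.com' can never match 'paypal.com'.
    """
    p_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def browser_accepts(cert: dict, hostname: str) -> bool:
    """The name check a browser performs before showing the lock: some
    subjectAltName DNS entry (or, for old certificates without any,
    the subject commonName) must cover the requested host."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # fall back to CN only when the cert has no SAN DNS names
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)


# Constructed certificates in the layout of ssl.SSLSocket.getpeercert().
PHISHER_CERT = {  # domain-only certificate a phisher could legitimately buy
    "subject": ((("commonName", "paypall.com"),),),
    "subjectAltName": (("DNS", "paypall.com"), ("DNS", "www.paypall.com")),
}
REAL_CERT = {  # the genuine site's certificate (values constructed)
    "subject": ((("organizationName", "PayPal, Inc."),),
                (("commonName", "www.paypal.com"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}

if __name__ == "__main__":
    # The phisher's cert is valid for the phisher's own domain, so the lock appears...
    print(browser_accepts(PHISHER_CERT, "www.paypall.com"))  # True
    # ...but serving it for the real domain produces a name-mismatch warning.
    print(browser_accepts(PHISHER_CERT, "www.paypal.com"))   # False
```

The point of the two calls at the bottom is the article’s: the phisher’s certificate passes every check the browser makes for paypall.com, because it genuinely is paypall.com’s certificate. Nothing in this check involves who the registrant is.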

Public trust in certificate authorities to verify websites has fallen – this is just one example of certificate authorities failing to do their due diligence. In 2011, the Electronic Frontier Foundation found that certificate authorities had issued over 2000 certificates for “localhost” – a name that always refers to your current computer, so no requester can meaningfully “own” it. In the wrong hands, such a certificate lets whoever holds its private key impersonate that name to any browser without triggering a warning, which makes man-in-the-middle attacks easier.

How Extended Validation Certificates Are Different

An EV certificate indicates that a certificate authority has verified that the website is run by a specific, legally registered organization. For example, if a phisher tried to get an EV certificate for paypall.com, the request would be turned down unless the phisher could prove to be a registered organization – and even then, it is that organization’s verified legal name, not “PayPal, Inc.”, that the browser would display next to the lock.

Unlike standard SSL certificates, only certificate authorities that pass an independent audit are allowed to issue EV certificates. The Certification Authority/Browser Forum (CA/Browser Forum), a voluntary organization of certification authorities and browser vendors such as Mozilla, Google, Apple, and Microsoft, issues strict guidelines that all certificate authorities issuing extended validation certificates must follow. This ideally prevents the certificate authorities from engaging in another “race to the bottom,” where they use lax verification practices to offer cheaper certificates.

In short, the guidelines demand that certificate authorities verify the organization requesting the certificate is officially registered, that it owns the domain in question, and that the person requesting the certificate is acting on behalf of the organization. This involves checking government records, contacting the domain’s owner, and contacting the organization to verify that the person requesting the certificate works for the organization.

In contrast, a domain-only certificate verification might only involve a glance at the domain’s whois records to verify that the requester’s details match the registrant’s, or an automated check that the requester can receive email at an address on that domain. The issuing of certificates for names like “localhost” implies that some certificate authorities weren’t even doing that much verification. EV certificates are, fundamentally, an attempt to restore public trust in certificate authorities and restore their role as gatekeepers against impostors.
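What an EV certificate actually carries, and how a browser decides to show the organization name: the subject contains the verified legal name, business category, jurisdiction and registration number, and the certificate asserts a policy OID that the browser recognises as EV for that audited root (a mechanism the article does not describe; it is why a phisher cannot simply type an organization name into a domain-only certificate request and get the green bar). The Python below is an added example, not code from the article. The certificate dicts are constructed, the subject layout follows ssl.SSLSocket.getpeercert(), and the “policies” key is an assumed field of this example, since getpeercert() does not expose the Certificate Policies extension. 2.23.140.1.1 is the CA/Browser Forum’s EV policy OID; real browsers additionally keep CA-specific EV OIDs per trusted root.

```python
# Added example (not from the original article): classify a certificate's
# validation level from what the CA put into it. Sample values are constructed.

CABF_EV_POLICY = "2.23.140.1.1"          # CA/Browser Forum EV policy OID
CABF_DV_POLICY = "2.23.140.1.2.1"        # Baseline Requirements: domain-validated
CABF_OV_POLICY = "2.23.140.1.2.2"        # Baseline Requirements: organization-validated
KNOWN_EV_POLICIES = {CABF_EV_POLICY}     # a browser ships a longer, per-root list

# Subject attributes the EV guidelines require beyond commonName/countryName.
EV_REQUIRED_SUBJECT = {
    "organizationName",          # verified legal name of the organization
    "businessCategory",          # e.g. "Private Organization", "Government Entity"
    "jurisdictionCountryName",   # where the organization is registered
    "serialNumber",              # its registration number in that jurisdiction
}


def subject_attrs(cert: dict) -> dict:
    """Flatten getpeercert()-style subject RDNs into {attribute: value}."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert: dict) -> str:
    """Return 'EV', 'OV' or 'DV' for a certificate dict.

    EV: every identity field the EV guidelines require is present AND the
        certificate asserts a policy OID the browser knows as EV.
    OV: the CA included an organizationName, but there is no EV policy.
    DV: only domain control was checked; no organization in the subject.
    """
    attrs = subject_attrs(cert)
    policies = set(cert.get("policies", ()))
    if EV_REQUIRED_SUBJECT.issubset(attrs) and policies & KNOWN_EV_POLICIES:
        return "EV"
    if "organizationName" in attrs:
        return "OV"
    return "DV"


def displayed_organization(cert: dict):
    """What the address bar shows: the organization only for EV certificates,
    otherwise nothing (Firefox's 'run by (unknown)')."""
    if validation_level(cert) == "EV":
        return subject_attrs(cert)["organizationName"]
    return None


# Constructed sample certificates.
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "1234567"),),          # constructed registration number
        (("countryName", "US"),),
        (("organizationName", "PayPal, Inc."),),
        (("commonName", "www.paypal.com"),),
    ),
    "policies": (CABF_EV_POLICY,),
}
DV_CERT = {  # the phisher's domain-only certificate
    "subject": ((("commonName", "paypall.com"),),),
    "policies": (CABF_DV_POLICY,),
}
OV_CERT = {  # an organization was checked, but not to the EV standard
    "subject": ((("organizationName", "Not PayPal LLC"),),
                (("commonName", "paypall.com"),)),
    "policies": (CABF_OV_POLICY,),
}
# Subject text copied from an EV certificate but without an EV policy OID:
# the browser will not treat it as EV, because the policy asserted under an
# audited root, not the subject text, is what it trusts.
COPIED_SUBJECT_CERT = {"subject": EV_CERT["subject"], "policies": (CABF_OV_POLICY,)}

if __name__ == "__main__":
    for name, cert in [("EV", EV_CERT), ("DV", DV_CERT), ("OV", OV_CERT),
                       ("copied subject", COPIED_SUBJECT_CERT)]:
        print(name, "->", validation_level(cert), displayed_organization(cert))
```

A real browser gets both inputs from the parsed X.509 certificate and checks the EV policy OID against the specific root that issued the chain, so a CA cannot assert another CA’s EV OID either; the classifier above collapses that to one set to keep the example short.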

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 07/23/12

Comments (8)

  1. TheFu

    Website certificates are based on DNS being correct. If your DNS is hacked (or even your /etc/hosts file) or redirected, then any website can create a certificate for any other website. If your DNS isn’t correct or is telling lies, you are screwed and SSL means NOTHING.

    It isn’t exactly a secret, but most companies don’t want to mention it since it can scare end users into trusting enough to enter their buying method (paypal or creditcard).

    Redirected DNS is a huge issue. The FBI turned off an entire network of DNS redirection servers http://news.cnet.com/8301-1009_3-57468436-83/fbi-kills-dnschanger-network-but-how-many-will-be-affected/ on July 9th. It was believed that over 600,000 PCs were impacted.

    A web browser pointing to the wrong web server will likely see a perfectly good SSL cert and think it is the correct server. There are browser plugins that track SSL certs and notify users when they are changed, but some websites are constantly changing their certificates which makes this tool less useful. Google has many thousands of servers and their SSL certs change multiple times every day. It is an annoyance it has become so bad.

    I’m babbling now. Sorry.

  2. D. L. Sinkler

    Obviously PayPal is no criteria for me. They recently allowed a person to hijack my account in the amount of $876.00. Of course I attempted to close my account with PayPal, but although I notified them that I had NOT made these purchases they made two more efforts to withdraw money from my account depleting my checking account and costing me over $200 by my bank. It took more than two weeks before PayPal “allowed” me to close my account. Needless to say I will NEVER use PayPal or E-Bay again.

  3. sorinc

    Sorry to seem picky, but according to http://dictionary.reference.com/browse/imposter, there is no such word as “imposter”.

    The correct word is impostor (http://dictionary.reference.com/browse/impostor): a person who practices deception under an assumed character, identity, or name.

    The French version is closer to what you used: imposteur.
    No wonder you have spelling bees ;-)

  4. SatoMew

    @sorinc, how about using a more reliable source such as Oxford Dictionaries? The spelling “imposter” is a valid variant of “impostor”.

    My source(s): http://oxforddictionaries.com/definition/english/impostor [Worldwide English] and http://oxforddictionaries.com/definition/american_english/impostor [American English].

    Even the page from the URL you linked to in your comment has a reference to “imposter” as an alternative spelling to “impostor”.

  5. spike

    @TheFu: Exactly! This points up the need to know that you aren’t infected with malware pointing your DNS to rogue DNS servers. Also, when this happens to users, they aren’t likely to notice that the site is suddenly using a barebones SSL instead of an EV cert. Good time for a wake up call for everyone to make sure their DNS is good.

    @sorinc: Wikipedia says that both are acceptable spellings (impostor/imposter), also, (I just followed the links you posted), those links say so as well...? Although impostor is the preferred spelling.

  6. Nathan Osman

    @TheFu: I’m afraid you are incorrect. The browser will know something is amiss when a certificate is returned that does not match the domain name you are connecting to.

    Here is an example scenario:

    1. A user’s browser issues a request for the home page of paypal.com over HTTPS.
    2. Although not known to the user, they have malware on their computer that is returning corrupt information for DNS lookups. The rogue DNS resolver points the browser towards another server that was set up by a malicious party.
    3. The browser requests the SSL certificate for the domain name and instead of receiving a certificate that is valid for paypal.com, it receives a certificate for some other domain name (for example, paypol.com).
    4. Any browser worth its salt will display a warning to the user (in big red letters) letting them know that something is wrong because the certificate does not match the domain name that the user was trying to access.

    Someone could easily create a self-signed certificate for paypal.com, but again – all browsers will immediately display a warning that the certificate was issued by an unknown authority.

    So in summary, if you view pages over HTTPS, you are essentially immune to DNS poisoning.

  7. spike

    @Nathan Osman: Ouch- you are right! My bad as well- must have been overtired as usual :-). A hacker cannot get even a domain-verify only SSL for a domain they don’t have, without hacking the SSL provider’s DNS as well, so they would have to use a self-signed certificate, which as you said, doesn’t fly with any modern browser.

  8. DNS-PWNER

    Hello SSL Strip and Arp Spoofing
