Extended Validation SSL’s Role in Combatting Phishing

Extended Validation (EV) SSL is an important component in any online business’s fight against phishing. Phishing is a form of social engineering attack (otherwise known as a con) in which the phisher fools the victim into thinking he or she is visiting a trusted website.  Usually a communication like email or text message is used in the con luring victims to an online experience that can be confused for the real experience with the goal to obtain confidential information, login credentials or credit card numbers.  With free Domain Validation (DV) SSL certificates now available, phishing attacks using certificates have risen exponentially as they can now display their phishing site as “Secure” in hopes that victims will think the web site is safe.  A browser’s definition of secure (which really means encrypted) is not the same as the common definition of safe.  That’s why more businesses are relying on Extended Validation (EV) SSL to up their levels of both consumer protection and confidence online.
Now, counterfeiting as a practice depends on making a fake item that can be confused for the original, counterfeited item.  You won’t take a fake $20 with the wrong president on its face, and no museum bought a fake Da Vinci painted on a piece of cardboard.  The way counterfeiting is effective is to replicate the genuine experience as closely as possible.  And just as with counterfeit money and counterfeit paintings, counterfeit web sites need to be as mimetically accurate to the real thing they can be.  One important difference between counterfeiting web sites and counterfeiting money or paintings is that counterfeiting web sites is extremely easy.  The full HTML of the site is there for the scraping, making it a very small trick to present a site that, inside the HTML display window, looks exactly like the real site in question.

EV TLS/SSL green address bar

By placing an identifier of the site operator’s genuine identity in the interface of the browser, EV SSL complicates the phisher’s task considerably.  Assuming the code of the user’s browser hasn’t been compromised (and if it has then all bets are off), only the true content of a CA’s trusted EV certificate displays adjacent to the address bar. You can’t just screen scrape an EV certificate and throw it on your site.  So instead the phisher is forced to present a site with a clearly visible difference from the real thing.  That gives the user a chance to spot the difference and know the real from the fake.  And that’s a very important weapon in our arsenal against phishing.  As EV SSL has been in the IT department’s toolkit for more than a decade, the strategy behind it has been tested in a number of ways.  Here are the most common concerns that are raised and an explanation of why EV nonetheless is a good idea.
Concern:  Not everybody will notice the missing green address bar.
Here we see the “perfect is the enemy of good” fallacy.  Because it’s possible for some people to fail to notice that the green company name is missing from the phishing site, we should deny everyone the opportunity to spot the difference.  That’s a lot like saying because seat belts don’t save everyone’s life in every automobile accident, we should stop building them into cars.
The right approach to the problem is to give users the opportunity to distinguish a real site from a fake and to educate the public about how to do so.  Including the authenticated company name in the browser interface is a great way for users to make this distinction, and it’s something everyone can learn.
Concern:  A criminal could set up a fake business and get an EV certificate.
It’s possible that a criminal with enough resources, expertise, and time could create a fake business and use it to get an EV certificate to put on a phishing site, just as it’s possible that a criminal with enough resources, expertise, and time could get a fake passport that would pass for the real thing.  But in practice most of us cannot.  Getting a convincing fake passport is difficult enough that almost nobody does so.  The same situation exists for phishing sites.
Just as passports are incredibly effective in combatting identity fraud, so too are EV SSL certificates.  The fake-business EV scenario would be incompatible with well in excess of 99% of the phishing attacks that happen today.  Most phishing comes from automated programs that screen scrape sites and send emails with links to them.  The vast majority of these scams are run by “script kiddy” attackers who buy a ready-to-go phishing attack kit and implement it.  These attackers mostly operate out of regions of the world where law enforcement against cybercrime is weak and attack regions where wealth and online usage are relatively high.
These phishers up their chances of success by enabling lock icons through the use of free Domain Validation certificates.  These sites stay up for as little as a day and have a low hit rate during that time, and the whole venture depends on efficiency.  This kind of phishing site mill is cheap and easy to run and requires a pretty basic computer skill set.  One you introduce the need to incorporate a new business entity for each attack, you have fundamentally changed the game.  The business model simply won’t support it.
At the same time, CAs still should continue to push authentication techniques to make this kind of thing as difficult for the criminals as possible.  Just as the government continues to update its techniques for creating money and identifications to make them harder to counterfeit, so too should we continue scrutinizing and improving on the EV standards to keep these certificates as secure as possible.  The good news is that we have industry groups to do exactly that, and the EV standards have continued to evolve since they first were introduced in 2007.
Concern:  EV hasn’t eliminated phishing, so it must not work.
Let’s return to the seat belts.  Take the above statement and replace EV with seat belts and phishing with vehicular deaths.  “Seat belts haven’t eliminated vehicular deaths, so they must not work.”
We all see the fallacy in that statement.  It’s another variation on “perfect is the enemy of good.”  EV makes phishing much harder and gives users more opportunities to save themselves from falling for social engineering attacks, without meaningful downside.  That means it is a best practice and should be part of every serious IT professional’s security plan.
Concern:  Online businesses with EV certificates might have other security holes or poor business practices.
Yes, EV SSL focuses on one specific part of creating a safe online ecosystem.  There are many, many other security needs and business practices that EV doesn’t influence in any way.  Fortunately, EV is effective in its part of the overall security spectrum.  Other solutions focus on the many other security needs that online businesses face.
And if a business does engage in behavior that requires some kind of redress, it’s handy to have its official name and location clearly identified right on the web site.
Concern:  We should eliminate phishing in a more comprehensive and perfect manner.
That would be great.  If that utopian ideal ever comes about, everyone except the criminals will be happy about it.
In the meantime, we have to use the real-world solutions we actually have available to combat phishing.  EV is an indispensable part of that effort.
Of course, tools have not benefit if they aren’t used.  For EV SSL to make a difference to phishing it needs to be adopted by sites.  Stay tuned for part two of this discussion:  How Extended Validation SSL Is Good for Online Businesses – and Why That’s Important.