One of the current trends in malware is that of ID Theft. Most people think of it as stealing credit card or banking details or using an individual’s personal details to defraud government agencies. That’s not the whole story. Stealing a company’s ID or website is becoming more and more common.
A common technique is that you find an email in your inbox that seems to come from your local bank. It usually asks you to confirm your online banking details and redirects you to a website. You go to the website, do what it asks and forget about it until you go to the ATM to draw money and find that your account has been emptied.
Another is that you go to a well-known website in response to an email offering goods or services at an amazing price. You pony up the cash, and never see your purchase. You didn’t in fact go to the well-known company, but to another web address created by fraudsters.
How do you not fall for this, and how does a legitimate organisation implement website security on its business website to prevent hijacking of their name and website?
First, hover over the link. If it doesn’t look legitimate, don’t follow it. If the email claims, for example, to be from the XYZ bank or company, and the website URL in the email doesn’t point to the XYZ domain, be very suspicious.
Second, most legitimate companies now identify their business websites as secured websites, which gives comfort to the user that they are in fact who they say they are.
The technology they use is Secure Sockets Layer (“SSL”). What is SSL and can you be sure that SSL is adequate protection for you?
SSL is a global industry standard setting out the standards and protocols to enable an encrypted conversation between two parties. It is used in secure email, but mostly between a web server and a web browser.
How do you recognise that you are dealing with a website with an SSL certificate?
Your web browser displays the padlock and uses the https:// site prefix rather than http://. If you don’t see both then the site is not secured by an SSL certificate.
How is security established?
If one party to a connection is a web server, it is provided with an SSL certificate by a trusted third party, the Certificate Authority (“CA”). The SSL certificate allows the other party to verify the identity of the website and to set up a secure encrypted connection.
The CA has a self-generated certificate called a root certificate that identifies the CA. Many browser and operating system suppliers including Microsoft, Mozilla and Java include CA root certificates in their certificate store, enabling a browser to very quickly tell if a root certificate is valid. If it isn’t then the browser treats the connection as untrusted.
Once the connection is verified as trusted, a process called the “SSL Handshake” establishes the secure connection:
- the server sends a key to the browser;
- the browser creates a new key, encrypts it according to the server key, and sends it back;
- the server decrypts the browser key and creates a new key, the symmetric key, which is used by both sides of the connection to encrypt and decrypt the information passing between the two.
The key is unique to the session. If the session is closed and reopened, a new key is generated.
There are several types of certificate and three levels of trust.
- A single certificate secures one website;
- A wildcard certificate secures a website and any sub-sites, for example abc.com and anything.abc.com; and
- Multi-website certificates.
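The three certificate types above differ only in which hostnames they list. As an added example (not code from the original article), this Python sketch checks a hostname against the names in a certificate, where a wildcard stands for exactly one label. The name lists and hostnames are constructed samples, and the rule rejecting wildcards with fewer than three labels is a simplification of what browsers enforce.

```python
# Added example: hostname matching against the names listed in a certificate.
# All certificate name lists and hostnames below are constructed samples.

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A leading "*." stands for exactly one label, so "*.abc.com" covers
    "shop.abc.com" but not "abc.com" or "a.b.abc.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Different label counts can never match; empty labels are malformed.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Simplified rule (assumption): refuse broad wildcards like "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed certificates, one per type in the list above.
SINGLE = ["www.abc.com"]                        # one website
WILDCARD = ["abc.com", "*.abc.com"]             # website plus sub-sites
MULTI = ["abc.com", "abc.org", "shop.abc.net"]  # several websites

if __name__ == "__main__":
    hosts = ["www.abc.com", "anything.abc.com", "abc.com",
             "a.b.abc.com", "abc.com.example.net", "abc-login.com"]
    for host in hosts:
        print(f"{host:22} single={cert_covers(SINGLE, host)} "
              f"wildcard={cert_covers(WILDCARD, host)} "
              f"multi={cert_covers(MULTI, host)}")
```

The last two hostnames contain the text "abc" but belong to other domains, so none of the three certificates covers them.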
The three levels of trust are:
- Domain (website) validation. This is the basic level, certifying encryption and ownership of the website name;
- Ownership validation. In addition to the domain level of trust, other aspects including some details about the owner are validated. The additional information can include details such as name and address;
- Extended Validation. The highest level of security. In addition to the domain details, a range of offline information is validated, usually including the physical and operational status of the organisation registering the domain. In this case the address bar at the top of the browser turns green and the website owner’s name is displayed in it.
In theory therefore, it should be impossible to impersonate a website because the fraudsters cannot duplicate the root certificate, the SSL Certificate and symmetric key. A further assurance is that the root certificate is issued and managed by a trusted third party, the CA.
The only way left to the fraudsters is for a user to click on a link that holds a different web address from that expected.
In answer to the question “Are SSL certificates an assurance you are browsing a secured website”, the answer is yes.