As you probably already know, the web has no shortage of cybercriminals out to steal your money and/or identity. You may have gotten a taste yourself — a little over a year ago I had to deal with a bill of over $700 for a smartphone ordered in my name! What you might not know is how easy it is to create a realistic, fake website to harvest passwords, credit card numbers, and other sensitive information from unsuspecting victims. Websites like this are often set up as part of phishing schemes – if you click a link in a scam email that claims to be from a legitimate organization like a business or school, you will be taken to a phony login page where the scammers hope you will give up the juicy details.
And here’s the scary part: About three-quarters of all phishing websites now have an SSL/TLS certificate! According to the Anti-Phishing Working Group’s Phishing Activity Trends Report for the 4th quarter of 2019, 74% of phishing websites use HTTPS. It’s free and easy for attackers to set up a DV certificate on a scam website, and your web browser will happily let you know that it’s “secure.” Google Chrome will even suggest that it’s perfectly fine to enter your password or credit card number:
Sure, your connection is “private,” as long as you don’t mind that it might be all just between you and some lowlife scammer on the other end. Abuse of free DV HTTPS has gotten so bad that the FBI issued a public service announcement on June 10, 2019 that states, “Do not trust a website just because it has a lock icon or ‘https’ in the browser address bar.” A detailed 2019 study of HTTPS phishing websites, by Vincent Drury and Ulrike Meyer of RWTH Aachen University, echoes this conclusion: “the simple user advice to check whether a website is HTTPS-protected is no longer effective against phishing.”
Despite these serious problems, most major web browsers have recently moved away from displaying validated information about website owners in the browser address bar for sites protected with Extended Validation (EV) certificates. Most browsers have also eliminated the “green bar” UI that previously indicated an EV-protected website. As a consequence, some businesses and other organizations have moved away from EV certificates and are protecting their websites with cheap (or free) Domain Validated (DV) certificates.
A DV website certificate does offer users a degree of protection by ensuring that communication is encrypted and that the entity running the site controlled the domain name when it applied for the certificate, but it provides no assurance of who actually owns and operates the website. Only a CA-validated EV or OV (Organization Validation) certificate provides this information.
Here’s how you can check in these popular browsers to see if a website owner has made the extra effort to protect and inform site visitors by using EV or OV certificates:
To summarize the information shown below, Internet Explorer currently does the best job of communicating EV information to users. Safari is still using the “green bar” UI to communicate EV status to users, but it still takes a click to identify the site’s owner. Chrome, Firefox, and Edge do not present any EV indicators in the address bar, and require users to dig for any validated information about a website’s owner. Chrome for macOS is particularly bad, requiring three clicks to view this information (or even determine if it exists).
Google Chrome
These screenshots were made in Chrome 80.0.3987.149 on Windows 10 Enterprise Version 1809.
1. Google Chrome displays a closed, dark gray lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV):
2. To get more information about a website’s certificate, click the lock.
3. Chrome shows that the connection is secure (encrypted), and we can see that the certificate was issued to SSL Corp. You can get more detailed information by clicking Certificate.
4. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab. (Note: In macOS, this information is shown in a different format that is similar to Safari.)
Mozilla Firefox
These screenshots were made in Firefox 73.0.1 on macOS 10.14.6 (Mojave).
1. Firefox displays a dark gray lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV).
2. To get more information about a website’s certificate, click the lock.
3. Now we can see that the website’s certificate was issued to SSL Corp:
4. You can dig for more information by clicking the > symbol on the right side of the dialog box.
5. Now we can see that SSL Corp is located in Houston, Texas.
6. If you’d like to see more detailed information, click More Information.
7. A page will open with full information about the certificate and chain of trust. Information about the website owner is shown under the Subject Name heading.
Microsoft Edge
These screenshots were made in Edge 80.0.361.66 (Chromium) on Windows 10 Enterprise Version 1809.
1. Edge displays the outline of a closed lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV):
2. To get more information about a website’s certificate, click the lock.
3. Edge shows that the connection is secure (encrypted), and we can see that the certificate was issued to SSL Corp. You can get more detailed information by clicking Certificate.
4. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab.
Internet Explorer
These screenshots were made in Internet Explorer 11.11098.11763.0 on Windows 10 Enterprise Version 1809.
1. For EV websites, Internet Explorer displays the address bar with a green background. A closed lock and the name of the site owner are shown to the right.
2. For DV and OV websites, IE shows a lock but not the company name and green background:
3. To view information about the website certificate, click the lock.
4. Here we can see that the site is operated by SSL Corp, of Houston, Texas.
5. To view more information about the website certificate, click View certificates.
6. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab.
Apple Safari
These screenshots were made in Safari 13.0.5 on macOS 10.14.6 (Mojave).
1. For EV websites, Safari displays a green lock and domain name:
2. For DV and OV websites, Safari displays a gray lock and black text:
3. To view information about the website certificate, click the lock:
4. For EV websites, information about the website owner will be displayed:
5. You can get more information by clicking the Show Certificate button:
6. Here you can get detailed information about the website certificate and the entire chain of trust leading to the root CA (in this case, SSL.com).
7. You can view details about the certificate by clicking the triangle to the left of Details.
8. You can see detailed information about the website owner under the Subject Name heading.
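The same Subject check can be done outside a browser with Python's standard ssl module; this is an added example, not part of the original article. It is a heuristic based on which Subject fields are present, because getpeercert() does not expose the certificate policy OIDs that formally mark a certificate as DV, OV or EV. The function names and the sample certificates are constructed for illustration.

```python
import socket
import ssl

# Subject attributes that only CA-validated certificates carry. getpeercert()
# reports them by OpenSSL long name, or by dotted OID on builds that lack the name.
ORG_KEYS = {"organizationName", "2.5.4.10"}
EV_KEYS = {"businessCategory", "2.5.4.15",
           "jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: infer DV / OV / EV from which subject fields are present."""
    fields = subject_fields(cert)
    if not ORG_KEYS & fields.keys():
        return "DV"   # domain control only, no validated owner in the Subject
    if EV_KEYS & fields.keys():
        return "EV"   # EV subjects add business category and jurisdiction
    return "OV"

def owner(cert):
    """Return the validated organization name, or None for a DV certificate."""
    fields = subject_fields(cert)
    return next((fields[k] for k in ORG_KEYS if k in fields), None)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live site's certificate after normal chain and hostname checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format (not real certificates).
DV_SAMPLE = {"subject": ((("commonName", "login.example.test"),),)}
OV_SAMPLE = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Org"),),
                         (("commonName", "www.example.test"),))}
EV_SAMPLE = {"subject": ((("1.3.6.1.4.1.311.60.2.1.3", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.test"),))}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        print(validation_level(sample), owner(sample))
```

For a live site, pass the result of fetch_cert("hostname") to validation_level() and owner(); a "DV" result with no owner means the certificate says nothing about who runs the site.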