A couple of months ago I wrote here about HTTPS and website security from a user standpoint. I need to add to that, because bad guys can also obtain the digital certificates that make browsers show green padlocks or suppress warnings about unencrypted sites.
The issue here is that an ordinary certificate, the kind that lets a site use https:, doesn’t verify that the site itself is legitimate; it only proves that whoever set up the site controls that domain name and that your communication with it is encrypted. As such, while it is an important protection for the user, it is nowhere near enough to ensure that the site is not a scammer, fraudster, or another type of bad actor.
Longtime readers of this blog will likely expect me to enjoin users to constantly beware, perform due diligence, etc. I’m not going to do that this time because I’ll be teaching another of Learning Tree’s Security Awareness courses soon, and because I’ve talked about these things before.
Instead, I want to stress the importance of Extended Validation (EV) certificates. In my earlier post I wrote:
This type of certificate requires extensive validation and provides the most trust. The issuer of the certificate does significantly more rigorous checks of the applicants for these certificates. … Different browsers convey the information that the site is using an EV certificate in different ways. Most involve showing the name of the owner of the site in green.
There are two important things that make these certificates especially valuable in determining the safety of a website:
A critical piece is revocation checking. Normally the browser has to ask the issuing certificate authority, via the Online Certificate Status Protocol (OCSP), whether a certificate has been revoked, and if that query fails most browsers quietly carry on. OCSP stapling reverses who does the fetching: the server regularly obtains a time-stamped, CA-signed OCSP response for its own certificate and sends it along with the certificate in the TLS handshake, so the browser gets a fresh status without contacting the CA itself (the browser still checks the CA’s signature and the freshness of that response; only the fetching moves to the server). On top of that, a certificate can carry the “OCSP must-staple” flag (the TLS Feature extension defined in RFC 7633), which tells the browser to refuse the connection if no stapled response arrives. Strictly speaking, neither stapling nor must-staple is tied to EV certificates; any certificate can carry the flag and any server can staple. But together they are what make a revoked certificate stop working promptly instead of lingering until the browser happens to ask.
Unfortunately, the practice is messier than the idea: servers may fail to fetch or refresh the stapled response (sending a stale one, or none at all), most browsers soft-fail and silently continue when an OCSP answer or a staple is missing, and users may not notice or care that a site name is not shown in green. The design is sound, but the implementations often fall short.
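As an added example, not code from the original post, here is a small Go program that does what a careful client should: it inspects the server’s leaf certificate for the must-staple (TLS Feature, RFC 7633) extension, checks whether the server actually stapled an OCSP response in the handshake, and flags the mismatch described above, a certificate that demands a staple served by a server that sends none. So that it runs offline, it generates a throwaway self-signed certificate and a local TLS server; the host name example.test and the stapled bytes are constructed, and the “response” is a placeholder rather than a real CA-signed OCSP response, which is fine here because Go’s crypto/tls passes the bytes through without validating them (and, notably, does not enforce must-staple on its own).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-tlsfeature (RFC 7633): the certificate extension behind "OCSP must-staple".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// TLS extension type number for status_request (RFC 6066), the feature
// a must-staple certificate lists.
const statusRequestFeature = 5

// CertRequiresStaple reports whether the certificate asks clients to refuse
// a handshake that carries no stapled OCSP response.
func CertRequiresStaple(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		// The value is a DER SEQUENCE OF INTEGER naming the required features.
		var features []int
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			return false
		}
		for _, f := range features {
			if f == statusRequestFeature {
				return true
			}
		}
	}
	return false
}

// Verdict is what a checker reports for one handshake.
type Verdict struct {
	MustStaple bool // the leaf certificate carries the must-staple flag
	Stapled    bool // the server sent an OCSP response in the handshake
}

// Violation is the failure mode the post warns about: the certificate demands
// a staple, but the server did not send one.
func (v Verdict) Violation() bool { return v.MustStaple && !v.Stapled }

// CheckStaple performs one TLS handshake against addr and records whether the
// server stapled and whether its certificate required it. crypto/tls only
// exposes the raw staple bytes; validating them is left to the caller.
func CheckStaple(addr, serverName string, roots *x509.CertPool) (Verdict, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return Verdict{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return Verdict{
		MustStaple: CertRequiresStaple(st.PeerCertificates[0]),
		Stapled:    len(st.OCSPResponse) > 0,
	}, nil
}

// selfSignedCert builds a throwaway certificate for the constructed name
// example.test, optionally carrying the must-staple extension.
func selfSignedCert(mustStaple bool) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if mustStaple {
		val, _ := asn1.Marshal([]int{statusRequestFeature}) // DER: 30 03 02 01 05
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Simulate serves one handshake from a local TLS server configured with the
// given certificate flavour and staple (a constructed placeholder, or nil to
// send none) and returns what the client observed.
func Simulate(mustStaple bool, staple []byte) (Verdict, error) {
	cert, pool, err := selfSignedCert(mustStaple)
	if err != nil {
		return Verdict{}, err
	}
	cert.OCSPStaple = staple
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Verdict{}, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake()
		c.Close()
	}()
	return CheckStaple(ln.Addr().String(), "example.test", pool)
}

func main() {
	fake := []byte("constructed-fake-ocsp-response") // placeholder, not a real response
	for _, tc := range []struct {
		name       string
		mustStaple bool
		staple     []byte
	}{
		{"plain cert, no staple", false, nil},
		{"must-staple honoured", true, fake},
		{"must-staple violated", true, nil},
	} {
		v, err := Simulate(tc.mustStaple, tc.staple)
		fmt.Printf("%-22s must_staple=%v stapled=%v violation=%v err=%v\n",
			tc.name, v.MustStaple, v.Stapled, v.Violation(), err)
	}
}
```

Against a real site the equivalent one-shot check is `openssl s_client -connect host:443 -status </dev/null`, which prints the stapled response or “no response sent”, and `openssl x509 -noout -text` on the certificate, which lists the extension as “TLS Feature: status_request”.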
The use of EV certificates can and should significantly increase user confidence in a site’s ownership and security. Sadly, the web has a long way to go to help less-aware users not just feel secure, but be secure.
To your safe computing,