Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …

  1. petetp

    The phuckers.

  2. Dan 55 Silver badge

    So it just goes to show...

    ... encryption is not authentication.

    1. streaky

      Re: So it just goes to show...

      ... and certificates aren't a way to identify parties as respectable - nor validate servers as secure.

      PKI was never intended, designed or expected to fulfil that role. The problem is people trying to bend it to fulfil that role. Getting what are and should be legitimate certificates for legitimate domains is and should be easy - and cheap.

      I don't know what the solution to the other thing is but it isn't PKI or at least it isn't PKI alone. Education will play a huge role obviously. More crypto is good. We should stop trying to shoehorn more general identification technologies into the thing that seeks to provide a secure communication channel between endpoints. DNSSEC probably has a part to play in identification more than PKI.

      1. Anonymous Coward

        Re: So it just goes to show...

        DNSSEC probably has a part to play in identification more than PKI

        In what way??

        So long as I can register (say) "halifax-online.co.uk", then I own that domain, and I can secure it with DNSSEC just the same as I can get a HTTPS certificate from letsencrypt or any other CA.

        The fundamental problem is that if end users see "halifax" in the domain name then they assume this means that it has something to do with the well-known bank of that name; or even a similar-looking name like "hal1fax" or "hallifax".

        1. NonSSL-Login

          Re: So it just goes to show...

          The ability for anyone to get a cost-free certificate through LetsEncrypt is another reason that phishing and malware domains are using HTTPS more often recently too. Just as likely a reason as browser warnings imo.

          Unicode domains make phishing domains look more identical than changing an 'I' for a '1'...

  3. Martin Summers Silver badge

    An arms race they will not win. Now rather than have the casual scammer diluting the 'market' we are left with a concentration of those who have the ability to defraud you in a much more sophisticated way. They've just handed those scumbags a larger pay day.

    1. Jason Bloomberg Silver badge

      The approach being taken wrongly convinces the naive they are safe. They will see "https" and believe they aren't in dangerous waters while entirely innocent folk using "http" for whatever reason will be perceived as scammers or worse.

      It 'criminalises' the innocent while providing cover for the scammers.

      When there are sites which are safer than many others which a browser won't let people get to, but allows unrestricted access to very dangerous sites, something has gone badly wrong.

    2. Hargrove

      An arms race they will not win.

      @Martin Summers

      Absolutely on the mark. The internetworked system we all depend on was not designed for the current cyberthreat environment. In reality, as a system, it was not designed at all, but grown like Topsy to maximize return on investment. The fact that we all -- IT providers and customers alike -- share in the benefits of that return doesn't change the harsh reality.

      Such a system is not secure. It is inherently un-securable.

      Security as a cloud computing service is not a solution, because of another harsh reality. The predominant threat of theft and exploitation is now, and ever shall be, the insider threat.

      I believe that there are technical solutions to be had for a price. User devices will cost more and be marginally less convenient to use. IT providers are going to have to forego the business model of reselling hoovered data with no value added. It will not be cheap, but it will be a lot cheaper than the alternative.

  4. mark l 2 Silver badge

    It is no surprise that scammers have taken advantage of getting SSL certs since you can now get them with no financial cost or checks. Letsencrypt.org or cloudflare.com both allow you to get SSL connections for free with nothing more than an email address needed. While their services are good for genuine websites to get themselves an SSL cert, they were bound to be abused by the scammers. Let's just hope that a solution is found before these free SSL certs end up not being trustworthy and all the existing certs get revoked.

    1. Anonymous Coward

      "for free with nothing more than an email address needed"

      SSL certs require a domain be registered and have a valid A record, not an email address. This means that significantly more effort is required which slows things down somewhat. It also means that we (the goodies) have more things to look out for to bounce or drop crap.

      Free SSL certs are a damn good thing - I use a lot of them myself. Don't confuse encrypted with authenticated.

      1. Anonymous Coward

        Domains can be registered by the sackful with fake identities. Crooks register them automatically without issues, little effort is required and that doesn't slow down anything. Or compromised sites can easily be used - and a large number of badly maintained sites using free SSL certs will only increase that number.

        Free SSL certs are the wrong answer to a real problem, and unluckily the end result will be that sites using SSL cannot be trusted anyway.

        1. Ben Tasker

          Free SSL certs are the wrong answer to a real problem, and unluckily the end result will be that sites using SSL cannot be trusted anyway.

          They're also the right answer to the problem they're trying to solve.

          The question is, how can I be sure I'm talking to an authorised endpoint for www.hsbc.co.uk - which SSL certificates do very well.

          The question is not how can I be sure I'm talking to an authorised endpoint for HSBC?

          The difference is that the first is simply checking that the cert is valid for the domain you're going to.

          The second is looking to try and authenticate that the endpoint is authorised for use by a specific organisation, which is going to fall flat if you haven't noticed the URL is hsbc.evilsite.invalid.

          Certs exist purely to authenticate that you're going to a permitted endpoint for the domain you're accessing, before establishing an encrypted connection (and potentially transmitting sensitive data).

          Realising you're going to the wrong domain is down to you (though reviewing the cert can help you with that). That's an issue whether the cert is free or not.

  5. Anonymous Coward

    Hand up....

    ...who couldn't see this coming?

    Anyone?

    Still at least you will no longer visit that "dangerous" blog / club page that doesn't even want your details.

    No, just head along to that "safe" fake bank site instead.

    1. This post has been deleted by its author

      1. cantankerous swineherd

        Re: Hand up....

        Why would I even begin to do that when it's so much easier to just not do internet banking.

  6. Anonymous Coward

    unless scammers also get EV certificates

    ... it is not that much of a problem. Yes, uneducated users will assume that connection is safe if "https" is present in the URL window, but they should also know to check for whom the certificate had been issued. It is very easy to do. Like most other things in computer security it is an education issue, and not something that technology can address directly.

    1. Erix

      Re: unless scammers also get EV certificates

      Why don't you enlighten us a little then? Let's take a prime example, the Reg's own SSL certificate for instance, issued by none other than CloudFlare. When viewing the certificate in Firefox, the field "issued to Organization (O)" says Cloudflare and "Common Name (CN)" is theregister.co.uk. Where can a user check "for whom" the certificate has been issued? How can you tell if this is actually a stand-up pillar of journalism or a wretched hive of scum and villainy? (on second thought, never mind...)

      1. Anonymous Coward

        Re: unless scammers also get EV certificates

        Assessing a certificate's origin requires a good knowledge of how PKI and X.509 certificates work - outside the knowledge of most users.

        Also, because of that, most applications do their best to make that information difficult to access. How many clicks do you need to access it? In Firefox it's at least four, if you know where to look. And the "Details" page for a certificate is a pain in the ass to use. You need to click every field to read its value.

        1. Erix

          Re: unless scammers also get EV certificates

          LDS: too true, but a certificate's origin does not necessarily say much about for whom it has been issued.

          I dare anyone to determine, only by examining the certificate in the browser, that the Reg's SSL cert has actually been issued to Situation Publishing (or to whoever manages the site).

          The latest crop of browsers throwing fits about non-SSLed connections only makes websites bolt on free SSL just to shut up those pesky browser warnings. Does it make the net any more scammer safe? Not a bit, the problem has just been swept deeper under the carpet.

          1. Anonymous Coward

            "but a certificate's origin does not necessarily say much about for whom it has been issued."

            That's because the trust in CAs and the certificate chain has been broken by stupid greedy business practices. It's just like money: you trust the issuer, and that what is printed on the banknote is true, and it will be accepted anywhere because everybody trusts the issuer.

            Unluckily the CA business has been treated as a generic business, and the focus shifted from certifying certificates to trying to make easy money by just increasing the number of certificates sold. It's clear it can't work that way. You can add more fields in a certificate to identify the owner, and you should expect the ownership to be verified by the CA issuing it.

            In the beginning, probably, with only a few actors using certificates, it was a smaller issue. Today, being able to identify the owner of a certificate, and spot spoofing attempts, is a clear big issue. IMHO CAs should be regulated, and the issuing of certificates as well. Free certificates with minimal vetting could still be used, but they should be identified as such - "limited security".

            Simple encryption of transmissions can be achieved without the need for certificates; session key exchange algorithms work without certificates. The only reason to use a certificate is exactly the need to authenticate the endpoints.
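Ben Tasker's distinction earlier in the thread (a certificate is valid for a domain name, not for an organisation) and the question just above of where, if anywhere, the owner appears in a certificate can both be shown on the fields a client actually sees. The following is an added example, not any poster's code: it takes certificates in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, checks the hostname against the Subject Alternative Names (with the usual single-label wildcard rule), and reports whether a subject organisation is present at all. Both certificates are constructed samples; "Example DV CA", "Example OV CA", "Example Bank plc" and the `.invalid` names are placeholders.

```python
# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(): RDNs are tuples of tuples of (key, value).
# A domain-validated cert carries no organisation at all; only the names.
DV_CERT = {
    "subject": ((("commonName", "hsbc.evilsite.invalid"),),),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "Example DV CA"),),      # placeholder issuer
    ),
    "subjectAltName": (
        ("DNS", "hsbc.evilsite.invalid"),
        ("DNS", "www.hsbc.evilsite.invalid"),
    ),
}

# An organisation-validated cert adds O= in the subject; that field is the
# only place a vetted owner name lives, and DV certs simply do not have it.
OV_CERT = {
    "subject": (
        (("countryName", "XX"),),
        (("organizationName", "Example Bank plc"),),  # placeholder owner
        (("commonName", "www.examplebank.invalid"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (
        ("DNS", "examplebank.invalid"),
        ("DNS", "*.examplebank.invalid"),
    ),
}


def rdn_value(rdns, key):
    """Return the first value for `key` in a getpeercert()-style RDN tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def san_dns_names(cert):
    """DNS entries from subjectAltName: the names the cert is valid for."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: exact labels, or '*' covering one leftmost label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().split(".")
    if len(host_labels) != len(pat_labels) or len(host_labels) < 2:
        return False
    if pat_labels[0] == "*":
        return host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels


def describe_cert(cert, hostname):
    """What this cert proves about `hostname`, and what it does not."""
    names = san_dns_names(cert) or [rdn_value(cert["subject"], "commonName")]
    matched = next((n for n in names if n and hostname_matches(hostname, n)), None)
    return {
        "hostname": hostname,
        "valid_for_hostname": matched is not None,
        "matched_name": matched,
        # None for a DV cert: nothing in it names a responsible organisation.
        "organisation": rdn_value(cert["subject"], "organizationName"),
        "issuer": rdn_value(cert["issuer"], "organizationName"),
        "subject_names": names,
    }


def explain(cert, hostname):
    """One-line summary a user would actually need to read."""
    d = describe_cert(cert, hostname)
    if not d["valid_for_hostname"]:
        return f"{hostname}: certificate is NOT valid for this name (covers {d['subject_names']})"
    who = d["organisation"] or "no organisation (domain validation only)"
    return f"{hostname}: valid via {d['matched_name']}; owner on cert: {who}; issued by {d['issuer']}"


if __name__ == "__main__":
    print(explain(DV_CERT, "hsbc.evilsite.invalid"))
    print(explain(DV_CERT, "www.hsbc.co.uk"))
    print(explain(OV_CERT, "www.examplebank.invalid"))
```

The first call shows the thread's point exactly: the DV certificate is perfectly valid for `hsbc.evilsite.invalid`, and the only thing it says about an owner is nothing. Spotting that the domain is the wrong one is still the user's job, as Ben Tasker says; a cert viewer can only make the `organisation` field (when it exists) easier to find.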

    2. Ben Tasker

      Re: unless scammers also get EV certificates

      Yes, uneducated users will assume that connection is safe if "https" is present in the URL window, but they should also know to check for whom the certificate had been issued.

      Clearly, the Chrome developers would disagree with you, given they've moved "view certificate" from being

      - Click on the padlock

      - View certificate details

      To

      - Open developer tools

      - Switch to the Security tab

      - Select view certificate

      And when challenged on it, explicitly said that they didn't feel it was something a regular user needed.

  7. DropBear

    Frankly, it's about time people realize "https" only means you're really talking to the site your address bar says you're talking to on an encrypted channel and not some middle-man impersonating it - it says nothing whatsoever about said site being actually legit in its intent (or being that other site a letter difference away that you think you're talking to)...

    1. Robert Baker

      Frankly, it's about time people realize "https" only means you're really talking to the site your address bar says you're talking to on an encrypted channel and not some middle-man impersonating it - it says nothing whatsoever about said site being actually legit in its intent (or being that other site a letter difference away that you think you're talking to)...

      Case in point:

      www.emaildiscussions.com — good (tech forum about email, on which at least one member has been asking for https: as if that's a magic wand that will cure all that forum's ills)

      www.еmаіІdіѕсuѕѕіоnѕ.соm — bogus (unlike the first link, this one is mostly in Cyrillic characters which look like ASCII but aren't); which is why I haven't posted it as a hyperlink.
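The Cyrillic lookalike in the post above (and the earlier remark about Unicode domains) is the sort of thing a defender can check mechanically. The following is an added example, not Robert Baker's or anyone else's code from the thread: it converts a hostname to the punycode form a browser falls back to, flags labels that mix scripts, and folds lookalike characters to an ASCII "skeleton" so that a name can be compared against a list of hosts you care about. The `CONFUSABLES` table is a hand-picked subset in the spirit of Unicode TR39, not the full data set, and the fake hostname is reconstructed from the post with explicit escapes.

```python
import unicodedata

# Hand-picked subset of lookalike mappings (assumption: partial, in the spirit
# of Unicode TR39 confusables). Real tooling should load the full TR39 data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER PE
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0406": "l",  # CYRILLIC CAPITAL LETTER BYELORUSSIAN-UKRAINIAN I (renders like l)
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "I": "l",       # TR39 folds ASCII capital I and lowercase l together too
}


def script_of(ch):
    """Rough script classification taken from the Unicode character name."""
    if ch in "0123456789-.":
        return "COMMON"
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(host):
    """Labels that mix scripts, e.g. Cyrillic letters sitting next to Latin ones."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(host):
    """Fold lookalikes to ASCII so visually identical names compare equal.
    Confusables are mapped before lowercasing, because lower() would turn
    the capital Cyrillic I into its small form and lose the 'l' lookalike."""
    normalised = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(c, c) for c in normalised).lower()


def to_punycode(host):
    """The xn-- form a browser shows when it refuses to render a lookalike label."""
    return host.encode("idna").decode("ascii")


def analyse(host, known_hosts=()):
    """Combine the three checks; `known_hosts` is a list of names you protect."""
    sk = skeleton(host)
    lookalike = next(
        (k for k in known_hosts if k.lower() != host.lower() and skeleton(k) == sk),
        None,
    )
    return {
        "punycode": to_punycode(host),
        "mixed_script_labels": mixed_script_labels(host),
        "skeleton": sk,
        "lookalike_of": lookalike,
    }


# Constructed sample: the genuine forum host and the Cyrillic lookalike from
# the post above, written with explicit escapes so the code points are visible.
LEGIT = "www.emaildiscussions.com"
FAKE = (
    "www."
    "\u0435m\u0430\u0456\u0406d\u0456\u0455\u0441u\u0455\u0455\u0456\u043en\u0455"
    ".\u0441\u043em"
)

if __name__ == "__main__":
    for h in (LEGIT, FAKE):
        print(analyse(h, known_hosts=[LEGIT]))
```

The mixed-script check alone would miss a label written entirely in Cyrillic, which is why the skeleton comparison against a known list is the check worth running on certificate-transparency feeds or mail logs: the fake above folds to exactly `www.emaildiscussions.com`.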

  8. Spudley

    Looking at that graph, there's one question that jumps out at me.

    What is the difference between Firefox being "released" and Chrome being "rolled out"?

    1. Anonymous Coward

      "What is the difference between Firefox being "released" and Chrome being "rolled out"?"

      I suppose it could be because Firefox is a dog and Chrome is a fat bastard 8)

      (I use both)

  9. Kevin McMurtrie Silver badge

    El Reg fail

    The obvious solution is blacklisting certificate authorities supporting phishing sites. The CAs will start screening customers more carefully or they'll stop being in business. Google would probably do it since they'd only be blocking non-customers.

    Sorry Reg, but you'd definitely go offline with this blacklist because you're using Cloudflare. I can't think of any other business in the US that knowingly, even eagerly, provides services for phishing web sites.

    1. Simon Hobson Bronze badge

      Re: El Reg fail

      The obvious solution is blacklisting certificate authorities supporting phishing sites

      Yes, the obvious but wrong solution.

      If you do that, then inherently you are saying that all certificates must be something above domain validated, but not necessarily fully EV. Once you go above domain validated (ie you have sufficient control to receive an email to the hostmaster, or create a specific TXT record, or put a file on the web server) then you can kiss cheap or free certificates goodbye. And then you can kiss goodbye to "everything on SSL" since for probably the vast majority of people, the cost of an SSL cert is just something they can't be bothered with for their club blog that gets half a dozen hits a day.

      But I suspect that will be the next target - the big guys like Google really don't understand or give a s**t about the little guys. They are quite happy to change the rules and the rest of the world has to tag along with them. Just look at how enthusiastic they (along with so many others) are for breaking email - demanding SPF even though it's known (and was known while still in incubation) to be fatally broken in several ways.

      1. Kevin McMurtrie Silver badge

        Re: El Reg fail

        I would say that Google isn't using certificates correctly. Google says they're encryption and protection. They're primarily meant to be identification.

        That's why a blacklist should work - you want to not honor any CA that's not correctly identifying a responsible administrator for a web site. When a phishing site gets a certificate, either the identity is wrong or it's identifying somebody who is not properly responsible for the domain. For example, Cloudflare gives out certificates but they don't give a rat's ass where the content comes from or who provided it as long as they get their money. That's not naming a responsible identity.
