Posts Tagged ‘Browsers’

When SSL isn't safe

Sunday, November 16th, 2008

Users are generally told that when they see the little padlock at the bottom of the browser window the data they send is safe. All the padlock actually shows is that the connection is secure: the data is encrypted via SSL and is more or less guaranteed to arrive at the server without being tampered with, and the server presented a certificate for that hostname that was issued by a certificate authority the browser trusts. It doesn't directly show any of the identity information in that certificate, i.e. who the server belongs to. It would seem like a better idea to show who the certificate belongs to alongside the padlock. Many browsers don't, and this means many users never know who the site they are using belongs to.

The browser padlock bar


There is little or no checking of who you are when you submit a certificate signing request for an ordinary (domain-validated) certificate: the CA confirms that you control the domain name, typically by emailing an address at that domain, and occasionally someone will call to verify your phone number. Nothing ties the certificate to a real-world identity. Attackers are now taking advantage of this by registering SSL certificates for their fake websites, so that the padlock helps convince users the site is genuine when carrying out phishing attacks.

What can you do? Well, extended validation (EV) certificates are becoming more and more popular. Obtaining one is much more difficult: the CA has to verify the legal identity of your organisation against official registration records, not just your control of the domain. The benefit of such a certificate is that the browser shows a green bar next to the URL naming the owner of the site, so the identity is visible without opening the certificate. This additional validation comes at a price: a normal non-EV certificate costs about $30 for a year, while the cheapest EV certificate costs around $600 for the year, a twenty-fold increase.
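The identity the padlock hides lives in the certificate's subject name, and the difference between a DV and an EV certificate is visible there. The following is an added example of mine, not code from the post: it encodes and decodes an X.509 subject Name in DER and reports what a browser could honestly show beside the padlock. The two sample subjects and the values in them are constructed, not taken from real certificates; the attribute OIDs come from X.520 and the jurisdiction OID and required EV fields from the CA/Browser Forum EV Guidelines. The EV classification is a heuristic based on subject shape only; browsers actually decide on the EV green bar by matching a certificate policy OID against their list of EV-enabled roots, which this example does not parse.

```python
"""Decode an X.509 subject Name (DER) and report the owner identity a browser
could show beside the padlock. Added illustration, not the post's own code;
the sample subjects are constructed, not taken from real certificates."""

# X.520 attribute types, plus the EV jurisdiction OID from the CA/Browser Forum
# EV Guidelines. Assumed sufficient for this illustration.
OIDS = {
    "2.5.4.3": "CN",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
NAMES = {short: oid for oid, short in OIDS.items()}

def _length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER element (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_name(attrs):
    """attrs: list of (short name, text) -> DER Name:
    SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _oid(NAMES[short]) + _tlv(0x0C, text.encode())))
        for short, text in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, body, position after this element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def decode_name(der):
    """DER Name -> {short name or raw OID: text}. The string tag is not checked:
    UTF8String, PrintableString and IA5String all decode as UTF-8 (BMPString would not)."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            dotted = _decode_oid(oid)
            attrs[OIDS.get(dotted, dotted)] = value.decode("utf-8")
    return attrs

# Fields the EV Guidelines require in the subject. Heuristic only: the
# authoritative EV signal is the certificatePolicies OID the browser matches
# against its list of EV-enabled roots, not the shape of the subject.
EV_FIELDS = ("O", "C", "businessCategory", "jurisdictionCountryName", "serialNumber")

def identity_for_padlock(subject):
    """What the padlock could honestly show for this subject, and why."""
    if all(f in subject for f in EV_FIELDS):
        return "EV-style", f"{subject['O']} ({subject['jurisdictionCountryName']})"
    if "O" in subject:
        return "OV-style", subject["O"]
    return "DV-style", subject.get("CN", "(no CN)")   # only the hostname is vouched for

# Constructed sample subjects (not real certificates).
DV_SUBJECT = encode_name([("CN", "www.example.com")])
EV_SUBJECT = encode_name([
    ("C", "GB"), ("businessCategory", "Private Organization"),
    ("jurisdictionCountryName", "GB"), ("serialNumber", "01234567"),
    ("O", "Example Ltd"), ("CN", "www.example.com"),
])

if __name__ == "__main__":
    for label, der in (("DV", DV_SUBJECT), ("EV", EV_SUBJECT)):
        kind, shown = identity_for_padlock(decode_name(der))
        print(f"{label} subject: {decode_name(der)}\n  padlock could show: {kind} -> {shown}")
```

Run as a script it prints both decoded subjects: the DV one contains nothing but the hostname, which is exactly why a padlock on a phishing domain proves nothing about who runs it, while the EV one carries the organisation name, country and registration number that a browser can put in the green bar. The same decoder works on the subject pulled out of a real certificate, for example the `subject` field returned by Python's `ssl` module or the output of `openssl x509 -outform DER`, once you walk the outer certificate structure to reach the Name.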

Is it worth it? Maybe – but only if you can educate users into questioning the identity of the websites that they use.