Sophisticated phishing attacks and the value of EV certificates

Security professionals and consultants have recently taken greater interest in a specific feature of all modern web browsers: displaying domain names registered with alphabets or characters outside ASCII. More specifically, internationalized domain names, stored in DNS in their punycode form, have been used for registering domains for some time now. Cleverly crafted domain names such as https://www.аррӏе.com can easily deceive users and trick them into entering confidential information (another example of this is https://www.еріс.com/). Such a domain is registered entirely in the Cyrillic alphabet, has a valid SSL certificate issued for its ASCII (punycode) address, and, should it carry carefully crafted and convincing Apple, iTunes or shop content, even the most cautious users would be hard-pressed to spot the fraud.

The attack is only noticeable when inspecting the SSL certificate, which in some web browsers requires opening the developer tools.

Google has countered this new threat in version 59 of its Chrome browser, which displays the ASCII (punycode) form of such names instead of the decoded Unicode characters. This may not seem fair to users who registered legitimate domains in other alphabets, such as Chinese or Cyrillic, or with special characters that occur even in some European languages. Since this really is not a bug but a feature, Mozilla has decided not to interfere with domain names and has left the problem to the registrars. If you nevertheless want Firefox to show the punycode form of such domains, enter “about:config” in the address field and set the “network.IDN_show_punycode” option to “true”.
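The following script is an added example (not code from the original post or from any browser vendor) that shows, with the Python standard library only, what the two browser behaviours discussed above amount to: converting a hostname to the punycode form that Chrome 59 displays and that the certificate is actually issued for, and applying a simple heuristic in the spirit of Chrome's lookalike check, flagging labels that mix scripts or that consist only of Cyrillic letters resembling Latin ones. The table of Cyrillic/Latin lookalikes is a constructed, deliberately incomplete approximation, and the script detection via Unicode character names is a stand-in for the real Unicode script property, which the standard library does not expose; both are assumptions of this example.

```python
import unicodedata

# Constructed (not exhaustive) table of Cyrillic letters whose glyphs are
# near-identical to Latin letters in common fonts. Assumption: a label built
# only from these letters reads as a Latin word to a human.
CYRILLIC_LATIN_LOOKALIKES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ӏ": "l",
}


def script_of(ch):
    """Approximate the Unicode script of a character.

    The standard library has no script property, so the first word of the
    character name (LATIN, CYRILLIC, GREEK, ...) is used as a stand-in.
    Digits and hyphens belong to no script; callers skip them.
    """
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_punycode(host):
    """The ASCII (xn--) form sent on the wire and named in the certificate."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # label that IDNA (RFC 3490 rules in the stdlib) rejects


def analyse_label(label):
    """Classify one DNS label. Returns (reason or None, Latin skeleton)."""
    # Skeleton: what the label looks like once lookalikes are replaced.
    skeleton = "".join(CYRILLIC_LATIN_LOOKALIKES.get(c, c) for c in label)
    if label.isascii():
        return None, skeleton
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        return "mixed scripts %s" % sorted(scripts), skeleton
    if letters and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters):
        return "whole-script confusable, reads as %r" % skeleton, skeleton
    # Non-ASCII but not confusable with Latin (e.g. a genuine Cyrillic word).
    return None, skeleton


def assess_hostname(host):
    """Report how a hostname renders and whether it deserves a second look."""
    host = unicodedata.normalize("NFC", host.lower())
    reasons, skeletons = [], []
    for label in host.split("."):
        reason, skeleton = analyse_label(label)
        skeletons.append(skeleton)
        if reason:
            reasons.append("%s: %s" % (label, reason))
    return {
        "unicode": host,
        "punycode": to_punycode(host),
        "looks_like": ".".join(skeletons),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The two hostnames from the article plus a constructed mixed-script one
    # and a constructed legitimate Cyrillic one, for comparison.
    for sample in ["www.apple.com", "www.аррӏе.com", "www.еріс.com",
                   "pаypal.com", "яндекс.рф"]:
        report = assess_hostname(sample)
        print("%-16s -> %-24s looks like %-16s suspicious=%s %s" % (
            report["unicode"], report["punycode"], report["looks_like"],
            report["suspicious"], "; ".join(report["reasons"])))
```

The `punycode` field is the name a user would see in Chrome 59 and in the certificate's subject, which is why inspecting the certificate reveals the trick even when the address bar does not; the `looks_like` field is the Latin word the victim believes they are reading. A genuine all-Cyrillic name is left alone because its letters do not all resemble Latin ones, which is the distinction Chrome's heuristic draws and the reason Mozilla considered the display a feature rather than a bug.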

Due to Chrome's size and market share, this is not the first time that Google has imposed its decisions on the market. Its reactions sometimes have positive outcomes, such as the development and adoption of new and modern cipher suites, but at other times they directly disadvantage companies that think otherwise. This is why, starting with the latest version of Chrome (59), Google has stopped honouring Symantec Extended Validation (EV) certificates as EV and treats them like regular Domain Validation (DV) certificates. Veracomp also uses an EV certificate, which is highlighted by the green text in front of this website's URL. The Certification Authority that issued this particular certificate guarantees to every visitor of this website that they are really visiting the website of the company it represents.

For the Certification Authority, in this case Entrust, to provide this guarantee to all users of this website, it evaluated and verified Veracomp as the company behind the site and the provider of any services offered on it. The review procedure lasted several days and included several phone calls to various senior employees, verification of our authority to add DNS records for this domain, a legal review of the company, and checks of the identity documents of the responsible persons.

Part of the procedure is not public, but the thoroughness of the review is what backs Entrust's guarantee to future users that they are visiting the expected website. Most financial organizations in the world have recognized the importance of EV certificates, and the same is true in our region, where all leading banks use EV certificates in their Internet banking systems. Some have separate certificates and use EV only on the Internet banking subdomain, while others use EV across their entire domain. In either case, the certificate issuer also guarantees to the user that the visited website is the legitimate place to perform financial transactions. Some banks have even begun to educate users on how to check the domain name from which the bank sends them email, which addresses they visit, and so on. However, particularly in view of the attack method described above, perhaps the simplest and most effective security tip is to instruct users to look for the green text in front of the URL when using Internet banking.

In light of recent events involving Symantec CA (and its affiliates GeoTrust, Thawte and RapidSSL), for which Chrome is expected to stop honouring EV certificates according to the announced timeline, the unpleasant fact is that most certificates issued in our region come from Symantec CA members. The reason is a very loose issuance process, especially for EV certificates, which has troubled Google for several years and has ultimately led it to force Symantec to re-evaluate its internal processes and strengthen the review procedure when issuing Extended Validation certificates to companies. This is another blatant example of market-share power, which will unfortunately affect Symantec customers and their users. We recommend that all banks (and other affected entities) in the region contact Symantec and request a new certificate, which should be provided free of charge, before they are affected by the end of validity of their existing certificates. Symantec, for example, reissued its own certificate immediately after this issue became public.

The safest decision in the long run would be to use Symantec certificates with a validity shorter than 9 months.

To ensure long-term protection and fewer administrative complications when certificates change or are renewed, we recommend Entrust CA (also our CA of choice), a company whose core business is SSL, focused on development, actively involved in the organizations that develop and manage SSL/TLS, and generally engaged with various communication protocols and standards.

Check the general SSL settings of your website using the Entrust SSL Labs online tool and download the guide from here.

We are at your disposal for all additional information and questions.