Warning! SSL Certificates on Malicious Phishing Sites
Did you know that even though your Chrome browser tells you a website is secure, in reality the site’s certificate may already have been revoked? Chrome will still show the site as ‘Secure’. The fact that the certificate is revoked is buried so deep in Chrome developer tools that most people will never find it.
I feel this is something every online user should know about and I’ll explain how to protect yourself and your friends and family against the growing number of phishing sites that are now installing free valid SSL certificates and are shown as ‘Secure’ by Chrome.
- SSL certificates are being issued by several certificate authorities (CAs) to malicious phishing sites disguising themselves as Microsoft, Google, Home Depot, Apple and many other well-known companies.
- When they get a valid certificate, it causes your Chrome browser to show the website as “Secure”.
- When a CA realizes they should not have issued it, the certificate is revoked. The problem is that Chrome still shows the site as “Secure”. To find the “revoked” status you must dig into Chrome’s developer tools.
- It takes some time for malicious sites that have been issued valid SSL certificates to appear on Chrome’s malicious site list. This shows that the safe browsing list is not a reliable tool to protect you from malicious websites with valid SSL certificates.
How Can a Valid SSL Be Used Maliciously?
Companies will go to the free SSL CA site Let’s Encrypt and get a certificate for a domain name that may include something like www.play.google.com-index-secure.com. You can see that it has two dot coms in the address, which is a bit of a clue. When they get the certificate, they can add hundreds of other domains under that certificate. Even top CAs like Comodo aren’t exempt from this problem. What a mess!
Take a look at the address bar and make sure you can clearly see the domain name you are going to and that it’s not just a familiar name with other words stuffed before and after the domain’s address.
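The address-bar check described above can be automated for a mail filter or proxy log review. The following is an added example, not code from the original article: it finds the domain a URL really belongs to and reports well-known domains that are merely stuffed into the hostname. The `TRUSTED_DOMAINS` list and the short `TWO_LABEL_SUFFIXES` set are assumptions made for illustration; a production check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a small, constructed list of domains users expect to see.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "apple.com", "homedepot.com"}
# Assumption: simplified stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url):
    """Return the lower-cased hostname, accepting URLs with or without a scheme."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the first part as the host
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Return the part of the hostname that was actually registered."""
    labels = hostname_of(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    # Keep three labels when the name ends in a two-label suffix such as co.uk.
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def embedded_brands(url):
    """Return trusted domains that appear in the hostname but do not own it."""
    host = hostname_of(url)
    if registrable_domain(url) in TRUSTED_DOMAINS:
        return []  # the familiar name really is the registered domain
    # Substring match on purpose: it also catches look-alikes such as
    # "notgoogle.com", which deserve a second look as well.
    return sorted(d for d in TRUSTED_DOMAINS if d in host)


if __name__ == "__main__":
    samples = [
        "https://www.play.google.com-index-secure.com/login",  # from the article
        "https://play.google.com/store",                       # constructed
    ]
    for url in samples:
        print(url, "->", registrable_domain(url), embedded_brands(url))
```

For the article's example hostname, the registered domain is `com-index-secure.com`, and `google.com` is reported as an embedded name rather than the real owner.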