If you want your employees to browse the Internet safely you should try to restrict access to websites that have a valid SSL certificate. It is now common knowledge that SSL certification means a website is secure and can be trusted; but is that true?
Does a SSL Certificate mean a website is safe to use? The answer is a definite no. The HTTPS or a SSL certificate alone is not a guarantee that the website is secure and can be trusted.
Many people believe that a SSL Certificate means a website is safe to use. Just because a website has a certificate, or starts with HTTPS, does not guarantee that it is 100% secure and free from malicious code. It just means that the website is probably safe. In the vast majority of cases the sites will be. Just not always.
Unfortunately, phishers and other cyber criminals have discovered how to exploit trust in SSL certificates. Some phishing websites have valid SSL Certificates in place. This means even when you think your employees have been restricted to safe websites, they are still not protected from phishing sites. Relying on a block on sites that do not use SSL certification is a mistake, and potentially a very costly one.
It is a good idea to restrict access to unsecure websites, but further protections will be required if you want to be sure that your employees and your network are properly protected.
What is a SSL Certificate?
In short, an SSL Certificate is a file that permanently binds a key to a company’s website. When an SSL certificate is installed on a company’s web server, connections with that website will be secure. Information will be sent via port 443 using the https protocol.
SSL Certificates are used by websites to secure sessions with web browsers. You will be able to tell which websites have an SSL certificate in place because they will have a padlock next the web address. This means that the connection with that website is via a secure connection. The information you enter when connected to the website can be used with confidence, and most importantly, it gives an indication that the site is not malicious.
The SSL Certificate lets a website visitor know that the site is trustworthy and informs those who look that the site belongs to a specific organization. It is important never to enter credit card details or bank information if a website does not have a valid SSL certificate. That would be an unacceptable risk to take.
Facebook, Twitter, and Google use SSL certification. When you visit those sites you will see a padlock next to the URL. If you click on the padlock, you will see the owner of the site and will know that ownership has been verified.
Some phishing websites have obtained SSL Certificates – How is this possible?
Unfortunately, it is possible to obtain a SSL Certificate for a phishing website and to operate that website for a short period of time. Many certificate authorities do not have a particularly strict vetting process. There have recently been a number of banking websites set up that use the certificates even though the sites are not genuine.
One recent scam involved the Halifax Bank in the UK. A phishing website was set up using a variation of the real website which is halifax-online.co.uk. The phishing site in question was halifaxonline-uk (do not visit this website). A very similar name, that would likely fool many account holders. Similar scams have been operated using variants of PayPal, and even Symantec has issued 30-day certificates to phishing websites.
The certificates are valid for long enough to allow a phishing campaign to be conducted. The phisher can then repeat the process with a different website, hosted with a different provider with a different SSL certificate.
Unfortunately, these certificates are one of the main ways of checking whether a website can be trusted. With a domain name that looks close enough to the real thing and an SSL Certificate and a padlock, many visitors will be fooled into thinking the website is genuine. When they enter in their login information, the data will be recorded by the site owner and can be used to login to the real website.
Some certificate authorities are better than others and can be trusted more, but unless they can all be trusted it makes a mockery of the SSL certificate. Unfortunately, all the SSL certificate does is confirm that the certificate owner owns the website, not that the particular website can be trusted.
Blocking access to websites without a valid SSL Certificate
A website with a valid SSL certificate means the website can be trusted more than a site without one. All employers should implement controls restricting access to websites that do not have a valid SSL Certificate, or at least configure settings to alert the user that they are about to connect to a website with an invalid certificate or without one entirely.
It is a simple process to block access to websites that do not have a valid SSL certificate. You can do this through your browser settings or you can modify the hosts file for instance. The former option would be fine for individuals or small businesses with just a few computers. It is not practical do this if you have 1,000 computers, run BYOD, or if your end users have multiple browsers installed.
Make your life easier by implementing a cost effective web filtering solution
By far the easiest solution to protect yourself and your network is to use a web filtering tool. There are many to choose from, but WebTitan from SpamTitan Technologies is one of the best and a highly cost effective solution for SMEs.
Since some disreputable sites have SSL certificates in place, it can be virtually impossible for end users to tell if they are safe or at risk. WebTitan offers the additional protection your business needs to ensure access to malicious websites is blocked, phishing scams are avoided and malware is not downloaded. Without a powerful web filter in place, blocking access to malicious websites will be an uphill battle, and it will only be a matter of time before your network is compromised.