Certificates and trust
Just having an SSL certificate, especially one that’s only domain validated (which shows no more than that the applicant controls the domain name), doesn’t make a site trustworthy. The domain itself could be a near-lookalike of a well-known one (e.g., micros0ft.com). Let’s Encrypt has reportedly issued over 14,000 certificates to domains that impersonate PayPal.
Some sites let users control subdomains (e.g., mydomain.example.com), and those users can obtain certificates for them. A certificate on such a subdomain can give the impression that the well-known parent site has approved it, yet the subdomain may redirect to a different domain on an independent server that the parent site has no control over.
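As an added example (not code from the original article), the following Python script shows how a defender could triage hostnames from a new-certificate feed for the two patterns just described: homoglyph or typo look-alikes such as micros0ft.com, and a brand name tucked into the subdomain of an unrelated registrable domain. The brand watch-list, the substitution tables and the sample hostnames are constructed for this example, and splitting the registrable domain at the second-to-last label is a simplifying assumption.

```python
# Added example (not from the original article): flag certificate hostnames that
# imitate a protected brand, as a defender watching new issuances might do.
PROTECTED_BRANDS = ["paypal", "microsoft"]          # constructed watch-list
# Substitutions commonly used in look-alike names ('0' for 'o', 'rn' for 'm').
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}
DIGRAPHS = {"rn": "m", "vv": "w"}

def normalize_label(label):
    """Collapse homoglyphs and hyphens: 'micros0ft' -> 'microsoft'."""
    s = label.lower().replace("-", "")
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return "".join(HOMOGLYPHS.get(c, c) for c in s)

def edit_distance(a, b):
    """Levenshtein distance, to catch one-letter typos such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_hostname(hostname, brands=PROTECTED_BRANDS):
    """Return (verdict, brand) for one hostname, e.g. a name from a CT log entry.
    Assumption: the registrable name is the second-to-last label (no public
    suffix list is consulted, so 'example.co.uk' would be mis-split)."""
    labels = hostname.lower().rstrip(".").split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize_label(registrable)
    for brand in brands:
        if registrable == brand:
            return "legitimate", brand          # the brand's own domain
    for brand in brands:
        if norm == brand or edit_distance(norm, brand) <= 1:
            return "lookalike", brand           # micros0ft.com, paypall.com
    for brand in brands:
        if any(brand in normalize_label(l) for l in labels[:-2]):
            return "brand-in-subdomain", brand  # paypal.com.secure.example.net
    return "unrelated", None

if __name__ == "__main__":
    # Constructed sample of names as they might appear in a new-certificate feed.
    for name in ["www.paypal.com", "micros0ft.com", "paypall.com",
                 "paypal.com.secure-login.example.net", "mydomain.example.com"]:
        print(name, *classify_hostname(name))
```

The verdicts are a triage aid, not proof of abuse: a flagged name still needs a human to look at the certificate's owner of record and where the site actually resolves.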
The most trustworthy SSL certificates are EV certificates. EV stands for “extended validation” and signifies that the CA has met certain standards for checking the applicant’s identity: it has checked and confirmed that the applying organization legally exists and is who it claims to be. Browsers generally indicate an EV certificate with a green symbol, such as a padlock.
Unfortunately, most people don’t recognize the nuances. If they see a padlock, they’re likely to assume the site is trustworthy. Since Let’s Encrypt doesn’t even require a payment method, its bar to obtaining a certificate is very low. It plans to check the Google Safe Browsing API for known phishing or malware sites, but that’s about the extent of its checking. There have been confirmed reports of malvertisers using its certificates. When certificates are free, it’s easy to set them up on throwaway domains.
We hope that in time, Internet users will better understand the difference between a secure site and a legitimate one. When the large majority of sites display a padlock in the address bar, browsers will need to make a clearer distinction among the levels of validation. Eventually they may warn users about sites whose certificates are only domain validated. If a browser did that today, though, it would have to issue a constant stream of warnings.
For the present, it’s a good habit to click on the padlock symbol of a secure site if there’s any doubt about it. The browser should give information about the site’s level of validation and its owner of record. Some browsers, though, will say nothing more than “This site is secure.”