The beauty of the golden lock icon has been that it simplified complex security concepts into a single symbol that non-technical users could understand and trust. Phishing scams designed to prompt security warnings raise the stakes, requiring users to understand what the browser warning is telling them, and how they should respond. Upcoming SSL-related interface changes in Internet Explorer 7 and other browser updates make a good start toward providing users with clearer information. But as we noted earlier this year, many banks are shifting their online banking logins to the unencrypted home pages of their websites, further muddling the issue of training customers to trust only SSL-enabled sites. The non-SSL presentation of these bank logins is already being incorporated into spoof pages.
As we noted earlier, phishing sites have incorporated SSL into their scams since late 2004. Some examples:
- Attacks in which SSL certificates are purchased for “sound-alike” domains, allowing sites spoofing major institutions to sport a locked icon. An example is a phishing attack from last October using the domain visa-secure.com.
- Phishes using cross-site scripting to insert content into poorly-coded financial web sites, enabling attacks to be delivered over SSL with the attacker’s code being served as part of a URL from the bona fide bank’s own secure server.
- Frame injection attacks that insert spoofed content into bank web sites, which also run under https with a secure lock icon.
- Browser security holes, such as the Firefox spoofing flaw from last July, which allowed a malicious website to use another site’s SSL certificate to present a secure spoofed page with a “locked” icon.
Do Internet users pay attention to browser warnings alerting them to problems with a site’s SSL certificate? The question got an unintended field test earlier this year when New Zealand’s BankDirect accidentally allowed a certificate to expire. The mistake was fixed within 12 hours, during which about 300 customers were presented with a security alert when they visited the bank’s website. Server logs show that all but one of the 300 users dismissed the warning and logged in as usual.
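Two of the problems above lend themselves to routine monitoring on the defender's side: certificates issued for "sound-alike" domains that embed a protected brand, and certificates that have expired or are about to (the BankDirect incident). The following Python script is an added example, not code from the original post or from any of the institutions named; it reproduces the name-matching and validity checks a browser performs, adds a naive brand-lookalike check, and runs them over a constructed set of observed hostnames and certificate fields. The brand watch list, the allow-list of legitimate domains, the `.example` hostnames and the dates are all invented for the illustration, and the registrable-domain logic assumes a two-label public suffix.

```python
"""Added example: flag certificate/hostname observations that warrant a closer look.

All sample data below is constructed; the brand list and allow-list are hypothetical.
"""
from datetime import datetime, timedelta

# Hypothetical watch list of brand names and the domains legitimately allowed to use them.
PROTECTED_BRANDS = ("visa", "bankdirect")
ALLOWED_DOMAINS = {"visa.example", "bankdirect.example"}


def hostname_matches(hostname, cert_names):
    """True if hostname equals a CN/SAN entry; a '*.' wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def cert_status(now, not_before, not_after, warn_days=14):
    """Classify a certificate's validity window relative to `now`."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if now + timedelta(days=warn_days) > not_after:
        return "expiring-soon"
    return "valid"


def brand_lookalike(hostname, brands=PROTECTED_BRANDS, allowed=ALLOWED_DOMAINS):
    """Return the brand a domain imitates, or None if it is on the allow-list or unrelated.

    Uses a naive eTLD+1 (last two labels); real deployments need a public-suffix list.
    """
    registrable = ".".join(hostname.lower().split(".")[-2:])
    if registrable in allowed:
        return None
    for brand in brands:
        if brand in registrable:
            return brand
    return None


def assess(now, hostname, cert):
    """Collect findings for one observed (hostname, certificate) pair."""
    findings = []
    if not hostname_matches(hostname, cert["names"]):
        findings.append("name-mismatch")  # the case that triggers a browser warning
    status = cert_status(now, cert["not_before"], cert["not_after"])
    if status != "valid":
        findings.append(status)
    brand = brand_lookalike(hostname)
    if brand:
        findings.append(f"lookalike:{brand}")
    return findings


def scan(observations, now):
    """Run assess() over a list of (hostname, cert) pairs; returns {hostname: findings}."""
    return {host: assess(now, host, cert) for host, cert in observations}


# Constructed reference time and observations (not real certificate data).
NOW = datetime(2006, 3, 1)
SAMPLE_OBSERVATIONS = [
    # Sound-alike domain with a perfectly valid certificate: lock icon, still suspicious.
    ("visa-secure.example", {"names": ["visa-secure.example"],
                             "not_before": datetime(2005, 10, 1), "not_after": datetime(2006, 10, 1)}),
    # Legitimate bank host whose wildcard certificate lapsed yesterday.
    ("online.bankdirect.example", {"names": ["*.bankdirect.example"],
                                   "not_before": datetime(2005, 2, 28), "not_after": datetime(2006, 2, 28)}),
    # Legitimate host whose certificate expires within the warning window.
    ("secure.visa.example", {"names": ["secure.visa.example"],
                             "not_before": datetime(2005, 3, 10), "not_after": datetime(2006, 3, 10)}),
    # Deep subdomain served under someone else's wildcard: name mismatch, browser would warn.
    ("login.visa.example.attacker.example", {"names": ["*.attacker.example"],
                                             "not_before": datetime(2006, 1, 1), "not_after": datetime(2007, 1, 1)}),
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_OBSERVATIONS, NOW).items():
        print(f"{host:40s} {', '.join(findings) or 'ok'}")
```

The expiry check is the one that would have caught the BankDirect lapse before customers saw a warning; the lookalike check is deliberately crude and is meant as a trigger for human review, not a verdict.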
Those results, coupled with the growing number of phishing scams invoking SSL, should motivate certificate authorities and browser developers to redouble efforts to educate Internet users about certificates and SSL security warnings.