Use EV Certificates to secure your Webmail and Login pages

Andy Gambles
Servertastic
Oct 17, 2015 · 3 min read

In recent years obtaining an SSL/TLS certificate has become much easier and much cheaper. At Servertastic we supply DV Certificates (Domain Validated) for just a few dollars. To obtain this type of certificate you just need to prove ownership of the domain. This is often done automatically via email or by uploading a file to the website.

DV Certificates and Phishing

When purchasing a DV Certificate there is no validation of the organisation behind the certificate. Certificate Authorities do have systems in place to flag orders that use high-risk keywords and contacts. But the ease of obtaining a DV Certificate makes them a target for fraudsters to use in phishing attacks. The fraudster can grab a cheap domain, request a DV Certificate and be up and running in less than 15 minutes.

The examples below show how Tesla Motors was the target of a phishing attack on their corporate webmail.

Figure: Tesla Motors Outlook Webmail (Genuine Webmail Login)
Figure: Tesla Motors Phishing (Phishing Webmail Login)

Looking at the screenshots, you can see that the genuine login uses the subdomain xmail.teslamotors.com and is secured by a non-EV certificate. The Chrome browser shows a green padlock in the address bar, indicating that the connection is secure.

The phishing site is using the domain xmail-teslamotors.com. At a quick glance the two look similar. This site is secured using a DV Certificate. All the domain owner had to do was prove they own the domain via automated methods. This allowed them to also show a green padlock in the address bar. The increased prevalence of DV Certificates has led to security apathy. The visitor sees the padlock and believes it is a genuine site.
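A defender-side check for the lookalike pattern described above, as an added example that is not part of the original article: it flags hostnames (for instance from proxy or DNS logs) that resemble a domain you own but sit under a different registered domain. The `PROTECTED` set, the constructed sample hostnames and all function names are assumptions for illustration.

```python
import re

# Assumption: domains you legitimately operate (taken from the article's example).
PROTECTED = {"teslamotors.com"}

# Constructed sample input, standing in for hostnames seen in proxy or DNS logs.
SAMPLE_HOSTS = [
    "xmail.teslamotors.com",
    "xmail-teslamotors.com",
    "teslamotors.com.login.example.net",
    "www.example.org",
]

def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: no multi-label suffixes such as co.uk; a real deployment
    would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def squash(name):
    """Drop dots, hyphens and other separators so that
    'xmail-teslamotors.com' and 'xmail.teslamotors.com' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def classify(host, protected=PROTECTED):
    """Return 'genuine', 'lookalike' or 'unrelated' for one hostname."""
    reg = registrable(host)
    if reg in protected:
        return "genuine"            # really under a domain we own
    flat = squash(host)
    for domain in protected:
        brand = domain.split(".")[0]
        # Either the whole protected domain is embedded in the hostname,
        # or the brand label appears inside someone else's registered domain.
        if squash(domain) in flat or brand in squash(reg):
            return "lookalike"
    return "unrelated"

def flag_lookalikes(hosts, protected=PROTECTED):
    """Return only the hostnames that imitate a protected domain."""
    return [h for h in hosts if classify(h, protected) == "lookalike"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40s} {classify(h)}")
```

Both hosts in the article carry a valid certificate and a padlock, so the certificate alone does not separate them; the registered domain does.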

Going Beyond Encryption

In these scenarios it is important to consider that it is not just about encryption. Identity plays a key role as well. The site needs to prove its identity to the visitor so they have greater confidence when logging in. The best way to achieve this is with an EV Certificate. With an EV Certificate the browser also shows the identity of the site owner in green next to the URL.

Figure: Servertastic Login with EV Certificate

As you can see in the above example using Chrome, when you log in to your account with Servertastic we show identity information to the user. This ensures the user is confident they are logging in to the correct website.

Using an EV Certificate on your own webmail provides identity assurance to your users. If your users ever end up on a phishing site, the lack of identity will be a significant indicator that all is not well.
