Why Web Browser Padlocks Shouldn’t Be Trusted
2020-09-29 23:34

Rogue domain certificates have mostly been limited to bad actors obtaining what are called domain-validated certificates, available for free from services such as Let's Encrypt.

Domain-validation certificates are a bare-bones solution for securing communications between a web browser and a server using TLS encryption.

"Interestingly, we found 27 web sites that were using extended-validation certificates," according to John LaCour, founder and CTO of digital risk protection company PhishLabs.

Hackers behind the extended-validation certificates didn't acquire the certificates legitimately; rather, they hacked the sites that already had them, the report states.

Unsuspecting users might think they're communicating with trustworthy sites because the identity of the site has been validated by a certificate authority, without realizing that these are either hijacked extended- or domain-validated certificates.


News URL

https://threatpost.com/why-web-browser-padlocks-shouldnt-be-trusted/159659/