Protecting Website Visitors with EV Certificates

Extended Verification Certificates: Why Businesses & Governments Should Secure Public Websites

Ensure Your Website is GDPR Ready!

The Public Key Infrastructure (PKI) relies on a root chain of trust to secure connections and to prove that an endpoint web server is who it claims to be. Extended Verification (EV) Certificates are issued by a trusted public entity known as a Root Certificate Authority. Root Certificate Authorities are tasked with verifying that the entity whose public key they sign is authentic and really is the entity it claims to be. Typically the Certificate Authority will call the company ordering the certificate and perform other verification steps to ensure that the identity of the certificate requester is authentic and legitimate.

DigiCert is a popular certificate authority that has a strong reputation in the United States. DigiCert recently acquired the Certificate Authority business of Symantec that had historical lapses in the issuance of Certificates. Google Chrome has begun distrusting certificates issued by Geotrust, RapidSSL, Symantec, Equifax, Thawte, Verisign and others.

When you visit a website that is effectively using encryption to protect information being sent between the browser and the web server, you will notice a green padlock in your browser indicating that your traffic to and from the web server is secure.

Example of what a Secure Website Padlock Looks Like

Some think the only reason a website needs a strong green padlock is if visitors are using their credit card or conducting online banking. There are risks associated with not having your web server fully secured: users downloading web pages and other files from your website could be subjected to a packet injection attack.

What is a Packet Injection Attack

A packet injection attack adds code to the response, or redirects the user to a fake or alternate download site, interfering with the session. These types of attacks were recently profiled in reports detailing how the Government of Turkey has allegedly been spying on journalists and other targets. Users can be redirected to download alternate versions of software that compromise the surfer. This is detailed in a recent article in Forbes.

A web server that does not use a publicly signed certificate to secure web traffic is inviting all information transmitted between the web surfer and the web server to be intercepted, exfiltrated or morphed into malware that can infect the web surfer. The word needs to get out to the uneducated about the risks associated with relaxed security on public-facing web servers.

The European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25th, may pose additional liabilities to companies that fail to take reasonable security measures such as securing their public-facing web server. GDPR violations can lead to fines starting at 20 million Euros for organizations that fail to safeguard the privacy of European citizens as they surf the web, including U.S. websites.

Every business should spend the $500 or so it costs per year to secure their publicly facing web servers. Not doing so may lead a firm to become embroiled in regulatory inquiries and litigation. If a web surfer is compromised by a rogue attacker while surfing an unsecured website, there is a potential risk exposure to the operator of the website.

Hardware and software makers continue to lag in protecting their security patch downloads with encryption, leaving those firms the most likely to get ensnared in GDPR-related fines.

One example of a company that is opening itself up to packet injection attacks is the printer company Brother. Brother isn’t using a certificate to protect its customers from injection attacks when they visit its support website to download software and patches for their printer products. They are not alone! I detail others in a recent post.

Example of an Insecure Website Vulnerable to Injection Attacks

Brother’s download page for obtaining Drivers for a DCP L2520DW printer lacks any secure connection.

If you don’t see a green padlock next to the website address, but instead see a gray circle with an ‘i’ inside it, the site is INSECURE, and content downloaded from that website could cause a complete compromise of your computer by an attacker on your network or upstream. Corporate network security staff should consider blocking all sites that lack effective security. If this happens, companies that lag behind in adopting EV Certificates for their public-facing web servers may lose business. Google already penalizes insecure websites when determining which websites to feature on page one of keyword search results.

Websites like this make it easy for hackers to compromise their target by modifying legitimate download packages while in transit and swapping out the download for an alternate version that contains malware. Additionally, the Brother printer support website fails to provide a cryptographic hash fingerprint for the download package that would allow the end user to verify that the software wasn’t altered or swapped out while in transit. The same concept applies to web pages that offer no downloadable files at all: JavaScript can be injected into the end user’s browser by an attacker to compromise the web surfer and begin using their computer to mine digital currency or spy on the keystrokes of the end user.
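As an added illustration (not code from the original post), here are the two client-side checks that paragraph calls for: refusing a plain-HTTP download, and verifying a downloaded package against a published SHA-256 fingerprint. The package bytes and URLs are constructed samples.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

def is_https_url(url: str) -> bool:
    """True only for https:// URLs; a plain-http download can be rewritten by anyone on the path."""
    return urlparse(url).scheme == "https"

def fetch_over_tls(url: str, timeout: float = 30.0) -> bytes:
    """Download url with CA-chain and hostname verification enforced (needs network)."""
    if not is_https_url(url):
        raise ValueError(f"refusing insecure download URL: {url}")
    # create_default_context() loads the system trust store and checks the hostname,
    # which is what stops an injected or swapped package from arriving unnoticed.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()

def verify_sha256(data: bytes, published_hex: str) -> bool:
    """Compare the SHA-256 of the downloaded bytes with the vendor-published fingerprint."""
    actual = hashlib.sha256(data).hexdigest()
    # constant-time comparison; tolerates upper-case or whitespace-padded fingerprints
    return hmac.compare_digest(actual, published_hex.strip().lower())

if __name__ == "__main__":
    # Constructed stand-ins for a driver package and the fingerprint a support page would publish.
    package = b"constructed-driver-package-v1.0\n"
    published = hashlib.sha256(package).hexdigest()
    tampered = package.replace(b"v1.0", b"v1.0-injected")
    print("genuine package verifies :", verify_sha256(package, published))   # True
    print("tampered package verifies:", verify_sha256(tampered, published))  # False
    print("plain-http URL accepted  :", is_https_url("http://support.example.com/driver.exe"))  # False
```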

There simply is no excuse or reason why any company or organization should delay in implementing a secure Extended Verification Certificate on its business website. Call your web host today and ask them to get it done! The cost should be around $500 a year or less, and the time involved shouldn’t be more than an hour or two.

Action Steps Every Business Owner Should Take

  1. Check how secure your website is by verifying that you see a green padlock when using the Google Chrome or Firefox browser. If not, call your web host and ask them to install an Extended Verification Certificate issued by a reputable Certificate Authority such as DigiCert.
  2. Next, evaluate whether the web server has the certificate you purchased deployed effectively and isn’t using weak and vulnerable encryption ciphers: https://www.ssllabs.com/ssltest/analyze.html?d=haystackid.com&latest – Try my company’s domain, then try your domain!
  3. If you aren’t able to achieve an A+ by following these steps with your vendor, drop me a line.
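An added example to go with step 1, not code from the original post: a check of whether the certificate a site actually serves is EV, judged by the policy OIDs and the Subject organization in `openssl x509 -text` output. It assumes the openssl command-line tool is installed for the live lookup; the embedded certificate excerpts are constructed, and the OID set is a starting point since individual CAs also use their own legacy EV OIDs.

```python
import re
import subprocess

# Policy OIDs that mark an Extended Validation certificate. 2.23.140.1.1 is the
# CA/Browser Forum EV policy identifier; CAs also have legacy EV OIDs of their own,
# so treat this set as a starting point rather than an exhaustive list.
EV_POLICY_OIDS = {"2.23.140.1.1"}

def fetch_cert_text(host: str, port: int = 443) -> str:
    """Return `openssl x509 -text` output for the leaf certificate host serves (needs network)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()

def policy_oids(cert_text: str) -> set:
    """Collect the policy OIDs listed under 'X509v3 Certificate Policies'."""
    return set(re.findall(r"Policy:\s*(\d+(?:\.\d+)+)", cert_text))

def subject_org(cert_text: str):
    """Return the Subject's O= value, or None when the certificate names no organization."""
    m = re.search(r"Subject:.*?\bO\s*=\s*([^,\n]+)", cert_text)
    return m.group(1).strip() if m else None

def is_ev(cert_text: str) -> bool:
    """EV needs both an EV policy OID and a verified organization name in the Subject."""
    return bool(policy_oids(cert_text) & EV_POLICY_OIDS) and subject_org(cert_text) is not None

# Constructed excerpts of openssl output (not real certificates) for offline demonstration.
SAMPLE_EV = """\
        Subject: C = US, ST = Utah, O = Example Corp, CN = www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.1
                  CPS: https://example.invalid/CPS
"""
SAMPLE_DV = """\
        Subject: CN = www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

if __name__ == "__main__":
    for label, text in (("constructed EV", SAMPLE_EV), ("constructed DV", SAMPLE_DV)):
        print(f"{label}: policies={sorted(policy_oids(text))} org={subject_org(text)} EV={is_ev(text)}")
    # Live check of a real host: print(is_ev(fetch_cert_text("www.digicert.com")))
```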