SECURITY TOPICS

Dangers of Domain-Validated SSL/TLS Certificates

SSL certificates do more than encrypt data, they also authenticate websites. This is an important and fundamental function because it builds trust. Website visitors see the SSL padlock or HTTPS and they believe that the site is genuine.

What is Domain Validation?

In the fight against fake sites, phishing and fraud, trustworthy SSL certificates are essential. This is why domain-validated certificates can be dangerous. Certificate Authorities (CAs) will issue a domain-validated certificate to anyone who is listed as the domain admin contact in the WHOIS record of a domain name. They just send an email to the contact email address and that’s it.

 

It is the lowest level of authentication used to validate SSL certificates. Higher levels include organizationally-validated and extended validation certificates which require more detailed checks.

 

What is Domain Validation?

SSL/TLS Authentication

Why Can They Be Dangerous?

The problem with domain validation is that internet criminals can easily get SSL certificates for phishing sites with misspellings of a legitimate domain name. For example, if they were targeting BankOne.com they could register bank1.com and, using a free webmail account, get a domain validated SSL certificate for that site.

When a regular visitor is tricked into visiting the phishing site, they see the comforting https, SSL padlock and don’t necessarily spot the misspelled address.

How To Spot A Domain-Validated Certificate

It is actually very difficult to tell if a certificate is domain validated. Therefore users are equally likely to trust your site as the cloned phishing site, and when they find their details have been stolen, may well blame you.

Practices vary from CA to CA on how exactly they verify website owners, but Extended Validation certificates are certain to have higher levels of authentication, and this is shown to your visitors by turning their address bar green (see examples from the most popular browsers below).

 

The Trusted Alternative

With fake sites using easily-obtained SSL certificates becoming so common, website owners can’t afford to take a risk with domain-validated certificates. Especially if the site asks for particularly sensitive or personal user information, where users will be more likely to look for extra reassurance.

Choosing a certificate from a reputable CA, such as Symantec, and selecting a high-assurance validation method, such as Extended Validation, delivers a more trustworthy alternative. And certainly that can be better for your business than the alternative.

For more information about SSL, from how it works to how to set up on your servers, download our interactive resource, SSL Explained, now.

Top 3 Website Security Myths Revealed

Learn the Facts


With the many falsehoods and myths surrounding website security, how do you sort through what’s true so you can choose the right protection to keep your business, website and customers secure?

READ 3 MYTHS REVEALED
Symantec Private Certification Authority Service

Symantec Private Certification Authority Service (Private CA)

Symantec Private CA is a cost effective solution to improve the security and management of private intranet certificates while adhering to corporate and industry compliance standards. Avoid expirations—instantly issue, manage, and track your private intranet certificates by leveraging the visibility and alerts offered by the Symantec Managed PKI for SSL console.

Continue Reading

What Is EV SSL?

What Is EV SSL?

Symantec SSL/TLS Certificates with Extended Validation (EV) provide solutions that allow companies and consumers to engage in communications and commerce online with confidence.

Continue Reading

Client Certificates vs. Server Certificates

Client Certificates vs. Server Certificates What’s the Difference?

Mention PKI or ‘Client Certificates’ to many people and it may well conjure up images of businesses busily protecting and completing their customers’ online transactions, yet such certificates are to be found throughout our daily lives, in any number of flavours; when we sign into a VPN; use a bank card at an ATM, or a card to gain access to a building; within Oyster public transport smart cards, used in central London.

Continue Reading

USE CASES

Symantec Website Security Solutions In The Real World

Intrusion and Threat Protection

SSL/TLS Installation Checker

LEARN MORE

Intrusion and Threat Protection

SSL/TLS Installation Checker

LEARN MORE

Encryption

The Emergence of Certificate Transparency

LEARN MORE

Encryption

How SSL/TLS Works

LEARN MORE

Join the Community

Join Security Discussions on Symantec Connect

SYMANTEC CONNECT

Follow Threat Intelligence on Twitter @Threatintel

SYMANTEC ON TWITTER

Watch Videos on the Symantec Website Security YouTube Channel

SYMANTEC ON YOUTUBE