“Just because something is secure doesn’t mean it is necessarily safe.” - Casey Crane
The S in HTTPS doesn’t always mean safe. In this episode, I talk with Casey Crane about trust and encryption. We discuss many practical ways for you to avoid being the victim of a scam. Prevention and knowledge can stop many attacks before they even begin.
Casey Crane is a cybersecurity writer for Hashed Out at The SSL Store. Casey is a regular contributor to Hashed Out with 10+ years of experience in journalism and writing, including crime analysis and IT security. She also serves as a Content Marketer at The SSL Store. She has bachelor’s and master’s degrees in mass communications (in journalism and media studies) from the University of South Florida and USF St. Petersburg. Casey is passionate about data privacy and wants to educate others about encryption because it plays such an integral role in our daily lives (even though many people don’t know it!).
We talk about trust and encryption and best practices for protecting you, your family, and your business. We specifically discuss what you need to look for before clicking on a link or downloading anything. We talk about the different types of SSL certificates and how to figure out which one would be the best fit for your website. This episode will help you figure out whether you need an SSL certificate and where to find reputable, trusted sources that can help.
“Criminals want to make this as easy as possible for themselves to save time and make the most profit or achieve their agenda most quickly” - Casey Crane
- [00:35] – Casey works at the SSL Store as a content writer for the website and Hashed Out.
- [01:17] – She wrote her master’s thesis on the relationship between serial killers and the media in terms of how they are represented. She has always had a keen interest in learning more about crime and criminal elements, and it transitioned over time into the realm of technology and cybersecurity.
- [03:22] – What are HTTPS and SSL certificates?
- [04:15] – HTTPS is an encrypted communication channel between one party and another. Passwords and personal information are encrypted.
- [05:59] – Domain validated means that the person who requested the certificate gets an email. The email typically has a link or some files they need to upload to the web server, and that is about it. Organization validation and extended validation are two levels of validation above that.
- [07:29] – The Anti-Phishing Working Group reported that nearly three-quarters of phishing websites used an SSL or TLS certificate.
- [08:21] – There are Unicode domains, which pull from different languages, characters, numerals, and signs. Those are now being used in web domains.
- [09:25] – Criminals tend to go for the lowest-hanging fruit. They want to make this as easy as possible for themselves to save time and make the most profit or achieve their agenda most quickly.
- [09:50] – If you get an email, before you actually click on anything, check the header of the email and see who it is coming from. Check that the email address and the name match. Often the address is off by just one letter or digit.
- [12:59] – Scams often create some sort of feeling of urgency, curiosity, fear, or concern so people are motivated to want to answer that email quickly by clicking on the link or calling a provided number.
- [14:25] – From a website owner’s or admin’s perspective, it is about knowing which certificate you should be putting on your site.
- [15:02] – If you are collecting any financial information you should be using an OV certificate at minimum.
- [16:48] – In countries where the internet service is less reputable or you are concerned about your government snooping on what you’re doing, having the encrypted communication channel between you and the website prevents the content that is going back and forth from being seen.
- [17:57] – Sometimes an issue that people tend to run into is that they just forget to check their certificates.
- [20:40] – The shorter the validity period of a certificate, the more secure it is, because there would be less time for a cybercriminal to crack the encryption.
- [22:14] – The current standard validity period is 2 years for public certificates. It is continually changing and will keep changing.
- [23:16] – Certificate managers are programs that can help you manage the certificate and the life cycle of the certificate. There are different programs based on your preferences and needs.
- [24:56] – When you are able to keep your certificates valid you are avoiding issues and downtime.
- [27:09] – The actual encryption from certificate to certificate is the same. It is still the standard encryption that is provided. It is just the extra features that vary per certificate.
- [28:45] – Where can people go to get an SSL certificate? What should they be looking at to decide what is right for them?
- [29:36] – Find a reputable source and then figure out what level of validation you need for a certificate. Then you need to choose the functionality of the certificate.
- [30:57] – You want to make sure to choose a warranty as well.
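The checks summarized at [08:21] and [09:50] (a sender domain that is one character off, or that hides a look-alike Unicode character) can be automated. The script below is an added example for these notes, not code from the episode or from The SSL Store, and it uses only the Python standard library. The trusted-domain list, the known-contact map and the sample From: header values are constructed for the illustration; a real deployment would draw them from the organization’s own address book.

```python
"""Flag look-alike sender domains in e-mail From: headers (added example).

Constructed inputs: TRUSTED_DOMAINS, KNOWN_CONTACTS and SAMPLE_HEADERS are
made up for this illustration; they are not from the episode or The SSL Store.
Standard library only.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: domains the recipient genuinely corresponds with.
TRUSTED_DOMAINS = {"apple.com", "example-corp.com"}

# Constructed: display name (lower-cased) -> the address that person really uses.
KNOWN_CONTACTS = {"pat assistant": "pat@example-corp.com"}

# Constructed From: header values covering the tricks discussed in the episode.
SAMPLE_HEADERS = [
    "Pat Assistant <pat@example-corp.com>",       # genuine
    "Pat Assistant <pat@exampIe-corp.com>",       # capital I where an l belongs
    "Apple Support <support@xn--pple-43d.com>",   # punycode of аpple.com (Cyrillic а, U+0430)
    "Apple Support <support@\u0430pple.com>",     # same domain, raw Unicode in the header
    "IT Helpdesk <help@example-corp.co>",         # TLD one character short
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-character swap is what most look-alike domains rely on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_sender(from_header: str):
    """Return (display name, address, domain) with the domain in Unicode form.

    SMTP carries internationalised domains as punycode (xn--...), which hides
    a Cyrillic 'а' inside an otherwise Latin name; decoding makes it visible.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode (raw IDN in the header) or not decodable; keep as is
    return name.strip(), addr, domain


def scripts_in(text: str) -> set:
    """Unicode script names of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def assess(from_header: str) -> list:
    """Reasons the sender looks suspicious; an empty list means nothing was found."""
    name, addr, domain = parse_sender(from_header)
    if not domain:
        return ["address could not be parsed"]
    reasons = []
    if domain not in TRUSTED_DOMAINS:
        if any(ord(ch) > 127 for ch in domain):
            reasons.append(f"internationalised domain {domain!r}")
        if len(scripts_in(domain)) > 1:
            reasons.append("domain mixes scripts (e.g. Cyrillic among Latin)")
        near = sorted(t for t in TRUSTED_DOMAINS if levenshtein(domain, t) <= 2)
        if near:
            reasons.append(f"domain is within 2 edits of trusted {near[0]!r}")
    # The display name may be a real colleague's while the address is not (the
    # "assistant's email, one letter off" case): check the pair, not just the name.
    expected = KNOWN_CONTACTS.get(name.lower())
    if expected and addr != expected:
        reasons.append(f"display name belongs to {expected!r}, address is {addr!r}")
    return reasons


def scan(headers=SAMPLE_HEADERS) -> dict:
    """Assess each header; run as a script to print the findings."""
    return {h: assess(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in scan().items():
        print(header, "->", reasons or "ok")
```

The genuine header comes back clean; the other four are each flagged for at least one reason. The IDNA decode is the step that matters for the Unicode case: the punycode label `xn--pple-43d` looks harmless as ASCII, and only after decoding does the mixed-script check see a Cyrillic letter among Latin ones. The two-edit threshold is a chosen tuning value, not a standard.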
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Hashed Out
- SSL Store
- Email Security Best Practices Guide
- Certificate Management Checklist
Casey, can you give us a little background on who you are and what you do?
Sure. I work at The SSL Store, which is an SSL TLS Certificate provider and digital certificate provider for companies around the world. Essentially, what I do is I write content for the website and I also write content for Hashed Out, which is our industry publication. My background is in journalism, public relations, and marketing. I work in a variety of different industries, including higher education.
I got into cybersecurity within the past few years because I always had a love for technology and also for crime. As weird as that sounds, I've been passionate about trying to understand it and learning more about it. Obviously, not from a practitioner standpoint, but essentially I had written my master's thesis on the relationship between serial killers and the media in terms of how they're represented. How the media represents the relationship between the killers, law enforcement, and different entities within a particular case. I just always had a keen interest in learning more about crime and criminal elements. It just transitioned naturally over time into the realm of technology and cybersecurity as well.
I love hearing people's backgrounds and how they got to where they are. It's very seldom a very straight line—usually lots of curves at the last minute with me launching whatismyipaddress.com. That was 20 years ago. It was never planned as being a business. I never planned on starting a podcast, but this is just where life led me.
Having dealt with so many people who’ve been victims of cybercrimes, wanting to provide them with education on how to prevent that from happening in the future, or prevent that from happening to their friends and family is what really brought me to the podcast, and wanting to talk to people like you so that people can be educated and hopefully reduce significantly the opportunity for them to be a victim of a criminal. We don't want anyone to become criminals here.
Exactly. No practitioners here.
No practitioners. I know it used to be the case that people are going online and you got an email. You weren't sure if it's from your bank or not. The general practice was if it's an S, then it's secured. S means safe. You click it, there's this nice green bar at the top of the screen and everything is good and happy. That's what people are used to thinking.
We know that over the last year, it's gone from saying secure to not secure, to a green bar, no green bar, a red x, no red x, a padlock, no padlock. Who knows where it's going to be a couple of months from now. I suppose it's probably important for us to talk about what is HTTPS, what is an SSL certificate in layman's terms so that we don't all have to be computer science graduates.
Sure, absolutely. In the most basic sense, HTTP is essentially a hypertext transfer protocol, so it's how information transfers between different parties. For example, if I'm on a website and I type in apple.com and I go to Apple, that connection between my browser—what’s known as the client—and the webserver, where the website is hosted, essentially that connection is not secure.
Over time, from the time that HTTP came out—that was back in 1990, I believe—it morphed where we developed HTTPS, which is the secure version of it. I say “secure” in the sense that it's an encrypted communication channel between one party to another. When you have an SSL or TLS certificate, for example, what you're doing is you're enabling that website to have that secure connection, which is great because that means that any information that you're transferring between your keyboard and your browser to the server essentially is encrypted.
By that, you mean important things like credit cards, passwords.
Exactly. Personal information. Anything that you don't want in the hands of cybercriminals. Essentially, it's great, but the problem is, just because it's secure in the sense of being encrypted doesn't actually mean it's necessarily safe. The reason that I say that is you can have somebody get a domain-validated free certificate, which sounds great, and put it on their website. But because it's the lowest level of validation, that means that nobody is actually checking to make sure that the organization itself is who they claim to be. I could create a website, chuck a DV certificate on there and call it a day. Whether or not it's a real site or not, that's the question.
Someone could create a bankofamerica.com with an L instead of an I, or an I instead of an L, or a common misspelling. If I'm not an observant user, the person who's running the site can just go out and get a certificate, which basically says yes, the person who requested the certificate is the person who is running the site, but not that it's a legal entity or anything of that nature.
Exactly. So domain-validated essentially means that the person who requests a certificate gets an email and that email might have a link or it might have some files that they would have to upload to that web server and that's really about it.
There are two levels of validation above it, which are organization validation and extended validation. I know there's a lot of back-and-forth in the industry about the value of extended validation versus organization validation. Basically, what it does is it helps to validate that the organization is who it says it is because they have to go through a series of checks and balances. The issuing CA, or what's known as a Certificate Authority, actually has to essentially do a background check on the organization requesting a certificate for both the OV certificates and the EV. It's just that the EV ones require additional background information.
Got you. So it's more complex than just sending out an email and getting a response back. There's some additional documentation proving that the person who's requesting the certificate actually works for the entity as a legal representative of them. That sort of stuff?
Exactly. It takes several days to get an OV or an EV certificate. With a DV, which is that minimal level, you can get a certificate within a few minutes. One issue that we've run into within the industry, as an SSL or TLS certificate provider, is that we've seen a rise in phishing sites.
The Anti-Phishing Working Group (APWG) reported essentially in their Q4 report that nearly three-quarters of websites that were phishing websites used an SSL or TLS certificate.
That's really important to know. That old rule of thumb that if it has an S, it's safe and secure really doesn't apply anymore.
Right. There are other things that you need to be able to do as a web user to stay safe. Part of that is actually just knowing how to read the browser. For example, if you're searching Google, you're looking at stuff, you want to pull up a website, and it looks like it says apple.com, it may not actually be apple.com.
You have issues. There's something called Unicode. There are Unicode domains which basically pull from different languages, all these different characters, numerals, and signs. Those are now being used in web domains.
It used to be only ASCII characters, which were based on the English language, US English characters, numbers, symbols and all that. You could use Cyrillic language, for example, as part of Unicode and come up with a domain that looks just like apple.com.
They had sub-characters in their language that look very similar to an L, or maybe exactly the same as an L. But because it's not technically an L, it's a different domain name and a different website.
Right. Thankfully, those are more few and far between than traditional phishing sites, which would just be switching out the L in apple for an I, or switching it out or something else, like number one.
There are ways that people go around it, but realistically, criminals tend to go for the lowest hanging fruit. They want to make this as easy as possible for themselves to save time, make the most profit, or achieve whatever agenda they might have most quickly.
Usually, it's just swapping out a character here and there. For example, if you are checking your email and you get an email from what looks to be your boss, what you'd want to do is before you ever click on anything, check the actual header information within the email. See who the email is coming from. It may list their name, but the email may not match and the email may be off by just one letter or one digit if there's a number in the URL or the domain.
We know that that happens. That actually happened with one of the hosts of Shark Tank. Her bookkeeper got an email that looked like it came from Barbara's assistant, but it was just one letter that was different in the domain name or the email address, and so the bookkeeper went ahead and wired several hundred thousand dollars to the scammer.
Unfortunately, yeah, and she's not the only one. This has happened to big companies and organizations. There are different forms of phishing. I won't get into all the different types, but Google and Facebook, for example. They were taken for more than $100 million between the two of them. A couple of years ago, somebody was impersonating a vendor that they worked with and essentially there were invoices sent back and forth that they paid. They had these wire transfers and it was somebody in another country that had nothing to do with the vendor that they were pretending to be. These are definitely areas of concern for anybody, both as a consumer and as a business owner or manager within an organization, that kind of thing.
Another recent example—timely—is the coronavirus. Johns Hopkins University had a website that a phisher decided to scam. They created this fake website. I'm not going to give you the URL because actually somebody is probably going to type it in. But essentially what ended up happening is they created this fake site for people to go to, trying to find out where's the spread of the virus, what countries has it hit, how many people are affected. What ended up happening is a piece of malware, a Trojan, was actually downloaded from this website onto the computers of unsuspecting users.
Yeah, it really is. I know the Health Sector Cybersecurity Coordination Center, they had put out a report saying beware of any sort of phishing site that's trying to essentially pretend to be a coronavirus tracker.
I probably get a half a dozen emails that are getting through the spam filter every day now saying click here for coronavirus news. Click here to log into your health provider to schedule your coronavirus test. Or click here for important information about locking down your city. Click here. All these things that people want to be aware of are really all these very emotional, stressful, urgent sorts of situations going on that the scammers are really just trying to take advantage of.
You hit the head on the nail there in that essentially it's all about urgency. It's creating some sort of feeling of urgency or curiosity or concern where people are motivated to want to answer that email quickly, or to click on the link, or to call a specific number that's provided. It's essentially just creating that feeling of fear or urgency to get someone to do something. That's the tactic that a lot of cybercriminals will use in addition to social engineering and other tactics as well.
I know, definitely over time, the cost of SSL certificates has come down significantly. A long time ago, I remember buying SSL certificates, and I think they were $300-$400 a year for the least amount of validation there was. I don't think anyone did domain validation at the time, but it's come down to very small numbers, which makes it easy for the scammers to get the certificates.
You've got platforms like Let's Encrypt which create free SSL certificates, which is good for the technical cases where that works. But unfortunately, when something becomes free, you've eliminated a barrier to entry. You've limited the scale barrier and now I can get a thousand certificates on a thousand domain names that are all set up to scam people, and I don't have to lay out a dime, which is kind of one of those scary things about when prices go down.
Exactly. From a website owner perspective, it's just knowing which certificate you should also be putting on your site. When is a DV certificate applicable versus an OV or an EV certificate? If you're running a blog where you're not collecting information, handling information, doing transactions, anything like that, you can get away with a DV certificate. If you're collecting personal information, credit card information, doing anything financial, any sort of PII or financial info that you don't want out there, that's when you should be using an OV certificate as a minimum.
I know there used to be kind of this mindset of, “It's just my personal blog. Why do I even need an SSL certificate if I'm not collecting usernames, passwords, and credit cards? Why even have an SSL certificate?” Is there a reason for people to have an SSL certificate even if they're not collecting personal information?
Absolutely. It's changed over the past few years. You never used to have one or were required to have one. But now Google essentially will penalize websites that don't have a certificate because they are viewed as being insecure. That's why if you type in any URL and that little padlock doesn't come up, it might say not secure on there.
Essentially, Google is going, “You don't want to be here.” It's going to post up one of those really ugly warning signs. It's going to drive users away from your site. You have every reason to want to put that on there.
Another benefit that's been tossed around in recent years is the advantage of what they refer to as SEO or Search Engine Optimization. So as part of Google's algorithm to essentially weigh the value of your site and deem whether it's a reputable, authoritative site, is checking to see whether there is, in fact, a certificate that's assigned to that site and is valid.
I've read several instances in news stories over the years of some small boutique Internet service providers that, when people using their service would visit a site that wasn't secure, the Internet service provider would actually change the content of the website. They would remove the website’s ads and insert their own ads, where they would be making money off of people visiting the site.
I know for people in countries where maybe the Internet service providers are less reputable or you are concerned about your government snooping on what you're doing, having that encrypted communication channel between you and the website prevents, not the fact that you were visiting the website from being seen, but at least the content of what's going back and forth between the website that's secure, and people aren't adding payloads into that unless the server’s been hacked. But we won't talk about that.
That's a whole ‘nother ball of wax. But yeah, it does help to prevent those man-in-the-middle attacks and eavesdropping attacks.
And to me, those are, like you talked about, the low-hanging fruit. Well, okay, there are plugins for browsers that will check to see if the website actually supports SSL and give you the secure version of the site as opposed to the insecure one, if the site operates and supports both.
There are some tools out there that actually help to make sure that we're at least a little bit safer wherever we can be because sometimes things aren't configured quite correctly and those little things help out.
Absolutely. Sometimes an issue that people will run into is they just forget to check their certificates. They aren't properly managing them or they're trying to use manual methods, like an Excel spreadsheet to manage a few hundred certificates. It's just not ideal. It's not optimal. What's going to happen is that site is going to become invalid and expire, and that site is going to be marked as not secure. It's going to drive everybody away. You're just going to run into a lot of different issues, both in the admin sense and from the user sense.
Yeah. I've definitely seen those scenarios where the SSL certificate has expired. You go to the site, you get this big red notice from Google or whichever browser you're using that basically says this site isn't secure. Are you really, really sure that you want to do it? And you're kind of like, “Really? It's not a good idea. Are you really sure?”
Depending on your settings, you can occasionally get through it. Sometimes, if you're in an office building where your IT department is more concerned about security, they'll actually prevent you from getting to sites like that where the certs have expired.
Absolutely. That's kudos and hats off to the IT admins who make that happen. Unfortunately, not all companies do that, though. If you have employees who are on their lunch break, decide to surf the web and check things out, that could obviously lead to a lot of potential security issues for organizations.
Yeah, and I know, even from having been in administration, those things you said: it can be very difficult to remember, “When did we renew the certificate? When is it supposed to be renewed? We actually physically migrated it to a different box, so it’s out of sequence, we had to get a new certificate issued.” It really can be difficult to manage all those things if you have more than one website.
Exactly. It's also—I’m sure you've probably seen or heard about this issue from other guests on your show—is the concern about Shadow IT certificates. Somebody else might have installed it or somebody installed it and then they forgot it or didn't write it down, and there was this certificate that nobody's tracking.
Yup. Then you occasionally see the concerns of that. I think the Safari browser is now starting to be concerned about certificates that are valid for really long periods of time. The thought for a while was we know renewal is difficult. So let's make this certificate valid for 10 years. Now Safari, and I assume Chrome, will probably fall in line as well, that if someone hasn't touched this in five, six, seven years, are we really sure that this is what it is supposed to be? Maybe we should shorten up these dates. What's the reasoning behind that?
Essentially, the idea is the shorter that the validation is for a certificate, the more secure it is because it would be less time for a cybercriminal to be able to crack the encryption that's involved. Essentially, SSL certificates or TLS—we just use the terms interchangeably within the industry; it’s technically a TLS certificate, though—use public-key encryption. There's a public key, there's a private key. They're used to essentially work together, though they're mathematically different keys.
What they do is they help to create an encrypted environment where you can transfer that data back and forth. What the issue is if somebody had the right computer technology, or they were somehow able to find the exact combination of bytes to break this, they could eventually crack the encryption. That's the concern. With the current encryption standards, it would take millions and millions and millions of years realistically to do that. The concerns would be with the upcoming quantum computing and post-quantum cryptography not yet being available. Those are the concerns for a lot of people.
Apple is going, we want to shorten this lifespan to a little bit more than a year, essentially. I don't remember the exact number of days, but it's essentially a year and the renewal period. That's what it boils down to. The current standard for validation—it’s two years for public certificates. It was three years. It previously was five years. It's continually changing. I'm anticipating that it's going to keep changing. We've seen the writing on the wall. We knew this was coming, but it's a matter of how quickly and to what extent that validity period will be shortened.
I suppose as that time period shortens down, the need for management tools comes into play because I can't be having a feeler on my calendar every first day of the month, I've got to go out and do this process to renew a certificate—that just becomes incredibly onerous. Imagine if I've got 100 sites I'm doing three of those a day, every day of the month, every day of the year. That could just be crazy. Are there tools out there that help people to manage larger volumes of certificates in this renewal process?
There are certificate managers. These are basically programs that you can use to help you manage certificates and manage the lifecycle of a certificate. You can renew certificates. You could discover what certificates you have within your environment. Those sorts of tools can help you do that. There are a variety of different tools out there. With our company, we do sell one, but it's just a matter of what your preferences are, of course, and what your needs are. There are different levels, of course.
I would definitely recommend not using manual methods like an Excel spreadsheet to try to manage these. I believe it was Keyfactor. They just did a study or released a report that was talking about the number of certificates that a lot of enterprises believe that they have. I say believe because they're not even certain how many certificates they have.
I could be wrong. I want to say it was 30%-something said that they had 10,000 or more certificates. So you're talking a significant number. Even if you wanted to put a notification on your calendar once a month, they're all going to have different expiry dates.
That looks like a full-time job just renewing certificates, if not longer. It's not multiple people.
Exactly. That's when a certificate manager would really come in handy.
And that reduces the amount of time and effort that it takes to regenerate keys and—I forget the technical lingo—to make sure that you're actually doing both ends of the process.
Absolutely. Another benefit too, is that, when you're able to keep your certificates valid and you're not having to deal with expired certificates, you're helping to ideally avoid downtime with your site. You're helping to avoid any issues that could come from that, including potential financial penalties.
I've definitely run across that where there was a site of mine that I was running. I'm not sure why at the time I got an SSL certificate for it. It wasn't collecting any information, but maybe it's a sign of that best practice mindset of “That's a good thing to do.” Certificates are relatively inexpensive compared to what the site was doing. It wasn't a site that I was updating or really doing anything content-wise.
At some point, someone emailed me and said the certificate for your site expired a month ago. I go back and look at my analytics and, lo and behold, traffic has dried up. It wasn't getting any more traffic from search anymore because it was one of those things that I probably got the email saying, “Don't forget your certificate is renewing or needs to be renewed.” I went, “Okay, I'm sure I'll remember that.” I didn't do it. And, lo and behold, the site…
Exactly. That's an unfortunate issue that a lot of people run into. Our customer experience team is always trying to help people. With our company, for example, we sell the certificates. We send out notifications ahead of time saying your certificate is expiring. You still haven't done it. You've got to renew your certificate. We'll just keep reminding them. Ultimately, it's down to the individual to do it and that's where that certificate manager just really shines.
I know that I've gotten different entities to call me as certificates are getting close to expiration. Sometimes it's the issuer saying we're calling just to let you know it's expiring tomorrow. Are you sure? Other times, unfortunately, it's competitors of theirs calling, saying, “We notice that you haven't renewed. If you switch with us….” And then they go on to lie about, your security will be better if you use our certificate. They make up some mumbo-jumbo or say, “Our certificates are more trusted by Google.”
That's actually something people don't oftentimes realize is the actual encryption from certificate to certificate is the same. It's still the standard encryption that's provided. It's just the additional benefits that you get or the additional features that you get that vary from each certificate.
Yeah, I remember that. It was just so funny because my thought process, as soon as the guy said our certificates have better encryption, I'm like, “Okay. I'm never going to use your company, I'm never going to ever recommend anyone use your company because you're just flat out lying to me.” If the salesperson is lying to me, what other places are they cutting corners on the backend? Are they not maintaining their database securely? Are they not keeping everything else secure? What other things are they not doing? Which was incredibly concerning to me at the time.
Absolutely. Well, the good thing is, at least you're a knowledgeable user. You were able to identify essentially the BS. Not a lot of people can.
Yeah, and most people that are doing mom-and-pop sites are not. Luckily, I have a background in IT and have been working in IT for many years. Any time anyone has tried to talk technically, or someone from an IT perspective has called, one of my bosses who is not an IT person just assumes that everything that's being told to them is legitimate and correct. It could be concerning at times.
If people want to know, they'll be convinced that, “Oh, my gosh, my blog is not secure. I want to secure my blog.” Where can they go to get an SSL certificate? What should they be looking at in making that decision of what's right for them?
Sure. They can choose from a variety of different options. They can go to a certificate authority itself. There is Sectigo, which is formerly Comodo CA. You have DigiCert, which transitioned from Symantec. You've got Entrust. You've got GoDaddy. There are a lot of different companies out there. With my company, The SSL Store, we work with several of the major certificate authorities. We work with Sectigo. We work with DigiCert. We work with a lot of different organizations. We also sell their sub-brands. You've got Positive SSL. You've got Instant SSL, Essential SSL, things like that.
You've got essentially what you would consider different tiers of certificates. What you would want to do is you want to find a reputable source, whether it's the CA or a reseller, somebody that you would feel comfortable working with, somebody you can trust. Then, what you want to do is figure out, “What level of validation do I need for a certificate? Do I need the domain validated because I'm not handling anything sensitive or anything of concern?”
If something were to fall through the cracks, in a sense of like a man-in-the-middle attack, it's nothing that you'd have to worry about being out there. That could be just a DV certificate. We might want to go with the OV because yeah, you're working with some personally sensitive information or financial information. Same with the extended validation, which is the even higher level of validation. Once you decide what level of validation you need, you also need to choose essentially the functionality of the certificate.
You can have a certificate for single domains, for multiple domains, and there are wildcards. Then you could also have it for just wildcards, which would be the subdomains on a single level. Depending on what it is that you're looking for, you would pick that validation level. You pick the functionality of the certificate. You want to also choose a particular brand and you want to choose the warranty because these certificates actually do come with a warranty as well. It's just all these different factors together help you to determine which certificate you might want to buy.
That's great. That's really helpful information. I think it gives people enough to at least start their journey and get their foot in the door, and figure out what direction they need to go, and figure out what's right for them. If people want to find out more about you, how do they get to The SSL Store?
We're actually on social media and we have our website. For our website, it's thesslstore.com. For our blog, which is Hashed Out, it's thesslstore.com/blog, the blog. They can follow us there. They can subscribe to our blog, and furthermore, we actually have some industry resources that might be useful to people so they can download our complimentary Email Security Best Practices Guide.
There's also a certificate management checklist that we have on there as well. If people are wanting to know, “Where do I really stand with regard to certificate management, am I checking all the boxes?” We literally have the checklist for you.