The number of lower-security SSL certificates is increasing at twice the rate of the more secure organisation-validated certificates - a situation some industry observers say could lead to increased online fraud.
Domain-validated certificates, a lower-assurance form of certificate that many Certification Authorities (CAs) have begun issuing relatively recently, are one of several emerging controversies affecting Internet security and e-commerce.
For example, security experts recently warned that support for International Domain Names (IDNs) could lead to the counterfeiting of legitimate websites, including the sites' SSL certificates, leading browser makers to modify the way they handle IDNs.
A quarter of the SSL certificates in use are now domain-validated, according to Netcraft, and over the last six months their numbers grew at twice the rate of organisation-validated certificates. Domain-validated certificates guarantee only that the party holding the certificate legitimately controls the domain name; they do not address whether any business operating out of the site is legitimate. The certificates cost less than high-assurance certificates but appear the same to users, usually causing browsers to display the familiar padlock.
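The distinction the article draws is visible in the certificate's subject: a domain-validated certificate typically names only the host (a commonName), while an organisation-validated one also carries an organizationName. The following is an added example, not code from the article or from Netcraft, that classifies a certificate on that basis using the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates are constructed, not real issuances.

```python
"""Classify a certificate as domain-validated (DV) or organisation-validated
(OV) from its subject, using the structure ssl.SSLSocket.getpeercert()
returns: a 'subject' tuple of RDNs, each a tuple of (attribute, value)
pairs. The sample certificates below are constructed for illustration."""


def subject_fields(cert: dict) -> dict:
    """Flatten a getpeercert()-style 'subject' into {attribute: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            fields.setdefault(attr, value)
    return fields


def validation_level(cert: dict) -> str:
    """Return 'OV' if the subject asserts an organisation, otherwise 'DV'.

    The presence of organizationName is the cue a browser UI can act on;
    it says nothing about how carefully the issuing CA checked that
    organisation, which is exactly the gap the article describes."""
    fields = subject_fields(cert)
    org = fields.get("organizationName", "")
    return "OV" if org.strip() else "DV"


def describe(cert: dict) -> str:
    """Human-readable one-line summary for a padlock tooltip or log line."""
    fields = subject_fields(cert)
    cn = fields.get("commonName", "<no commonName>")
    if validation_level(cert) == "OV":
        return f"{cn}: organisation-validated for '{fields['organizationName']}'"
    return f"{cn}: domain-validated only (no organisation asserted)"


# Constructed sample certificates (hypothetical names, not real CAs).
DV_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
}
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("stateOrProvinceName", "Greater London"),),
        (("localityName", "London"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "www.example-bank.com"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
}

if __name__ == "__main__":
    # For a live connection the same dict comes from
    # ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()
    for cert in (DV_CERT, OV_CERT):
        print(describe(cert))
```

A check like this is what the Opera and TrustBar behaviour mentioned later in the article amounts to: surfacing to the user whether anyone other than a domain holder has been identified. It cannot distinguish an honest organisation name from one a careless CA accepted without verification, which is the KPMG scenario.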
Some industry observers have long been concerned about the potential of lower-security certificates to mislead users. A 2002 study from KPMG argued such certificates "may give Internet users a false sense of security" and described scenarios in which scammers could use them to masquerade as an existing organisation or a non-existent company.
If a certification authority (CA) doesn't authenticate the organisation, a malicious individual could establish "a false level of trust... by associating the malicious individual's domain name with the name of an existing organisation," KPMG said in the study.
The rapid increase in the numbers of lower-assurance certificates means such scenarios are no longer hypothetical, according to Comodo, a New York-based CA specialising in high-security certificates. "An SSL certificate without an authenticated, validated entity is worthless," the company said in a statement on Friday.
Opera Software will begin notifying users of low-assurance certificates by default with its forthcoming Opera 8 browser. Support is growing for adding such functionality to other browsers - for example, the TrustBar extension for Mozilla browsers offers such information. Comodo offers similar functionality with its Verification Engine for Internet Explorer.
Browser makers recently altered the way they handle IDNs, after publicity over a website counterfeiting technique called a homograph attack. Homographs are different characters that appear identical; for example, Unicode's Cyrillic "a" and the ASCII "a" look the same to users.
This means a malicious user could use international characters to create a domain name appearing to be a trusted address, such as www.bank.com, security experts said. Homograph attacks have recently become practical with wider browser support for IDNs, industry observers said.
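The defensive response the article alludes to is to stop trusting the displayed form of a name and instead inspect what the browser will actually resolve. The following added example, not code from the article or from any browser vendor, does two things a practitioner would want from an IDN check: it converts a hostname to its Punycode (`xn--`) form, which is what the DNS sees, and it flags any label that mixes Unicode scripts, the signature of a Latin "bank" with a Cyrillic letter substituted. The script-of-character approximation (first word of the Unicode character name) and the sample hostnames are this example's own assumptions.

```python
"""Flag IDN homograph candidates by detecting mixed-script labels and
showing the Punycode form a browser will resolve. Sample hostnames are
constructed; the Cyrillic 'а' below is U+0430."""
import unicodedata


def script_of(ch: str):
    """Approximate a character's script from the first word of its Unicode
    name ('LATIN SMALL LETTER A' -> 'LATIN'). Digits, hyphen and dot are
    neutral and return None; characters without a name return 'UNKNOWN'."""
    if ch in "-." or ch.isdigit():
        return None
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scripts_in_label(label: str) -> set:
    """Set of scripts used by a single DNS label."""
    return {s for s in map(script_of, label) if s is not None}


def to_ascii(hostname: str) -> str:
    """Punycode (xn--) form of the hostname, via the stdlib 'idna' codec.
    Pure-ASCII names pass through unchanged."""
    return hostname.encode("idna").decode("ascii")


def analyse(hostname: str) -> dict:
    """Return display name, resolved ASCII name and a mixed-script verdict.

    A label drawing on more than one script (e.g. LATIN + CYRILLIC) is
    what makes 'bаnk' look like 'bank'; a label entirely in one non-Latin
    script is legitimate IDN use and is not flagged here."""
    labels = hostname.lower().split(".")
    mixed = [label for label in labels if len(scripts_in_label(label)) > 1]
    return {
        "display": hostname,
        "ascii": to_ascii(hostname),
        "non_ascii": any(ord(c) > 127 for c in hostname),
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


# Constructed samples: a genuine ASCII name, a homograph of it, and a
# single-script Cyrillic name that is legitimate IDN use.
SAMPLES = [
    "www.bank.com",
    "www.b\u0430nk.com",   # Cyrillic а in place of Latin a
    "www.\u0431\u0430\u043d\u043a.com",  # 'банк', all Cyrillic
]

if __name__ == "__main__":
    for host in SAMPLES:
        r = analyse(host)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['display']}  ->  {r['ascii']}  {r['mixed_script_labels']}")
```

The third sample shows the limit of a mixed-script rule: a label written entirely in one script is not flagged, so a whole-script confusable still needs the Punycode display (the approach browsers took at the time) or a confusable-skeleton comparison against known names, which this example does not implement.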