TL;DR
Yes, a phishing website can use a valid HTTPS certificate, but only for a domain the attacker controls. Without taking over the legitimate domain, its DNS or its private key (or compromising a CA), an attacker cannot get a certificate that is valid for the real site's name. Your browser checks that the name in the certificate matches the host in the address bar, so the padlock only tells you the connection is encrypted, not that you are talking to the site you intended.
How Phishing Sites Use Certificates
- Obtaining a Certificate: Attackers rarely steal certificates, and a stolen certificate is useless without its private key. Instead, they get their own certificate from a Certificate Authority (CA) for a domain they control. Domain-validated certificates are free (for example from Let's Encrypt) and are issued automatically within minutes to whoever can prove control of the domain, so most phishing sites today have one.
- Certificate Cloning is Not Common: Copying the public certificate of a real site achieves nothing, because the attacker cannot complete the TLS handshake without the matching private key. Getting a working certificate for someone else's domain requires a compromised or misbehaving CA, a hijack of the domain or its DNS, or a stolen private key. All of these have happened, but they are rare, and a new certificate for the attacker's own domain is far easier.
- Using the Certificate: The attacker installs the certificate and its private key on the phishing server, enabling HTTPS for the fake site. The browser then shows the connection as secure (padlock icon, or simply no warning), which means only that traffic is encrypted to that server, not that the server is who you think it is.
Why Your Browser Doesn’t Always Trust It
Just because a site has an HTTPS certificate doesn’t mean it’s legitimate. Here’s what your browser checks:
- Domain Name Verification: This is the most important check. The browser verifies that the names in the certificate (its Subject Alternative Names) cover the host name you are actually visiting (e.g., https://www.example.com). If a server at bad-example.com presented a certificate issued for www.example.com, the names would not match and the browser would show a warning. The check is exact, nothing more: a phishing site at bad-example.com or www.example.com.evil.net presents a certificate for that name, the names match, and the browser has no way of knowing that you meant example.com.
- Certificate Revocation Lists (CRLs) & Online Certificate Status Protocol (OCSP): The browser checks whether the CA has revoked the certificate, which happens when the private key was compromised or the certificate was issued in error. In practice this is a weak defence against phishing: browsers fail open when OCSP cannot be reached, Chrome relies on its own aggregated CRLSets rather than live OCSP queries, and revocation only helps once someone has noticed and reported the problem. You can check manually using tools like:
- Online certificate checkers: Several websites let you enter a domain name and see the certificate chain, its revocation status and whether the server staples an OCSP response.
- Browser Developer Tools: Most browsers let you inspect the certificate a site presented. In Chrome, press F12, open the Security tab and click View certificate to see the issuer, subject, validity period and the names the certificate covers.
- HSTS (HTTP Strict Transport Security): If a website sends an HSTS header (or is on the browsers' preload list), the browser will only connect to it over HTTPS and will not let you click through a certificate error. This stops a man-in-the-middle from downgrading you to HTTP or presenting an untrusted certificate, but it applies to that domain only: HSTS for example.com does nothing about bad-example.com.
- Public Key Pinning: HTTP Public Key Pinning (HPKP) let a site pin its expected public key in the browser, but it was deprecated and has been removed from Chrome and Firefox; the idea survives in a small set of pins built into the browsers for high-value domains and in pinning inside mobile apps. Where a pin applies and the presented key does not match, the connection is refused. Like HSTS, pinning protects the pinned domain only, so it cannot stop a phishing site that uses its own domain and its own certificate.
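The domain-name check above is simple to state but has a few rules worth seeing in code. The following is an added example written for this article, not browser code: it applies the name-matching rules browsers use (RFC 6125 / RFC 9525) to a certificate's Subject Alternative Names. EXAMPLE_SANS is a constructed SAN list standing in for a real certificate, and fetch_sans() is an optional helper that only runs when the script is executed directly, because it needs network access.

```python
"""How the browser's domain-name check works (added example).

Illustration written for this article, not browser code.  It applies the
name-matching rules browsers use (RFC 6125 / RFC 9525) to a certificate's
Subject Alternative Names.  EXAMPLE_SANS is a constructed SAN list standing
in for a real certificate.
"""
import ipaddress
import socket
import ssl

# Constructed SAN list, in the shape Python's ssl module reports from
# getpeercert()["subjectAltName"].
EXAMPLE_SANS = [
    ("DNS", "www.example.com"),
    ("DNS", "example.com"),
    ("DNS", "*.api.example.com"),
]


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname.

    Rules: case-insensitive, trailing dot ignored; a wildcard must be the
    whole left-most label, needs at least two labels after it, and matches
    exactly one label.  So "*.api.example.com" covers "v1.api.example.com"
    but not "api.example.com", "a.b.api.example.com" or "www.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty name or empty label
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ("w*.example.com") or non-leading wildcards
    if len(p_labels) < 3:
        return False  # "*.com" would cover every .com site
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(hostname: str, san_entries) -> bool:
    """True if hostname is covered by the certificate's SAN entries.

    Only SANs count: browsers no longer consult the Subject CN.  An IP
    literal may only match an "IP Address" entry, and a DNS entry never
    matches an IP literal even if the text is identical.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _match_dns_name(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def fetch_sans(host: str, port: int = 443):
    """Pull the live SAN list from a server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


if __name__ == "__main__":
    # Hosts to check against the constructed certificate above.
    for name in ["www.example.com", "bad-example.com",
                 "www.example.com.evil.net", "v1.api.example.com"]:
        print(f"{name:28} -> {hostname_matches_cert(name, EXAMPLE_SANS)}")
```

Note what the check does not do: bad-example.com and www.example.com.evil.net both fail against this certificate, but a phishing site would never present this certificate in the first place; it presents one issued for its own name, which passes. Replace EXAMPLE_SANS with the output of fetch_sans("www.example.com") to run the same logic against a live certificate.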
How to Spot a Phishing Site
- Check the URL Carefully: Look for typos, extra characters, extra labels or a different domain extension (e.g., example.net instead of example.com, or login.example.com.evil.net, where the real domain is evil.net). Read the domain from the right: the label immediately before the top-level domain is what identifies the site.
- Look for Padlock Warnings: Pay attention to browser warnings about invalid certificates or mismatched domain names.
- Hover Over Links: Before clicking a link, hover over it to see the actual URL it points to.
- Be Wary of Unexpected Emails/Messages: Don’t click links in emails or messages from unknown senders. Go directly to the website by typing the address into your browser.
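Reading the URL carefully is the step people get wrong most often, because phishing links are built to be misread. The following is an added example written for this article, not code from any browser or library: it extracts the host a browser would actually connect to for a link, handles the usual tricks (user information before an @, extra labels, homograph characters), and compares the registrable domain with the one you expected. EXPECTED_DOMAINS and the links in the demo are constructed for illustration; registrable_domain() uses a "last two labels" shortcut instead of the Public Suffix List and is therefore wrong for names like example.co.uk.

```python
"""Reading the real destination out of a link (added example).

Written for this article, not taken from a browser or any library.  It does
what a browser does before the certificate check: work out which host the
link actually connects to, then compare that host's registrable domain with
the domain you expected.  EXPECTED_DOMAINS and the demo links are
constructed for illustration.
"""
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"example.com"}  # constructed allow-list for the demo


def host_of(link: str) -> str:
    """Return the host a browser would connect to for link.

    urlsplit() already discards userinfo before '@' and any port, so
    "https://www.example.com@bad-example.com/" yields "bad-example.com".
    IDN hosts are converted to their xn-- (punycode) form so a homograph,
    such as a Cyrillic 'a' in 'example', becomes visible.
    """
    host = (urlsplit(link.strip()).hostname or "").rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def registrable_domain(host: str) -> str:
    """Last two labels of host: a stand-in for a Public Suffix List lookup
    (wrong for example.co.uk; a real implementation must consult the PSL)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag typosquats like examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(link: str, expected=EXPECTED_DOMAINS):
    """Return (verdict, host); verdict is one of "expected", "not-https",
    "lookalike", "unrelated" or "invalid"."""
    host = host_of(link)
    if not host:
        return ("invalid", host)
    domain = registrable_domain(host)
    if domain in expected:
        scheme = urlsplit(link.strip()).scheme.lower()
        return ("expected" if scheme == "https" else "not-https", host)
    for good in expected:
        good_label, bad_label = good.split(".")[0], domain.split(".")[0]
        if ("xn--" in host                       # IDN host: possible homograph
                or good_label in host            # brand name buried in the host
                or _edit_distance(good_label, bad_label) <= 2):  # typosquat
            return ("lookalike", host)
    return ("unrelated", host)


if __name__ == "__main__":
    # Constructed links in the styles phishing mail actually uses.
    for link in ["https://www.example.com/login",
                 "https://www.example.com@bad-example.com/login",
                 "https://login.example.com.evil.test/",
                 "https://examp1e.com/",
                 "https://www.ex\u0430mple.com/login"]:   # Cyrillic 'a'
        print(f"{link:48} -> {classify_link(link)}")
```

Every link in the demo except the first would carry a perfectly valid certificate for the host this code extracts, which is the point of the article: the certificate check passes, and only the comparison against the domain you expected catches the substitution.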
Technical Example: Checking Certificate Details
You can use OpenSSL to view the certificate a server presents. Pass -servername so the server receives the host name (SNI) and returns the certificate for that name, and pipe the output through x509 to print the fields that matter:
openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
This prints the subject, issuer, validity dates and the Subject Alternative Names. The SAN list is what the browser compares against the host in the address bar, so make sure the domain you intended to visit is among those names and that the issuer is a CA you would expect. Run the s_client command on its own to see the full handshake, including the "Verify return code" line, which tells you whether OpenSSL could build a trusted chain for the certificate.
In Summary
While attackers can easily obtain HTTPS certificates for domains they control, they cannot obtain one for the real site's domain, and the browser will refuse a name mismatch. The padlock therefore tells you the connection is encrypted, not that the site is genuine. Always be vigilant and double-check the domain in the address bar, and the certificate details if in doubt, before entering sensitive information.