Thursday, December 7, 2023

Why Are DV Certificates Hot Favourites Of Hackers?

SSL Certificates and their data encryption capabilities are indispensable to website security. However, not all SSL certificates are equal. SSL Certificates are of three types – DV Certificates, OV Certificates, and EV Certificates.

Even though the level of encryption is similar for all three types of SSL certificates, the vetting, verification, and validation processes differ significantly. These authentication processes define the reliability of the website. DV SSL Certificates are considered particularly dangerous.

In this article, we will help you understand why they are dangerous and what alternatives exist to DV Certificates.  

DV Certificates: An Overview

DV or Domain Validated SSL Certificates are the most basic security certificates. As the name suggests, these security certificates are issued by the Certificate Authority (CA) after verifying and validating the domain ownership. DV Certificates are recommended only for personal blogs or static websites. Businesses must not opt for DV SSL as it does not inspire trust among users.

Reasons why Domain Validated SSL Certificates are Hot Favorites for Hackers

Data suggests that 58% of phishing websites leverage SSL certificates to establish ‘legitimacy’, as hackers and users both understand the risk of not using SSL. And DV SSL certificates are hot favorites for hackers!

Typically, the CA sends a confirmation email to an authorized email address found in the domain’s WHOIS records, for instance admin@, webmaster@, administrator@, postmaster@, etc., or to other domain contacts. The domain owner must follow the process in the email to confirm the domain ownership.

To vet and verify the domain ownership, the Certificate Authority may also use alternate authentication methods such as:

  • DNS CNAME lookup for the domain (the domain owner creates a DNS record verifying control of the domain)
  • File lookup over HTTP (the domain owner must place the verification file on the website seeking SSL protection)

If the applicant completes any of these verification processes, they have proved that they have control over the website that needs to be protected with SSL. They will be given a DV SSL Certificate. The entity does not need to submit any other documentation or company paperwork. They do not need to establish that they are a legal entity. Further, it is quick, hassle-free, and economical to obtain.

Hackers, looking to defraud users or commit phishing attacks, can simply create a website and buy a DV SSL without too much trouble. DV certificates only demonstrate that the website owner has administrative control over the domain. This security certificate divulges the least amount of information about the website owner or the entity that the user is interacting with while visiting a website.

Hackers could create a phishing website with a misspelling of a legitimate domain name, use a free webmail account to complete the verification, and get a Domain Validated SSL Certificate. The user may notice the padlock sign and not the misspelled address. They may end up divulging confidential information or passwords, downloading malware, or making payments to the hacker, among others.

Which Type of SSL Certificate Should a Business Choose?

Businesses must consider OV or EV SSL certificates to nurture greater levels of trust among website visitors and users.

OV or Organization Validated SSL Certificates provide a high level of assurance to users. These certificates are issued by CAs only after business ownership is vetted, verified, and validated along with the domain ownership. The CA would authenticate legal information, company paperwork, check the physical location, and so on along with the domain validation. It tells the user that they are dealing with the same entity whose information is listed on the certificate.

EV or Extended Validation SSL provides the highest level of assurance to users. Its no-compromise features, warranties, and thorough vetting and authentication processes make users feel much more secure.

In addition to organization verification, they include a third-party verification as per EV protocols. Unlike OV certificates, they also provide visual cues such as display of Company Name on clicking the Padlock, dynamic site seals and so on. They come at a premium price, but it is an investment worth making for e-commerce and other dynamic websites.
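To make the difference between the three types concrete, the following added example (not code from the article) infers the validation level from the identity attributes in a certificate's subject, using the dict layout returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates and the organization name are constructed; the subject check is a heuristic, since the certificate policy extension is what formally declares the level.

```python
# Added illustration, not code from the article. Field names match the dict
# returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates
# below are constructed for the example.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into one dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Infer DV/OV/EV from the identity attributes present in the subject."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"  # only control of the domain was validated
    if EV_FIELDS.issubset(subject):
        return "EV"  # EV subjects also carry business registration details
    return "OV"

def disclosed_identity(cert):
    """Everything the certificate says about the operator besides the hostname."""
    return {k: v for k, v in subject_fields(cert).items() if k != "commonName"}

DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "IN"),),
                       (("organizationName", "Example Retail Pvt Ltd"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "IN"),),
                       (("serialNumber", "PLACEHOLDER-REG-NO"),),
                       (("countryName", "IN"),),
                       (("organizationName", "Example Retail Pvt Ltd"),),
                       (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(name, validation_level(cert), disclosed_identity(cert))
```

For the DV sample, disclosed_identity() returns an empty dict: the certificate names the host and nothing about who operates it.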

A word of caution: You must choose the right Certificate Authority. If the CA uses mixed validation protocols, they may issue OV SSL Certificates to hackers. If the domain name consists of a mixed character set, the CA must check the mixed character sets against known high-risk domains, and the certificate request must be flagged as high risk. They must conduct further authentication to ensure that the applicant is a legitimate organization.
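The check described above, together with the misspelled-domain case mentioned earlier, can be sketched as follows. This is an added example, not a CA's actual procedure: the watch list, the confusables table and the distance threshold are constructed assumptions, and IDN labels are assumed to be already decoded from punycode.

```python
import unicodedata

# Constructed watch list and homoglyph table (assumptions for the example).
HIGH_RISK = ["paypal.com", "google.com", "entrust.com"]
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x"}  # Cyrillic -> Latin

def scripts(label):
    """Return the scripts in a label, taken from each character's Unicode name."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens belong to no particular script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain):
    """Return (risk, reasons) for the domain named in a certificate request."""
    domain = domain.lower()
    reasons = []
    for label in domain.split("."):
        found = scripts(label)
        if len(found) > 1:
            reasons.append(f"mixed scripts in {label!r}: {sorted(found)}")
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    for target in HIGH_RISK:
        if domain == target:
            continue  # the genuine name itself is not a lookalike
        d = edit_distance(folded, target)
        if d <= 2:
            reasons.append(f"resembles {target} (distance {d} after folding)")
    return ("high" if reasons else "low"), reasons

if __name__ == "__main__":
    for name in ("paypal.com", "paypa1.com", "p\u0430ypal.com", "example.org"):
        print(ascii(name), assess(name))
```

A request flagged "high" here is the kind that should go to further authentication before issuance.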

The Way Forward

Given the fast-paced growth in fake websites, phishing and fraud, trustworthy SSL certificates are vital. They enable you to nurture greater trust in users by assuring them that they are dealing with a legitimate brand and not a hacker. So, an Extended Validation or Organization Validated SSL Certificate from a reputable CA like Entrust is an investment you must make for your websites. Entrust has collaborated with Indusface to be the Authorized Distributor of their SSL/TLS certificates in India. Through Entrust’s SSL Certificates, Indusface provides strong encryption and browser trust with round-the-clock support for your business.

