The Risk in Free SSL Certificates

Friday, October 23, 2015

Free Domain Validated SSL certificates are dangerous and, with their low level of authentication, do not live up to the security expected of them.


Seeing the word ‘FREE’ excites us. Perhaps psychologically, we know it costs nothing for the use of a good or service. What’s even better is if the product fulfills our needs, wants and expectations. ‘FREE’ is all around us; free meals, free accessories, free samples. You name it, you got it. Every industry has its own play with this marketing gimmick.

In the SSL certificate industry, it’s no different. There are Certificate Authorities (CAs) giving away free SSL certificates, and hosting providers offering free shared SSL. I mean, why pay when there are free options out there, right?

Well, free has its risks – we all know it – and the question is how big your risk appetite is. Free SSL certificates are usually domain validated (DV), the lowest level of assurance you can get for encryption and authentication. They are easy to obtain, and that is also the biggest problem with such digital certificates.

Behind Domain Validated (DV) Certificates

The sole criterion for a DV certificate is proof of control over the domain, and it is usually issued by automated systems without any human intervention. You might be thinking… how is that bad? You own the domain, you control it, and you self-declare ownership of the site. It’s also an efficient way of getting what you need – an SSL certificate.

Sad to say, that is only the administrator’s point of view.

Now let’s start thinking from a cyber attacker’s perspective. Maybe you own the domain ‘www.julabee.com’, set up an e-commerce store and get a free DV SSL certificate for the encryption needed on the checkout page, or for site-wide SSL. A cyber attacker can just as easily register the domain ‘www.juIabee.com’, with the ‘l’ replaced by a capital ‘I’, copy your website design simply by viewing your page source (it’s Ctrl + U) and get a free DV SSL certificate for it too. Simply put, this is a phishing site (derived from the word ‘fishing’), used to ‘fish’ for confidential data, and such sites do appear alongside your legitimate site in search engine rankings.

Unbeknownst to you, cyber attackers are silently stealing your customers’ information and money, leaving you with a damaged reputation to deal with when customers start knocking on your door asking for the goods they never received. Not to mention the cost of a data breach, which may blow a hole in your wallet and leave your business crippled overnight.
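The look-alike domain in the scenario above (‘juIabee’ for ‘julabee’) is something a site owner can watch for on their own side, for example by running newly seen hostnames from a certificate-transparency or registration feed against their brand name. The following is an added example, not code from the original article or its author: the brand list, the confusable-glyph table and the sample feed are all constructed for the demonstration, and it assumes a one-label TLD such as .com when picking the registrable label (real code would consult a public-suffix list).

```python
"""Flag hostnames that are visual look-alikes of a brand's registrable label.

Added example for this post; brands, confusable table and feed are constructed.
"""
import unicodedata

# Constructed brand list: the second-level label of the post's fictional shop.
BRANDS = ["julabee"]

# Glyphs that render alike in many fonts. Capital I vs lowercase l is the case
# from the post; the rest are assumed common confusables, not an exhaustive table.
CHAR_CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def registrable_label(hostname: str) -> str:
    """Return the label left of the TLD, e.g. 'juIabee' for 'www.juIabee.com'.

    Assumes a one-label TLD. Punycode (xn--) labels are decoded so that
    non-ASCII homoglyphs are compared as the characters a user would see.
    """
    host = hostname.strip().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Collapse a label to a 'skeleton' in which confusable glyphs coincide."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # e + accent -> e
    s = "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in s)  # case-sensitive: I -> l
    s = s.lower()
    for pair, single in MULTI_CONFUSABLES.items():
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, brands=BRANDS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    label = registrable_label(hostname)
    sk = skeleton(label)
    for brand in brands:
        if label.lower() == brand:
            return "legitimate"
        bsk = skeleton(brand)
        # Same skeleton, one edit away, or brand embedded in a longer label.
        if sk == bsk or edit_distance(sk, bsk) <= 1 or bsk in sk:
            return "lookalike"
    return "unrelated"


# Constructed feed: one hostname per line, as a CT or registration monitor
# might hand them over.
SAMPLE_FEED = """\
www.julabee.com
www.juIabee.com
ju1abee.com
julabée.com
julabee-secure.com
www.example.com
"""


def scan_feed(text: str, brands=BRANDS):
    """Return [(hostname, verdict)] for every non-empty line of the feed."""
    return [(h, classify(h, brands)) for h in text.splitlines() if h.strip()]


if __name__ == "__main__":
    for host, verdict in scan_feed(SAMPLE_FEED):
        print(f"{verdict:11} {host}")
```

Only the legitimate domain and the unrelated one pass; the capital-I spelling, the digit-1 spelling, the accented label and the brand-plus-suffix label are all flagged for review. The skeleton step is deliberately lossy, so treat a hit as a lead for a human to check, not as proof of phishing.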

Non-Ecommerce Perspective

Maybe it’s not an e-commerce site you own; it could be a finance site, a membership site or a service site. In such scenarios, cyber attackers can leverage a subscription email database to contact your customers, deceiving them into clicking a link to change their password, or using anchor text (with a phishing link) to direct them to the attacker’s page.

Cyber attackers keep coming up with new tricks up their sleeves and may attack in new forms and from new directions. If inferior security implementations are used, this gives attackers a good opportunity to break into your database servers. Knowing these threats, it is better to take precautionary measures and avoid the use of free, low-assurance digital certificates.

Other Better Alternatives: OV and EV

An Organisation Validated (OV) certificate is the next best alternative to DV, because every domain owner has to undergo an organisation background check – making sure the website belongs to its rightful owner. However, as DV and OV both display the green secure padlock and https, visitors may not be able to differentiate between two identical-looking sites using different types of certificate.

That is why an Extended Validation (EV) certificate is recommended regardless of business type and nature. EV certificates display the registered name of the organisation in the browser’s address bar, together with a green bar of assurance, informing your visitors that they are on the right site and that the content displayed on the website is legitimate.
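The practical difference between the certificate types is what the certificate’s subject asserts: a DV certificate names only the host, while OV and EV certificates also carry the organisation’s registered name. The following is an added example, not code from the original article, showing how to read that out of the dictionary shape Python’s `ssl.SSLSocket.getpeercert()` returns; the two certificates are constructed samples in that shape, not real ones. One caveat it assumes: whether a certificate was issued under EV rules is signalled by certificate-policy OIDs, which `getpeercert()` does not expose, so the check below only distinguishes a domain-only subject from one that asserts an organisation.

```python
"""Inspect what a server certificate actually asserts about identity.

Added example for this post. Works on the dict shape returned by
ssl.SSLSocket.getpeercert(); both certificates below are constructed samples.
"""

# Constructed sample: DV-style certificate, the subject carries only the host name.
DV_CERT = {
    "subject": ((("commonName", "www.julabee.com"),),),
    "subjectAltName": (("DNS", "www.julabee.com"), ("DNS", "julabee.com")),
    "issuer": ((("commonName", "Example Free CA"),),),
}

# Constructed sample: OV/EV-style certificate, the subject names the organisation.
OV_CERT = {
    "subject": (
        (("countryName", "SG"),),
        (("localityName", "Singapore"),),
        (("organizationName", "Julabee Pte Ltd"),),
        (("commonName", "www.julabee.com"),),
    ),
    "subjectAltName": (("DNS", "*.julabee.com"), ("DNS", "julabee.com")),
    "issuer": ((("commonName", "Example Validated CA"),),),
}


def subject_field(cert: dict, name: str):
    """Return the first value of a subject attribute such as 'organizationName'."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def san_dns_names(cert: dict) -> list:
    """DNS entries of the subjectAltName extension, which is what browsers match."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if a SAN DNS entry covers hostname; '*.' matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # '*.julabee.com' -> '.julabee.com'
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def asserted_identity(cert: dict) -> dict:
    """Summarise what the certificate claims: which names, and which organisation."""
    org = subject_field(cert, "organizationName")
    names = san_dns_names(cert) or [subject_field(cert, "commonName")]
    return {
        "names": names,
        "organization": org,
        "identity_level": "organisation-asserted" if org else "domain-only",
    }


if __name__ == "__main__":
    for label, cert in (("DV sample", DV_CERT), ("OV sample", OV_CERT)):
        print(label, asserted_identity(cert))
        print("  covers shop.julabee.com:", hostname_covered(cert, "shop.julabee.com"))
```

Both samples would pass a browser’s hostname check for the names they list, which is the point of the paragraphs above: the padlock only tells you the name matched, and the organisation field is what tells you who stands behind it.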

Know what Security is and Avoid Free SSL

Free things are often too good to be true, and in the case of SSL they certainly are. Using a free DV certificate may deceive visitors and customers into thinking your site is safe, but it certainly will not deceive hackers. Be a smart, security-savvy owner: start adopting good security habits and go for OV and EV certificates for basic encryption and authentication.

About Ashlee Ang

Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.
