4

Usually, websites will say "don't sign in unless you see the secure icon". If the user hasn't noticed that the URL is wrong (or is misleading, as a security firm recently discovered), and purely trusts that icon, they may fall victim to a phishing attack. In this case, would a CA revoke the phishing site's certificate, or am I missing the point of revocation? Also, if CAs do revoke certificates for phishing sites, are there any well-known examples?

duper51
  • 233
  • 1
  • 5
  • See also [Who is responsible for revoking a certificate?](https://security.stackexchange.com/questions/127988/who-is-responsible-for-revoking-a-certificate) – Sjoerd May 03 '17 at 07:15
  • See also [The CA's Role in Fighting Phishing and Malware](https://letsencrypt.org/2015/10/29/phishing-and-malware.html) – Sjoerd May 03 '17 at 08:42

1 Answer

2

First of all, this differs for each CA. According to a Technical Support Specialist at GlobalSign:

GlobalSign does not revoke certificate without the permission of the owner. [...] For phishing sites, our vetting team will perform security checks on the domain prior to issuance.

On the other hand, DigiCert has some other rules:

DigiCert revokes certificates for the reasons stated in the DigiCert CPS, including the following:

  • [...]

  • DigiCert obtains evidence that the certificate was misused;

  • DigiCert is made aware that a subscriber has violated one or more of its material obligations under its agreement with DigiCert;

  • A third party provides information that leads the DigiCert to believe that the code signing certificate is compromised or is being used for suspect code;

Furthermore, a certificate is meant to indicate that you are really connected to the right site. It does not give a judgement about the content or quality of the site. A certificate for fake-paypal.com is valid and correct if you are really connected to fake-paypal.com, even if that site impersonates the real PayPal.

Edit: DigiCert revokes certificates that have been "misused", but what this exactly means is open for interpretation. I think using a certificate for a man-in-the-middle attack is definitely misuse, but I am not sure about using it on a phishing site.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102
  • 1
    Which of the points do you feel would be relevant for DigiCert to revoke a certificate for a phishing site? For example, does the DigiCert agreement include terms like "you agree not to make a site that appears overly similar to some other site", and who is the arbiter of that? – user May 03 '17 at 08:10
  • 1
    I actually don't think DigiCert generally revokes phishing site certificates. But they could, because "misuse" could mean a lot of things. – Sjoerd May 03 '17 at 08:42
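The answer's central point, that a certificate binds a key to a name and says nothing about the site behind it, and that revocation is a separate check against the issuer's CRL, can be made concrete. The following is an added example, not code from the question, the answer or any CA; it uses only the Python standard library, and the `Cert` and `Crl` classes, the `Example CA` issuer, the serial number and the `fake-paypal.com` names are constructed stand-ins for parsed X.509 and CRL fields (no network, no real CA). It goes slightly beyond the text by implementing the RFC 6125/9525 wildcard rules, which is where look-alike names tend to be mis-handled.

```python
"""Hostname identity check vs. revocation check, as two separate steps.

Added illustration, standard library only. Cert and Crl are constructed
stand-ins for parsed X.509 / CRL fields; no CA, CRL distribution point or
OCSP responder is contacted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Cert:
    """Minimal stand-in for the fields a TLS client inspects."""
    serial: int
    issuer: str
    dns_names: list = field(default_factory=list)  # subjectAltName dNSName entries
    ip_names: list = field(default_factory=list)   # subjectAltName iPAddress entries


def matches_hostname(cert: Cert, hostname: str) -> bool:
    """RFC 6125/9525-style match of the requested name against subjectAltName.

    Rules applied: case-insensitive label comparison; a wildcard is accepted
    only as the entire leftmost label, matches exactly one label, and needs at
    least two labels to its right (so "*.com" never matches); IP literals must
    match an iPAddress entry and never a dNSName or a wildcard.
    """
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip_address(x) == ip for x in cert.ip_names)

    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert.dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # "*.example.com" matches neither example.com nor a.b.example.com
        first, rest = pat_labels[0], pat_labels[1:]
        if first == "*":
            if len(rest) < 2:
                continue  # refuse "*.com"-style patterns
            if rest == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


@dataclass
class Crl:
    """Constructed stand-in for a CRL: serials the named issuer has revoked."""
    issuer: str
    revoked_serials: set


def is_revoked(cert: Cert, crls: list) -> bool:
    """True only if the cert's own issuer lists its serial as revoked."""
    return any(crl.issuer == cert.issuer and cert.serial in crl.revoked_serials
               for crl in crls)


def verdict(cert: Cert, hostname: str, crls: list) -> str:
    """Everything the client can conclude from the certificate and the CRL.

    Note what is absent: nothing here looks at page content or at whether
    the name resembles some other brand. That judgement is the CA's (or the
    user's), not the protocol's.
    """
    if not matches_hostname(cert, hostname):
        return "name mismatch"
    if is_revoked(cert, crls):
        return "revoked"
    return "valid for this host"


# Constructed example: a certificate issued to the look-alike domain.
FAKE_PAYPAL = Cert(serial=0x1234, issuer="Example CA",
                   dns_names=["fake-paypal.com", "www.fake-paypal.com"])
EMPTY_CRL = Crl(issuer="Example CA", revoked_serials=set())
REVOKING_CRL = Crl(issuer="Example CA", revoked_serials={0x1234})

if __name__ == "__main__":
    print(verdict(FAKE_PAYPAL, "fake-paypal.com", [EMPTY_CRL]))
    print(verdict(FAKE_PAYPAL, "paypal.com", [EMPTY_CRL]))
    print(verdict(FAKE_PAYPAL, "fake-paypal.com", [REVOKING_CRL]))
```

The first call succeeds, which is exactly the answer's point: the certificate is correct for `fake-paypal.com`. The only way the browser would ever refuse it is the third case, where the issuer has actually put the serial on its CRL; whether a CA does that for a phishing site is the policy question the answer and comments discuss, and nothing in the client-side check forces it.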