3

The website is verified by the Certificate Authority Symantec according to my Firefox browser; however, when I went to the website and foolishly bought a gift card, I then got a notification from my bank that someone spent over $400. The fees were refunded and everything was resolved; however, I am confused why the website says it's verified by a CA if it's known for scamming customers. The reviews are filled with other people saying the same thing or something similar.

Why would Symantec verify that this is a secure website, when it's not? I am no expert in IT Security, I am still at entry level and would like to know or understand this better because I am kind of confused.

Website: https://www.cardpool.com/

Milt
  • 39
  • 1

1 Answers1

16

Symantec is verifying only that the website is who they say they are. They make no judgements based on whether or not the owners of the website are running a legitimate service or not.

CAs are not supposed to sign a certificate if that certificate could be misinterpreted as a different site: https://www.citibank.com would be verified by the actual Citibank company; but https://www.citibamk.com should not be issued to anyone else because it's probably a thief using typosquatting in order to dupe people. (Note that Citibank could in good faith register citibamk.com in order to redirect people to their real site; some sites will buy up typosquatting domain names in order to prevent these attacks.

So, if the site you visited was named https://www.ARealLegitStoreAndNotAScammer.com and you got scammed by them anyway, it's not Symantec's fault. However, if you got duped by https://www.walmert.com into thinking you were at the very large retailer's web site, then they should never have signed the certificate, and it's their fault.

John Deters
  • 33,650
  • 3
  • 57
  • 110
  • 2
    Note also that Let's Encrypt has a habit of just signing things with little regard for whether they are potentially confusing. – Kevin Jun 21 '17 at 15:31