I have read a lot that a phishing site will not have an SSL certificate installed. As far as I know, anybody can purchase an SSL certificate and install it on their website, irrespective of whether the site is genuine or fraudulent. In this scenario, what is the role of SSL certificates in identifying phishing?

  • "As far as I know, anybody can purchase an SSL certificate and install it on their website, irrespective of whether the site is genuine or fraudulent." From where did you get that? Can anyone get a certificate for Google.com? If no one but Google can, then your claim is simply wrong. Certificate authorities have responsibilities to verify certificate requests. Phishing is a totally different thing, as no phishing site is able to use the Google.com URL, only its own domain names. – Lex Li Nov 29 '19 at 20:58
  • @LexLi I think you did not understand my question. I did not mean that someone can buy an SSL certificate for a website which they don't own. I was asking whether anyone can buy an SSL certificate and install it on their website. Some people can make a deceptive website and install SSL to make it appear as a genuine site. – user7282 Nov 30 '19 at 14:27

3 Answers


SSL Certificates are not designed to be used as a way to detect phishing.

SSL Certificates are actually very cheap, even free. Let's Encrypt offers completely free, completely automated certificate issuance. Due to this, scammers have abused this system to create phishing sites.

This very old blog post goes into more detail, but the summary is that Certificate Authorities (organizations that are dedicated to signing certificates that your browser trusts) should not be in the business of monitoring content.

Google has a "Safe Browsing API" that the Chrome browser checks against to see if the site might be a forgery. This type of monitoring and checking is better left to browsers than to a CA.


Yes, any website can be secured using SSL.

The issuing certificate authority only validates that you own the domain. So a phishing website can obtain a certificate and be secured by SSL. SSL provides encryption; it doesn't verify or attest to the content of the website.

The CA can also invalidate the certificate if the site is reported as scammy, in which case the browser will display an error when connecting to such a website.

Modern browsers use phishing databases to warn users if they are visiting a bad website. This is used to protect users.

Jozef Izso

Something to keep in mind is Extended Validation Certificates. An EV SSL certificate is issued to an organization after verifying an org owns the domain. These certificates were designed to prevent phishing by displaying not only the lock icon but also the company owning the domain. The idea is that if an end user visited bofa.com (for example) they would know the site was owned by Bank of America. Much research, however, shows that this does not prevent phishing either, because most end users will put their password in any website.

More info here
