For several years users have been bombarded with warnings about rogue web sites set up to steal their credentials. Threats ranging from phishing attacks to spoofed sites have spawned several technologies to help users in ‘Remaining Safe Online’. These include browser plugins/addons and third-party security offerings ranging from URL filtering to content inspection.
Such technologies are definitely a good idea. They do help to protect users from threats (and themselves). Problems can occur however when there is too much of a good thing. So much information, so many warnings, so many technologies that the user enters a state of numbness. They become utterly reliant upon the ‘good things’ that keep them safe.
This fact was brought home yesterday, whilst investigating a web based threat. The web site of an online music/DVDs/books retailer (no, not that one, something a little smaller) was found to have been compromised. Statistics on the site suggest a fairly continual flow of several hundred users online and browsing (see bottom left-hand corner of image). Content served up from the site carried a malicious script that silently pulled content from a rogue site (registered by someone based in Albania, server residing somewhere in Malaysia, mmm…). Nothing new here: we have recently reported on the upsurge in the volume of legitimate sites becoming compromised (1,2,3). The interesting thing with the site in question here was the use of website authentication.
When you browse the site, a small logo reassuring the user that the site’s identity has been authenticated is visible in the bottom right-hand corner:
(Ironically, JavaScript has to be enabled for the logo to appear, which also means the malicious script will be able to run as well.)
So what’s the problem? Don’t get me wrong – it is not the site authentication, in this case from Comodo. That is doing its job perfectly, and provides a valuable tool against phishing attacks. The problem lies with the user, more specifically with the user’s understanding of what site authentication actually means. It confirms the site is authentic, nothing more. Users who regard that label as some ‘badge of perfection’, if you like, open themselves up to problems. As was the case here, the site’s security had indeed been breached, and its users exposed to malware. (In fact, despite email contact 16 hours ago, the site is still compromised and serving up the malicious script. Thankfully, the remote rogue server seems to be down.)
I am an avid NoScript fan (a security plugin for Mozilla-based browsers) and use it to block JavaScript on all but trusted sites. Failure to understand the limitations of site authentication may lead users to treat it as a reason to trust the content of a site, bypassing protection that may be provided by the browser or by plugins such as NoScript.
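The compromise described above (an injected script pulling content from a remote rogue host) and the NoScript model of trusting only named sites both come down to one check: which hosts does a page actually load active content from, and are they the site's own or on a short list of expected third parties (such as the seal vendor's script)? The following is an added example, not code from the original post or from any vendor named in it. It parses a constructed sample page (the hostnames `shop.example`, `seal.vendor.example` and `rogue.example` are placeholders, not the retailer's real HTML) and flags every script, iframe, embed or object source whose host is neither the site itself nor on the allowlist, which is the kind of content-level check a site owner or monitoring service can run against their own pages to catch this class of injection.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the retailer's HTML): the site's own script,
# a hypothetical seal-vendor script, and an injected remote script + iframe.
SAMPLE_HTML = """<html><body>
<script src="/js/shop.js"></script>
<script src="https://seal.vendor.example/logo.js"></script>
<p>Welcome to the shop</p>
<script src="http://rogue.example/x.js"></script>
<iframe src="http://rogue.example/frame" width="0" height="0"></iframe>
</body></html>"""


class RemoteLoadCollector(HTMLParser):
    """Collect (tag, url) for every element that pulls active content into the page."""

    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.loads.append((tag, value))


def host_of(url):
    """Hostname a URL loads from, lower-cased; '' for relative (same-origin) URLs."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, site_host, allowlist):
    """A host is trusted if it is the site, a subdomain of the site, or on the allowlist."""
    site_host = site_host.lower()
    if host == site_host or host.endswith("." + site_host):
        return True
    return host in {h.lower() for h in allowlist}


def find_untrusted_loads(html, site_host, allowlist=()):
    """Return [(tag, url, host)] for each remote load from a host outside the trusted set.

    Relative URLs resolve to the site's own origin and are never flagged.
    """
    parser = RemoteLoadCollector()
    parser.feed(html)
    flagged = []
    for tag, url in parser.loads:
        host = host_of(url)
        if host == "":
            continue  # same-origin resource
        if not is_trusted(host, site_host, allowlist):
            flagged.append((tag, url, host))
    return flagged


if __name__ == "__main__":
    # The seal vendor's script is expected, so it is on the allowlist;
    # the two loads from rogue.example are what a site owner wants to see.
    for tag, url, host in find_untrusted_loads(
        SAMPLE_HTML, "shop.example", ["seal.vendor.example"]
    ):
        print(f"untrusted {tag} load from {host}: {url}")
```

The allowlist is deliberately short: the point of the check is that anything not explicitly expected is reported, including zero-size iframes, which plain visual inspection of the page would never reveal. Run periodically against the live site and diffed against a known-good baseline, a non-empty result is a strong signal that the pages, not the site's identity, have changed.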
This is one of the reasons that the use of compromised sites by hackers to attack users is so nasty. Aside from gaining a potentially huge pool of victims, such attacks also play on the trust relationships people have with sites.
