A scam referred to as a phishing attack occurs when someone uses a spoofed email and/or fraudulent website designed to fool users into divulging personal and/or confidential information, such as financial data, credit card numbers, expiration dates, passwords, mother's maiden name, and account numbers. For example, a perpetrator of such a scam sends out a spam email that appears to come from a reputable institution. For example, the sender of the email appears to be “support@bank.com”. At little cost, such an email could be sent to millions of recipients, of which some percentage will likely be customers of the particular bank. The email tries to induce the recipients to enter personal information, as an example, by telling the users that there have been fraudulent charges to their credit card and that the users should enter their account number and password information to fix the problem.
In a variation on this approach, the email has a link that is supposedly a link to the bank's website. The website can have a name that is similar to the bank's name, or there can be ways to overlay text to block the website name to make it appear to be valid. A user can find himself or herself viewing a website that is made to look like the one that the bank actually uses. The user thinks he/she is logging in normally to the bank, but the user is actually divulging personal information. The perpetrator of the scam can thus obtain the account number and password not only to use for that particular bank, but the password may be useful for the perpetrator to use for other illegal purposes.
Many parties can suffer losses, directly and indirectly, as a result of such activity. Users are harmed by false charges to their bills, and also by the inconvenience of having to get new cards and change passwords. The company with the spoofed website may have to absorb some of the costs of fraudulent charges, loses some creditability with customers and thus may lose customers, and also loses time and expense in helping the customer address the problem. Additionally, all electronic commerce could be susceptible to a lack of confidence in transactions over the internet.
Currently, confidential communications can be maintained over the internet through the Secure Sockets Layer protocol (SSL), also known as Transport Layer Security (TLS). SSL allows users to securely exchange information over the Internet during a session between the user and a website. After a set of introductory messages, a website sends a certificate containing a public key to the user, while the website maintains a private key. The user uses the public key to encrypt a coded message to the website with a secret key. The website decodes the message to derive the secret key, and then the user and the website use the secret key to send information back and forth as long as the user and the website are in the same session.
The SSL process of establishing a secure communication occurs without the steps being readily apparent to the user. To the user there are two indications that SSL is being used: (1) the web address includes “https” instead of “http,” and (2) a padlock icon appears at the bottom of the web browser. For users who are more advanced in their knowledge about security, this padlock can be used to view certificate information, such as the certificate serial number, certificate validity dates, public key information, and various other details about the certificate. This information can indicate to the advanced user that communications are secure and that the user is communicating with the party that the user thinks he/she is communicating with (i.e., that the site is authentic). Such information, however, can be circumvented by perpetrators of a phishing scam to deceive even the advanced user. For example, the https address can be doctored; and/or the certificate that is being provided could be out of date, a shared certificate, or a certificate that has been revoked.
The certificate authorities that issue certificates each maintain a certificate revocation list (CRL) or some additional mechanism that shows if a certificate has been revoked before its scheduled expiration date. A certificate can be revoked for one of a number of reasons, such as at the request of a certificate holder or because of a concern that the private key associated with the certificate has been compromised. The certificate authorities typically provide a service that allows access to their CRLs or other certificate status mechanisms.
Even an advanced user who accesses a secure website typically does not check the certificate or perform further checks to make sure that the certificate is valid. These advanced users generally have confidence that the information that they are sending is safe and secure. This confidence helps to allow commerce to be done over the Internet. If that confidence is lost, and if the procedure for a user to confirm the validity of a website is time consuming or complex, internet commerce could suffer significantly.