Information displayed in the security field should be approached with caution. – Opera Security Advisories

Summary

 

Even though a Certificate Authority has verified and signed a site's certificate, a user should not trust the Organization name it shows without also checking the domain name. A fraudulent site can carry a certificate with a misleading Organization name.

 

Severity: Low

 

Problem description

 

A secure site is served over an encrypted connection, and has a digital certificate that has been verified and signed by a trusted third party (TTP), known as a Certificate Authority (CA).

 

Among other things, the server’s certificate contains the server name of the secure site, the organization name and country, the expiry date and the name of the issuer (CA) who signed it. All this information can be viewed in Opera’s security information dialog, by clicking the padlock icon in the address field.

 

To make secure sites stand out more, and to make the information in the site’s digital certificate more accessible, Opera has added a “security field” in the address field. The security field currently contains the “Organization” name and the “Country” field from the certificate, and the padlock icon. It has a yellow background to attract the user’s attention.

 

However, rather often the Organization name is not the name of the company represented by the site. For example, it is common for banks to outsource the hosting of their online banking site. Such a site can then have the name of the hosting company in the Organization field, even though the domain name is that of the bank. This may appear confusing to some end users.

 

Some Certificate Authorities issue low-cost certificates more or less automatically, without proper verification against a company registry. These CAs verify only control of the domain name, so the Organization field in such a certificate is effectively whatever the applicant entered.

 

Also, the documentation submitted to the Certificate Authority can be incorrect. This can lead the Certificate Authority to issue a certificate erroneously.
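The following is an added example, not part of the Opera advisory and not Opera's code. It makes the problem described above concrete: it issues a self-signed certificate (standing in for a domain-only validated one, as described in the paragraph on low-cost CAs) whose Organization field carries a bank's name but whose Subject Alternative Names cover an unrelated domain, extracts the fields the security field and security dialog display, and runs the check that must back any decision: does the certificate actually cover the host name the user typed? The helper `issueSelfSigned`, the organization "Example Bank Ltd" and the `.test` domain names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSummary collects the fields the advisory says the browser shows:
// the Organization and Country from the subject (the security field),
// the server names, the expiry date and the issuer (the security dialog).
type CertSummary struct {
	Organization string
	Country      string
	CommonName   string
	DNSNames     []string
	Issuer       string
	NotAfter     time.Time
}

// Summarize pulls those fields out of a parsed X.509 certificate.
func Summarize(c *x509.Certificate) CertSummary {
	s := CertSummary{
		CommonName: c.Subject.CommonName,
		DNSNames:   c.DNSNames,
		Issuer:     c.Issuer.CommonName,
		NotAfter:   c.NotAfter,
	}
	if len(c.Subject.Organization) > 0 {
		s.Organization = c.Subject.Organization[0]
	}
	if len(c.Subject.Country) > 0 {
		s.Country = c.Subject.Country[0]
	}
	return s
}

// NameMatches is the check the Organization field cannot replace: does the
// certificate cover the host name the user typed? Go's VerifyHostname
// compares against the Subject Alternative Name DNS entries (wildcards
// included) and never looks at the Organization text.
func NameMatches(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(strings.TrimSpace(host)) == nil
}

// issueSelfSigned builds a self-signed certificate whose subject Organization
// and Country are whatever the applicant claims, bound only to the DNS names
// given. A domain-only validating CA is in the same position: it checks the
// names, not the organization text. Hypothetical helper for this example.
func issueSelfSigned(org, country string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{org},
			Country:      []string{country},
			CommonName:   dnsNames[0],
		},
		DNSNames:    dnsNames,
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: a phishing host that obtained a certificate with
	// the bank's name in the Organization field. Bank and domains are made up.
	cert, err := issueSelfSigned("Example Bank Ltd", "NO",
		[]string{"login.example-bank-secure.test"})
	if err != nil {
		panic(err)
	}
	s := Summarize(cert)
	fmt.Printf("security field would show: %s [%s]\n", s.Organization, s.Country)
	fmt.Printf("certificate is for: %v, issued by %q, expires %s\n",
		s.DNSNames, s.Issuer, s.NotAfter.Format("2006-01-02"))
	for _, host := range []string{"www.example-bank.test", "login.example-bank-secure.test"} {
		fmt.Printf("typed %-32s -> name matches: %v\n", host, NameMatches(cert, host))
	}
}
```

The security field would read "Example Bank Ltd [NO]" for this certificate, yet `NameMatches` reports false for the bank's real host name and true only for the phishing domain. The domain check is what separates the two; the Organization text on its own does not.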

 

Opera’s response

 

This inconsistent use of the “Organization” field of digital certificates is well-known to Opera. The security field is intended to be used as additional information. As such it will help raise users’ awareness of certificates, and may make it more difficult for a phishing attack to be successful.

 

The Organization name was chosen, as it provides a company name in addition to the domain name. A majority of SSL certificates have the name of the company behind the site as their Organization name.

 

When visiting a secure site, the user has to make an informed choice before entering any sensitive information: Is it the right site? And is it trustworthy? If either the domain name or the Organization field looks wrong, it calls for closer scrutiny from the user.

 

Bank notes typically contain several features that are hard to counterfeit and easy to check. SSL certificates also contain items that are very hard to fake. With the introduction of the security field one of those items, the Organization name, has become easier to check.