Phishing attacks designed to lure people into clicking on sites that look like legitimate businesses are nothing new. But this kind of activity has been amped up with so many more people having to use the internet for everyday activities, like ordering groceries online or purchasing products for curbside pickup. Users have been getting more savvy, though, and people do want to know that the companies they are doing business with are legitimate.
One way for companies to prove their online identity is through the use of TLS/SSL certificates. For as long as there has been web traffic, security leaders have relied on certs to help prove a business is legitimate, but not all certs are created equal. TLS certificates authenticate the identity of the website and encrypt traffic between the website and the person visiting the site. Websites with valid TLS certificates display a gray/black or hollow lock next to the URL in the browser to indicate the web connection is secure.
For about 30 years, the standard certificate in the industry has been the organization validated (OV) TLS certificate. With these certificates, the issuing company would validate the domain with some kind of official record, such as Dun & Bradstreet, to verify the authenticity of the business that is trying to get the certificate. After OV certificates started coming out, some certificate authorities started issuing domain validated (DV) certificates that had a much lighter level of authentication. With DV certificates, the only check done is to validate from internet records that the company buying the domain does indeed own it. The benefit of this is that the certificate can be issued very quickly, even automatically, and the cost is relatively low or free. The downside is that anyone can make up a company and purchase a domain name.
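The difference between the two certificate types is visible in the certificate itself. The following Python sketch is an added example, not part of the original article: it classifies a certificate as DV or OV from its subject fields, and the hostnames and organization in the samples are constructed.

```python
import socket
import ssl

# The authoritative marker is the CA/Browser Forum policy OID in the
# certificate (2.23.140.1.2.1 = DV, 2.23.140.1.2.2 = OV). Python's
# ssl.getpeercert() does not expose policies, so this example uses the
# subject instead: a DV subject carries no verified organization.

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields

def validation_level(cert):
    """Return ("DV", None) or ("OV", organization) for a getpeercert() dict.

    Heuristic: certificates validated more strictly than OV also carry
    organizationName and are reported here as "OV".
    """
    org = subject_fields(cert).get("organizationName")
    return ("OV", org) if org else ("DV", None)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and chain-verify a server certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape getpeercert() returns.
DV_SAMPLE = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"),),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("dv sample", DV_SAMPLE), ("ov sample", OV_SAMPLE)):
        print(label, validation_level(cert))
```

Both samples would pass chain validation and show the same lock icon; only the OV subject names an organization that the issuer checked.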