How to Detect the Authentic CalNet Login Page

Phishing exploits are one of the biggest security threats facing the UC Berkeley campus. Fraudsters commonly target campus users with well-crafted emails to lure them to a counterfeit CalNet login page. Users who are tricked into entering their CalNet login and password have compromised their account, giving the attacker free rein to access private information and to perpetuate the scam to other users.

To help protect your CalNet account and sensitive data, follow the campus Top 10 Secure Computing Tips and learn about Protecting Your Credentials.  When you do come across a website that asks for your CalNet account login, you should always verify the authenticity of the website. 

The CalNet login page (sometimes referred to as the CalNet "Central Authentication Service" or CAS) has several unique security identifiers that can help you to verify the site and protect you from falling prey to a phishing scam.

CalNet Login Screen

The screenshot above shows what the CalNet login page should look like, but appearance is not a determining factor in trusting a website since the page can be easily forged.

Here are three steps to ensure you are logging in to the authentic CalNet login page:

  1. Verify that the URL for the CalNet login page begins with https://auth.berkeley.edu

  2. The second step to verifying the CalNet login page is to check for the Extended Validation Certificate in the address bar.  Look for a long green bar with a padlock followed by our institution’s name:  University of California, Berkeley (Regents of the Univ. of CA)[US]

    CalNet login screen - look for the green bar indicating Extended Validation certificate
  3. The third step is to verify the site SSL certificate (steps vary per browser):
    1. Click the green padlock icon in the address bar and select "Certificate Information" in the dialogue box.

      CalNet login screen - view certificate

    2. View the details of the certificate to verify the following items:
      1. Look for "This Certificate is Valid" or "This certificate has been verified"
      2. Under the "Subject Name" or "Issued To" section:
        1. Organization (O) name is:  University of California, Berkeley (Regents of the Univ. of CA)
        2. Common Name (CN) is:  auth.berkeley.edu
      3. Under "Issuer":
        1. The Organization (O) value is:  COMODO CA Limited

          CalNet login screen - Extended Validation certificate details
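
The checks in steps 1 and 3, written out as an added example (not code from CalNet or UC Berkeley). It compares the host exactly rather than by prefix, because a lookalike address can also begin with the same characters. The certificate dictionaries use the shape returned by Python's ssl.SSLSocket.getpeercert(); the sample URLs, their /cas/login path and both sample certificates are constructed for illustration, and the expected values are the ones listed on this page.

```python
from urllib.parse import urlsplit

# Expected values copied from the steps on this page.
EXPECTED_HOST = "auth.berkeley.edu"
EXPECTED_SUBJECT_O = "University of California, Berkeley (Regents of the Univ. of CA)"
EXPECTED_ISSUER_O = "COMODO CA Limited"

def url_is_calnet(url):
    """Step 1: require https and an exact host match, not just a matching prefix."""
    try:
        parts = urlsplit(url)
        return parts.scheme == "https" and parts.hostname == EXPECTED_HOST
    except ValueError:  # malformed URL
        return False

def _fields(rdns):
    """Flatten getpeercert()-style name tuples into a {field: value} dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def cert_problems(cert):
    """Step 3: list every field that differs from the values on this page."""
    subject = _fields(cert.get("subject", ()))
    issuer = _fields(cert.get("issuer", ()))
    checks = [
        ("subject O", subject.get("organizationName"), EXPECTED_SUBJECT_O),
        ("subject CN", subject.get("commonName"), EXPECTED_HOST),
        ("issuer O", issuer.get("organizationName"), EXPECTED_ISSUER_O),
    ]
    return [f"{name}: got {got!r}, expected {want!r}"
            for name, got, want in checks if got != want]

# Constructed sample data (not captured from any real site).
MATCHING_CERT = {
    "subject": ((("organizationName", EXPECTED_SUBJECT_O),),
                (("commonName", EXPECTED_HOST),)),
    "issuer": ((("organizationName", EXPECTED_ISSUER_O),),),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "auth.berkeley.edu.example.com"),),),
    "issuer": ((("organizationName", "Example Issuing CA"),),),
}

if __name__ == "__main__":
    for url in ("https://auth.berkeley.edu/cas/login",
                "http://auth.berkeley.edu/cas/login",
                "https://auth.berkeley.edu.example.com/cas/login"):
        print(url, "->", url_is_calnet(url))
    print(cert_problems(MATCHING_CERT))
    print(cert_problems(LOOKALIKE_CERT))
```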


If you encounter a website that does not appear to be the genuine CalNet login page, and you are unsure about the authenticity of the page, contact us at security@berkeley.edu.

Do NOT enter your CalNet credentials until you have verified the authenticity of the login page.