On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> So far I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up. Mostly academic or
> irrelevant research, imho.

(posting in my personal capacity)

I don't think it's accurate to characterize the research dismissively as academic or irrelevant. I also want to point out up top that Safari announced it was removing the EV indicator over a year ago, in June 2018.

> https://stripe.ian.sh/: EV certificates with colliding entity names can
> be generated, but to date, I don’t know of any real attacks, just this
> academic exercise. And how much did it cost and how long did it take Ian to get
> certificates to perform this experiment? Way more time and money than a
> phisher would invest.

Ian states this directly in the post. It is a trivial amount of money and time:

"One question may be how practical this attack is for a real attacker who desires to phish someone. First, from incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate."

CAs should be careful about casually and dramatically overestimating the roadblocks that EV certificates present to attackers. Even if Ian's experiment took 10 times as long in practice, and cost $1000 over a fortnight, this is well within what we should generally expect attackers to spend on an organized phishing attack. I have been on the receiving end, as a website owner whose service was spoofed, of sophisticated phishing attacks, and I've observed attackers who are willing to spend substantially more than that for what is by all evidence a lucrative and often successful class of attack.

> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the
> references weren’t even related to EV (including irrelevant research links
> to bolster their claims to the uninformed)

The burden is not on the web browsers to prove that EV is detrimental to security - the burden is on third parties to prove that EV is beneficial. The fact that it's been around for a long time is not sufficient. I don't see any evidence that any of the links or resources on that page are designed to mislead uninformed readers.

> I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla. Mozilla and Google should reconsider their proposed changes.

I don't observe a significant number of organizations questioning these changes, in this thread or externally, other than CAs. Not that there aren't any, but I'm not seeing a significant hue and cry in the broader ecosystem.

I certainly can't speak for the US government, but I can say that when I worked for the executive branch for a federal agency, I observed a strong trend in adopting DV certificates (typically automated) throughout the executive branch. One of the more relevant changes I observed agencies make was the Department of Defense explicitly updating their internal policies to remove a requirement to use EV certificates for public properties. Multiple federal agencies gave internal guidance to widely adopt DV certificates internally, and you can see a public example of that in the official guidance accompanying the White House's HTTPS directive at https://https.cio.gov/certificates/#what-kind-of-certificate-should-i-get-for-my-domain -

“Domain Validation” (DV) certificates are usually less expensive and more amenable to automation than “Extended Validation” (EV) certificates. EV certificates generally result in the domain owner’s name appearing in the browser URL bar visitors see. Ordinary DV certificates are completely acceptable for government use.

Given that Safari already removed the EV indicator well over a year ago, I expect the guidance will be updated so as not to mislead agencies that EV will continue to generally show their organization's name in browsers. You can certainly still find EV certificates on some federal agency websites out there, but overall, the trajectory away from them has been clear and accelerating for years.

> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.

This is definitely not a strong argument. Enterprises do all sorts of things they believe may be valuable, based on gut feelings or on outdated best practices. For example, 5 years ago, it was still conventional wisdom to periodically rotate user passwords. After years of empirical research demonstrating the opposite, NIST finally updated its guidance to make clear that this is detrimental to user security, and so now enterprises are (grudgingly, in many cases) starting to remove password rotation requirements. Someone could have argued to NIST during their password guidance update that "if periodic password rotation had no security value, all of these organizations wouldn't be doing it", but that would have been an exceptionally weak argument that, if it were taken seriously, would have only hindered a valuable effort to improve organizational and personal security.

> Shouldn’t the large enterprises that see a value in identity (as does
> GlobalSign) drive the need for ending EV certificates?

The only population any of us -- including large enterprises -- should be looking to serve are end users. If the evidence suggests that end users are not being benefited by EV certificates, there's not a strong argument to keep it (regardless of how plausible you think the potential use in phishing attacks is). Enterprises don't have a right to force web browsers to maintain a channel to display a name in a particular place because they like how it makes them feel to see it there.

> With Google and Mozilla being prominent Let's Encrypt sponsors we know
> their intent is to drive business to them vs. any of the commercially
> respectable CAs. It’s actually counterproductive to security to sponsor a
> CA that issues so many certificates to phishing and malware sites without
> any consequences.

Let's Encrypt is a non-profit, and a huge part of what Let's Encrypt, Google, and Mozilla have all contributed to spreading is the underlying standard automation protocol behind it (ACME), as well as the open source CA behind it (Boulder). Because Let's Encrypt and its sponsors have created ACME, it is now easier than ever for CAs to compete with Let's Encrypt, and for customers of Let's Encrypt to avoid vendor lock-in. I am personally aware of commercial CAs that have adopted ACME for issuance. I'm also aware of US government agencies -- some very large enterprises -- that are creating ACME-based, Boulder-based CAs and will benefit in the long run from the ease of migrating away from Let's Encrypt to their own independently operated PKI.

This is all to say that it's inaccurate and unconstructive to point to Let's Encrypt sponsorship as evidence of nefarious or self-interested intent, and certainly not as damaging to large enterprises. The work undertaken by these organizations has resulted in more freedom for large enterprise customers, healthier competition among certificate authorities, and more security for end users across the internet.

> Is this to increase the value of their malware site detection services?
> Maybe..
For the record, I'm not even aware of a malware detection service that Mozilla operates. I believe they rely on Google Safe Browsing, even for their particularly privacy-conscious Firefox Focus app. [1]

[1] https://support.mozilla.org/en-US/kb/safe-browsing-firefox-focus

> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter <t...@ritter.vg>
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie <doug.beat...@globalsign.com>
> Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; MozPol <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Peter,
> >
> > Do you have any empirical data to back up the claims that there is no benefit
> > from EV certificates? From the reports I've seen, the percentage of
> > phishing and malware sites that use EV is drastically lower than DV (which
> > are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread
> citing research showing that users don't notice the difference.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>