On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote:
>
> By way of background, until recently almost all phishing and malware was on
> unencrypted http sites. They received a neutral UI, and the bad guys didn’t
> have to spend time and money getting a certificate, even a DV certificate,
> that might leave traces as to their identity. Users were told (and remembered
> the advice) to “look for the lock symbol” for greater security.
>
> Then a few things happened in close proximity: (1) Google incentivized all
> websites to move to encryption through the use of its “Not secure” warning,
> (2) Mozilla instituted a similar “Not Secure” warning, and (3) Let’s Encrypt
> began offering anonymous, automated DV certificates to everyone, including
> known phishing sites, in part through Platinum-level financial support from
> Mozilla and Google.
>
> As a result, virtually all phishing has now moved to DV encrypted websites
> which receive the lock symbol in Firefox, which was predictable. In fact, the
> FBI just issued a warning to consumers not to trust the https or lock symbol
> in browsers anymore [1], as half or more of phishing sites now display the
> lock symbol. [2]
>
> It’s unclear how Mozilla plans to ramp up protection for Firefox users.
> Browser phishing filters such as Google Safe Browsing are good, but not
> perfect. According to the most recent NSS labs report issued in October 2018,
> GSB offers only about 79% user protection at “zero hour”, gradually rising to
> 95% protection after 2 days. [3] However, most phishing sites are shut down
> by then anyway. If a browser phishing filter is the main defense provided to
> users by Firefox, this means thousands of users can be harmed before a site
> is flagged for phishing. Clearly Mozilla should be looking for other ways to
> protect them.
>
> That’s where EV certificates can help. Data shows that websites with EV
> certificates have a very low incidence of phishing. New research from RWTH
> Aachen University presented at Usenix this week measured the incidence of
> phishing sites using certificates of various validation levels [4]. EV
> certificates made up 0.4% of the total population of phishing sites with
> certificates but 7% of the “benign” (non-phishing) sites. Compare that to OV,
> where 15% of phishing sites had that certificate type and 35% of benign sites
> had the same. And compare that again to Let’s Encrypt certificates, which
> made up 34% of certificates for phishing sites and only 17% for benign sites.
>
> This research validates the results of an earlier study of 3,494 encrypted
> phishing sites in February 2019 [5]. In this study the distribution of
> encrypted phishing sites by certificate type was as follows:
>
> EV      0 phishing sites (0%)
> OV    145 phishing sites (4.15%)*
> DV  3,349 phishing sites (95.85%)
>
> *(These phishing OV certs were mostly multi-SANs certs requested by CDNs such
> as Cloudflare containing multiple URLs for websites whose content the Subject
> of the OV cert did not control. Perhaps such certificates should be DV rather
> than OV.)
>
> Furthermore, research from Georgia Tech shows that EV sites have an
> exceedingly low incidence of association with malware and known bad actors
> [6].
>
> These studies show that the presence of an EV certificate has a strong
> negative correlation with criminal activity intent on victimizing the site
> visitor. In plain terms, users are safer when they visit sites with EV certs.
> Now, how do we use that?
So they either don't have anything to do, just check some box, or need to
spend 1 minute to get a DV cert. And as your research shows, DV certs are good
enough to do phishing, they don't need EV certs, so why would they bother?

But then you also say that 0.4% actually used an EV certificate. My guess in
that case is that they didn't actually bother to get an EV certificate, but
just hacked some website that just happens to have an EV certificate.

I also think that 7% of the non-phishing sites using EV certificates doesn't
make sense at all, and that's most likely a sample bias.

> This is where the argument that “users don’t see the absence of positive
> indicators” misses the mark for several reasons.
>
> 1. The internet is in possession of a clear signal of a site’s safety for the
> end user. The fact that popular end-user software fails to take advantage of
> this signal is a shortcoming of that software, not the signal.

So here you turn a correlation into a causation.

> 3. User behavior also changes based on context. The site visitor who suffers
> from interface blindness when everything is going well may become hyper aware
> when something suspicious occurs. If nothing else, the presence of an EV cert
> gives the likes of law enforcement a clear path forward when pursuing
> perpetrators of online crime.

Phishing sites don't expect everybody to be fooled. If 1 in 10000 is fooled,
they have a very good day.

> 4. Positive security indicators do work in many other contexts where
> expectations are predictable. Let’s take an offline example we’re all
> familiar with, the seat belt. Most people I know are expecting the feel of a
> seat belt across their laps and shoulders when in a moving car, and without
> it we feel uncomfortable. That is a positive security indicator. The reason
> we miss it when it’s absent is because it is consistent, ubiquitous, obvious,
> and important to us. There is no reason why an identity security indicator
> cannot meet these same criteria. Unfortunately, the EV security indicator has
> suffered from inconsistency across browsers and changing presentation over
> time, and the industry as a whole has done a poor job of educating relying
> parties on what this identity information means. These disadvantages are all
> addressable, if companies like major browser and OS vendors treat doing so as
> a priority.

My day job involves seatbelts. I will always wear them when I can, I know how
important they are. But I also end up in situations where it's not possible to
wear them. And in most cases, after 1 minute I forget that I'm not wearing one.

But EV certificates aren't even *security* indicators. They only indicate that
you're talking (in a secure way) to a server that has the private key of an EV
certificate. But security is more than just the communication. EV certificates
also don't signal that it's more trustworthy. But as you point out, there might
be correlations. There is (currently) a higher chance that it's not a phishing
site when it has an EV certificate, but you also show that it's not a
guarantee.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
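The thread argues over what an EV, OV or DV certificate signals, but never shows where that signal actually lives in the certificate. It is the certificatePolicies extension: the CA/Browser Forum reserves 2.23.140.1.1 for EV and 2.23.140.1.2.1, 2.23.140.1.2.2 and 2.23.140.1.2.3 for DV, OV and IV respectively. The Go program below is an added example, not code from this thread, from Mozilla or from either poster. It builds self-signed stand-in leaf certificates (constructed so the example runs offline; a real leaf would be CA-issued) carrying those OIDs, classifies each one, and prints the Subject organisation next to the SAN list, which is exactly the mismatch the quoted footnote describes for CDN-requested multi-SAN OV certificates. The hostnames and organisation names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificatePolicies OIDs: 2.23.140.1.1 is the EV
// Guidelines OID, 2.23.140.1.2.x are the Baseline Requirements DV/OV/IV OIDs.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidIV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
)

// ValidationLevel returns the validation level a leaf certificate declares via
// the CA/B Forum policy OIDs. A certificate that only carries a CA-specific
// policy OID comes back as "unknown": browsers that show an EV indicator keep
// their own per-CA list of such OIDs, which this check deliberately does not.
func ValidationLevel(cert *x509.Certificate) string {
	has := func(want asn1.ObjectIdentifier) bool {
		for _, oid := range cert.PolicyIdentifiers {
			if oid.Equal(want) {
				return true
			}
		}
		return false
	}
	switch {
	case has(oidEV):
		return "EV"
	case has(oidOV):
		return "OV"
	case has(oidIV):
		return "IV"
	case has(oidDV):
		return "DV"
	}
	return "unknown"
}

// policyInformation is RFC 5280 PolicyInformation with only the mandatory
// policyIdentifier; a slice of these marshals as the certificatePolicies
// SEQUENCE OF, which is what we place in ExtraExtensions below.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// makeLeaf builds a self-signed leaf (a constructed stand-in for a CA-issued
// certificate) declaring the given policy OID, organisation and DNS SANs.
func makeLeaf(policy asn1.ObjectIdentifier, org string, sans []string) (*x509.Certificate, error) {
	if len(sans) == 0 {
		return nil, fmt.Errorf("makeLeaf: at least one SAN is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policies, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: sans[0]}
	if org != "" { // DV certificates normally carry no O= at all
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        sans,
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed cases (made-up names): an EV cert for one host, a multi-SAN
	// OV cert of the CDN kind where the Subject's organisation does not
	// control every SAN, and a plain DV cert with no organisation at all.
	cases := []struct {
		policy asn1.ObjectIdentifier
		org    string
		sans   []string
	}{
		{oidEV, "Example Corp", []string{"bank.example"}},
		{oidOV, "Example CDN, Inc.", []string{"edge.cdn.example", "customer-a.example", "customer-b.example"}},
		{oidDV, "", []string{"login-verify.example"}},
	}
	for _, c := range cases {
		cert, err := makeLeaf(c.policy, c.org, c.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-7s O=%q SANs=%v\n", ValidationLevel(cert), cert.Subject.Organization, cert.DNSNames)
	}
}
```

Two caveats follow from the output. First, the level is a property of the certificate, not of any one hostname in it: the OV line shows an organisation next to SANs it may not operate, which is the footnote's complaint. Second, as Kurt's reply says, none of this tells you anything about the content served behind the key; the classifier only reads what the CA asserted at issuance.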