Followup-To m.d.security
Basics: SSL certificates are supposed to ensure the identity of the one
you talk to. One reason is to make the crypto meaningful (a MITM attack
is still possible with SSL, if the middleman uses his own cert and the
client accepts it as real). The other reason is to connect online
business to real world business - if you buy at a store, and give your
credit card data, you want to know it's not going to Russia, but to a
real company, and that you can sue them, if they don't deliver.
Note that SSL certificates say nothing about the trustworthiness or
similar, just verify identity.
Problem: GeoTrust and a few other companies started selling cheap
certificates which are issued automatically (no human involved) and only
check whether the applicant has control over the domain (or email
address) that the certificate is to be issued for. These are called
"domain control verification" or DV certs. The "holder's name" field in
the certificate does not get verified *at all* and is thus useless with
these certs - it either equals domain name or can be simply lying,
despite being signed by the CA. Given that, these new cert types pose a
significant problem to business on the web, and make phisher's life easy
(if phishers even bother with SSL or certs).
EV solution by the "CA/Browser Forum": A bunch of CAs came up with a
proposal of a new cert standard. Mainly, it mandates the checks that the
CA has to do to verify the certificate holder. They are intended to be
sold to high-profile sites like eBay.com, and cost $1000/year upwards.
So, one obvious reason for EV is that CAs want to charge more money from
the customers that make a lot of money on the web. It does increase the
level of vetting substantially, and it's definitely a huge improvement
over status quo. So, browser and browser users also gain from it. For
Microsoft, it's actually part of an anti-phishing initiative: MSIE was
supposed to make the URLbar green for some sites, and EV was one
mandatory criterion for that (there are other criteria as well, e.g.
anti-phishing blacklists etc.).
The "CA/Browser Forum" consists of all major browser vendors,
including Microsoft, Mozilla Foundation, KDE (Konqueror), and Opera
(Apple is missing). Most of the big CAs are on it as well.
The current guidelines are at
<http://www.cabforum.org/EV_Certificate_Guidelines.pdf>. It's 70-100
pages in lawyer language.
My comments:
Don't be fooled by the language and length, though. "Qualified
Independent Information Sources" could probably simply be a phonebook,
and a "site audit" is a clerk looking at the sign on the street and
peeking in the lobby. That's not what *I* would call an "audit".
The "phone number verification" happens by calling the number and seeing
who answers (Me at 0900-123456: "Microsoft, how can I help you?")
(16(b)(2)(A)+(C)). So, I could apply as Microsoft, supply them my
number, answer as Microsoft, and that's the verification. To top it,
this number can then be used to verify the signature, with "a response
from someone who identifies themselves as such person confirming that
he/she did sign the applicable document". Maybe I have overlooked
something, but I could give them the address of eBay, or my address with
an eBay sign, and *my* phone number, sign the doc, and then when they
call me, greet with "Ben Bucksch of eBay speaking" and confirm that I am
a "Contract Signer" who is allowed to represent eBay and I did indeed
sign the doc. huh?
This whole thing has lots of loopholes. Given the experience and market
pressures, we have to assume that the CAs use the absolute minimum and
cheapest standards that still pass the guidelines, and they'll automate
as much as possible.
Also, there are really heavy statements in there, e.g. the liability
(37(a); see also
<https://financialcryptography.com/mt/archives/000862.html>): If the CA
follows the EV guidelines and the user gets ripped off, the CA is not
liable at all - be it due to a hole in the guidelines or other reasons.
Even worse, though, if the CA *fails* to follow the guidelines, and the
user gets ripped off *because of that*, the liability of the CA is
limited to $2000 - not even per case, per cert/CA customer. Even a
single normal phishing incident is easily higher than that. That's
particularly sobering considering that a cert *costs* $1000-2000 - that
means I could set up a CA and sell certs to everybody including the
mafia and not verify certs *at all*, and even pay all liability (per EV
guideline doc) and still make a profit for my few valid customers.
Sorry, how does that help users *at all*? IMHO, this should be backed by
$10-100 million insurances - per incident. Even an average $100 UPS
comes with $100,000 insurances.
My alternative proposal:
(most important part of posting)
We need to connect online business with real world business. I want to
have somebody to sue - who won't vanish when poked at. And I want that
the info in the cert is actually correct.
I really think that every CA-issued certificate must be verified using
the following steps:
1. Using the official state register of companies to verify company
name and representing natural person
2. Acquiring written signature (original) of that person
3. Checking the signature against the ID card / passport of that person
This, and pretty much only this, will ensure that the cert holder really
is who he claims to be, in real life, as seen by the government and
courts. Thus, before EV, I assumed that the above is performed for the
$100/year certs.
It should be cheap enough, *esp.* so for $1000/year EV certs. In
Germany, if you want to mail-rent (Netflix-alike) 18+ movies (including
Van Helsing), you have to pass harder verification steps than EV. You
actually have to walk to the post office, which has a service to verify
your identity card and send the result back to the requester. It costs
10 Eur, once. In fact, my grocery store not only asks for my signature
for every purchase, they even double-check the signature against my ID
card every time! (Apart from the people who already know me.) If a
grocery store clerk can do it for a $10 purchase, a CA can do it for a
$1000/year cert which is backing up $ x00 million business for tens of
thousands of users.
People have said that not every US citizen has a passport. But they can
get one. This is about ensuring something to users, after all.
Note that I think that natural persons and small companies should also
be able to get an EV cert, from the start.
UI proposal:
We could e.g. then show the cert holder name next to the domain name in
the urlbar, so that the real world name is a trust root, in addition to
the domain.
That would be something most users can more easily relate to than the
domain name system, which is logical, but literally backwards.
However, the real world company name may then be just as much a phishing
target as the domain name is now. We'll not only have international
character sets (compare IDN), which we can't easily escape from as we
did with domains, but there'll be another class of attack of similar
seeming company names, e.g. is Shell Books a subsidiary of Shell Oil
Company or not or is "e Bay Auctioners, Inc." a part of eBay?
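The UI proposal above, as an added example that is not from the original post: a function that decides what a browser may show in the URL bar, using only the domain for a DV cert (whose holder-name field was never verified) and adding the holder name only for an EV cert, plus a crude lookalike check for the "e Bay Auctioners" problem. The certificate dicts are constructed samples in the layout Python's ssl.getpeercert() returns, and the EV flag is assumed to be supplied by the browser (how it recognises EV is out of scope here).

```python
import re

# Constructed sample certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns (these are NOT real eBay certs).
DV_CERT = {  # DV cert: only domain control was checked, so O is unverified
    "subject": ((("organizationName", "eBay Inc."),),
                (("commonName", "www.ebay.com"),)),
    "subjectAltName": (("DNS", "www.ebay.com"), ("DNS", "*.ebay.com")),
}
EV_CERT = dict(DV_CERT)  # same fields; only the CA's vetting level differs

def _subject_field(cert, key):
    """Return the first value of `key` in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None

def hostname_matches(cert, hostname):
    """Domain-control check: is `hostname` covered by the cert's DNS names?
    A wildcard is honoured only for the leftmost label (no sub-subdomains)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [_subject_field(cert, "commonName") or ""]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*."):
            label, _, parent = host.partition(".")
            if label and parent == name[2:]:
                return True
    return False

def urlbar_identity(cert, hostname, is_ev):
    """What the URL bar may show. The holder name is taken from the cert only
    when the CA actually vetted it (EV); for a DV cert it is ignored because
    the field was never verified. `is_ev` is assumed to come from the browser."""
    if not hostname_matches(cert, hostname):
        return None  # cert does not even prove control of this domain
    holder = _subject_field(cert, "organizationName") if is_ev else None
    return {"domain": hostname, "holder": holder}

def looks_like(holder, brand):
    """Crude lookalike check for displayed company names: compare after
    dropping case, whitespace and punctuation, so 'e Bay Auctioners, Inc.'
    is flagged as resembling 'eBay'. Illustrative heuristic only."""
    strip = re.compile(r"[^a-z0-9]")
    return strip.sub("", brand.lower()) in strip.sub("", holder.lower())
```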
UI: Green urlbar, as maybe done by MSIE:
http://it.slashdot.org/article.pl?sid=07/01/26/1325228
/"Stanford University and Microsoft Research have published a study
that claims that the new Extended Validation SSL Certificates in IE7
are ineffective <http://www.usablesecurity.org/papers/jackson.pdf>
(PDF). The study, based on user testing, found that EV certificates
don't improve users' ability to detect attacks, that the interface can
be spoofed, and that training users actually decreases their ability
to detect attacks. The study will be presented at Usable Security 2007
next month, which is a little late now that the new certificates are
already being issued.
<http://it.slashdot.org/article.pl?sid=07/01/13/1615213&tid=172>"/
Study done in Sept 2006 and I found the setup (training etc.) highly
questionable, but the only conclusion one can draw is that the green bar
increased people's trust in websites - ironically real and fraudulent
alike! (no matter if green bar or not)
So, if one can believe the study, the green bar is a really bad idea.
--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security