On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> So far I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.  Mostly academic or
> irrelevant research, imho.

(posting in my personal capacity)

I don't think it's accurate to characterize the research dismissively as
academic or irrelevant. I also want to point out up top that Safari
announced it was removing the EV indicator over a year ago, in June 2018.

> https://stripe.ian.sh/: EV certificates with colliding entity names can
> be generated, but to date, I don’t know of any real attacks, just this
> academic exercise. And how much did it cost and how long did it Ian to get
> certificates to perform this experiment?  Way more time and money that a
> phisher would invest.

Ian states this directly in the post. It is a trivial amount of money and

"One question may be how practical this attack is for a real attacker who
desires to phish someone. First, from incorporation to issuance of the EV
certificate, I spent less than an hour of my time and about $177. $100 of
this was to incorporate the company, and $77 was for the certificate. It
took about 48 hours from incorporation to the issuance of the certificate."

CAs should be careful about casually and dramatically overestimating the
roadblocks that EV certificates present to attackers.

Even if Ian's experiment took 10 times as long in practice, and cost $1000
over a fortnight, this is well within what we should generally expect
attackers to spend on an organized phishing attack. I have been on the
receiving end, as a website owner whose service was spoofed, of
sophisticated phishing attacks, and I've observed attackers who are willing
to spend substantially more than that for what is by all evidence a
lucrative and often successful class of attack.

> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the
> references weren’t even related to EV (including irrelevant research links
> to bolster their claims to the uninformed)

The burden is not on the web browsers to prove that EV is detrimental to
security - the burden is on third parties to prove that EV is beneficial.
The fact that it's been around for a long time is not sufficient. I don't
see any evidence that any of the links or resources on that page are
designed to mislead uninformed readers.

I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla.  Mozilla and Google should reconsider their proposed changes.

I don't observe a significant number of organizations questioning these
changes, in this thread or externally, other than CAs. Not that there
aren't any, but I'm not seeing a significant hue and cry in the broader

I certainly can't speak for the US government, but I can say that when I
worked for the executive branch for a federal agency, I observed a strong
trend in adopting DV certificates (typically automated) throughout the
executive branch. One of the more relevant changes I observed agencies make
was the Department of Defense explicitly updating their internal policies
to remove a requirement to use EV certificates for public properties.
Multiple federal agencies gave internal guidance to widely adopt DV
certificates internally, and you can see a public example of that in the
official guidance accompanying the White House's HTTPS directive at

“Domain Validation” (DV) certificates are usually less expensive and more
amenable to automation than “Extended Validation” (EV) certificates. EV
certificates generally result in the domain owner’s name appearing in the
browser URL bar visitors see. Ordinary DV certificates are completely
acceptable for government use.

Given that Safari already removed the EV indicator well over a year ago, I
expect the guidance will be updated so as not to mislead agencies that EV
will continue to generally show their organization's name in browsers.

You can certainly still find EV certificates on some federal agency
websites out there, but overall, the trajectory away from them has been
clear and accelerating for years.

Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.

This is definitely not a strong argument. Enterprises do all sorts of
things they believe may be valuable, based on gut feelings or on outdated
best practices.

For example, 5 years ago, it was still conventional wisdom to periodically
rotate user passwords. After years of empirical research demonstrating the
opposite, NIST finally updated its guidance to make clear that this is
detrimental to user security, and so now enterprises are (grudgingly, in
many cases) starting to remove password rotation requirements.

Someone could have argued to NIST during their password guidance update
that "if periodic password rotation had no security value, all of these
organizations wouldn't be doing it", but that would have been an
exceptionally weak argument that, if it were taken seriously, would have
only hindered a valuable effort to improve organizational and personal

> Shouldn’t the large enterprises that see a value in identity (as does
> GlobalSign) drive the need for ending EV certificates?

The only population any of us -- including large enterprises -- should be
looking to serve are end users. If the evidence suggests that end users are
not being benefited by EV certificates, there's not a strong argument to
keep it (regardless of how plausible you think the potential use in
phishing attacks is). Enterprises don't have a right to force web browsers
to maintain a channel to display a name in a particular place because they
like how it makes them feel to see it there.

> With Google and Mozilla being prominent Lets Encrypt sponsors we know
> their intent is to drive business to them vs. any of the commercially
> respectable CAs.  It’s actually counter productive to security to sponsor a
> CA that issues so many certificates to phishing and malware sites without
> any consequences.

Let's Encrypt is a non-profit, and a huge part of what Let's Encrypt,
Google, and Mozilla have all contributed to spreading is the underlying
standard automation protocol behind it (ACME), as well as the open source
CA behind it (Boulder). Because Let's Encrypt and its sponsors have created
ACME, it is now easier than ever for CAs to compete with Let's Encrypt, and
for customers of Let's Encrypt to avoid vendor lock-in. I am personally
aware of commercial CAs that have adopted ACME for issuance. I'm also aware
of US government agencies -- some very large enterprises -- that are
creating ACME-based, Boulder-based CAs and will benefit in the long run
from the ease of migrating away from Let's Encrypt to their own
independently operated PKI.

This is all to say that it's inaccurate and unconstructive to point to
Let's Encrypt sponsorship as evidence of nefarious or self-interested
intent, and certainly not as damaging to large enterprises. The work
undertaken by these organizations has resulted in more freedom for large
enterprise customers, healthier competition among certificate authorities,
and more security for end users across the internet.

> Is this to increase the value of their malware site detection services?
> Maybe..

For the record, I'm not even aware of a malware detection service that
Mozilla operates. I believe they rely on Google Safe Browsing, even for
their particularly privacy-conscious Firefox Focus app. [1]

[1] https://support.mozilla.org/en-US/kb/safe-browsing-firefox-focus

> *       https://www.usenix.org/system/files/soups2019-drury.pdf
> *
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
> Baffled…
> From: Tom Ritter <t...@ritter.vg>
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie <doug.beat...@globalsign.com>
> Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org <mailto:
> dev-security-policy@lists.mozilla.org> > wrote:
> Peter,
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
> I don't doubt that at all. However see the first email in this thread
> citing research showing that users don't notice the difference.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
dev-security-policy mailing list

Reply via email to