My apologies for not weighing in earlier, but like many others I was surprised 
by this announcement and had to make time to craft this message around other 
pressing demands. The original announcement above that the EV UI would be 
removed in October cited authorities and articles that were in favor of what 
Mozilla wants to do. It would be useful to this community to understand and 
consider other relevant evidence and arguments that were not included there.

By way of background, until recently almost all phishing and malware was on 
unencrypted http sites. They received a neutral UI, and the bad guys didn’t 
have to spend time and money getting a certificate, even a DV certificate, that 
might leave traces as to their identity. Users were told (and remembered the 
advice) to “look for the lock symbol” for greater security.

Then a few things happened in close proximity: (1) Google incentivized all 
websites to move to encryption through the use of its “Not secure” warning, (2) 
Mozilla instituted a similar “Not Secure” warning, and (3) Let’s Encrypt began 
offering anonymous, automated DV certificates to everyone, including known 
phishing sites, in part through Platinum-level financial support from Mozilla 
and Google.

As a result, virtually all phishing has now moved to DV encrypted websites 
which receive the lock symbol in Firefox, which was predictable. In fact, the 
FBI just issued a warning to consumers not to trust the https or lock symbol in 
browsers anymore [1], as half or more of phishing sites now display the lock 
symbol. [2]

It’s unclear how Mozilla plans to ramp up protection for Firefox users. Browser 
phishing filters such as Google Safe Browsing are good, but not perfect. 
According to the most recent NSS labs report issued in October 2018, GSB offers 
only about 79% user protection at “zero hour”, gradually rising to 95% 
protection after 2 days. [3] However, most phishing sites are shut down by then 
anyway. If a browser phishing filter is the main defense provided to users by 
Firefox, this means thousands of users can be harmed before a site is flagged 
for phishing. Clearly Mozilla should be looking for other ways to protect them.

That’s where EV certificates can help. Data shows that websites with EV 
certificates have a very low incidence of phishing. New research from RWTH 
Aachen University presented at Usenix this week measured the incidence of 
phishing sites using certificates of various validation levels [4]. EV 
certificates made up 0.4% of the total population of phishing sites with 
certificates but 7% of the “benign” (non-phishing) sites. Compare that to OV, 
where 15% of phishing sites had that certificate type and 35% of benign sites 
had the same. And compare that again to Let’s Encrypt certificates, which made 
up 34% of certificates for phishing sites and only 17% for benign sites.

This research validates the results of an earlier study of 3,494 encrypted 
phishing sites in February 2019 [5]. In this study the distribution of 
encrypted phishing sites by certificate type was as follows:

EV      0 phishing sites (0%)
OV      145 phishing sites (4.15%)*
DV      3,349 phishing sites (95.85%)

*(These phishing OV certs were mostly multi-SAN certs requested by CDNs such 
as Cloudflare containing multiple URLs for websites whose content the Subject 
of the OV cert did not control. Perhaps such certificates should be DV rather 
than OV.)

Furthermore, research from Georgia Tech shows that EV sites have an exceedingly 
low incidence of association with malware and known bad actors [6].

These studies show that the presence of an EV certificate has a strong negative 
correlation with criminal activity intent on victimizing the site visitor. In 
plain terms, users are safer when they visit sites with EV certs. Now, how do 
we use that?

This is where the argument that “users don’t see the absence of positive 
indicators” misses the mark for several reasons. 
1. The internet is in possession of a clear signal of a site’s safety for the 
end user. The fact that popular end-user software fails to take advantage of 
this signal is a shortcoming of that software, not the signal.
2. Users are not a single homogenous group, and they don’t all behave the same. 
Proof positive of that fact is that most of the people participating in this 
thread do, in fact, notice whether or not an EV indicator is there. They are 
not the only ones in the world. In the absence of compelling reasons to remove 
the indicator, providing this evidence to some users is superior to providing 
it to none.
3. User behavior also changes based on context. The site visitor who suffers 
from interface blindness when everything is going well may become hyper aware 
when something suspicious occurs. If nothing else, the presence of an EV cert 
gives the likes of law enforcement a clear path forward when pursuing 
perpetrators of online crime.
4. Positive security indicators do work in many other contexts where 
expectations are predictable. Let’s take an offline example we’re all familiar 
with, the seat belt. Most people I know are expecting the feel of a seat belt 
across their laps and shoulders when in a moving car, and without it we feel 
uncomfortable. That is a positive security indicator. The reason we miss it 
when it’s absent is because it is consistent, ubiquitous, obvious, and 
important to us. There is no reason why an identity security indicator cannot 
meet these same criteria. Unfortunately, the EV security indicator has suffered 
from inconsistency across browsers and changing presentation over time, and the 
industry as a whole has done a poor job of educating relying parties on what 
this identity information means. These disadvantages are all addressable, if 
companies like major browser and OS vendors treat doing so as a priority.

Mozilla’s most pressing need right now is to work with other browsers to 
develop common UI features across laptops and mobile devices and to engage with 
CAs in common user training to help users make good security decisions based on 
available identity information. Common UI standards have been extraordinarily 
successful: The automotive stop sign used to vary country by country and state 
by state before it became standardized. If stop signs were always different and 
users didn’t know what they meant (no user training), then some might argue 
“Users don’t use stop signs to make security decisions (stopping their cars), 
so let’s just remove all stop signs.” But that would be exactly the wrong thing 
to do, leaving users even less secure.

In the absence of such an effort, instead of removing the EV UI entirely, maybe 
Mozilla should consider other options for presenting this information, 
including the approach taken by Apple a year ago: Show users the URL for the 
site they are on, but make the URL and lock symbol green for sites with proven 
identity (secured by an EV cert) and black for all other sites (including all 
DV sites). Users would at least have a signal that additional identity 
information was available. Combined with some amount of user training, users 
would be better off in the aggregate than they would with the flat removal of 
any identity indicator at all.

Without any other identity indicator in Mozilla, users have nothing to go on 
but the URL and for some but not all phishing sites, an interstitial warning. 
But as Google security researchers have stated, “People have a really hard time 
understanding URLs. They’re hard to read, it’s hard to know which part of them 
is supposed to be trusted, and in general I don’t think URLs are working as a 
good way to convey site identity.” [7]

I personally was among the group who put together the original EV 
specification. At that time we imagined that EV would be an ongoing, evolving 
standard that the community continued to make better. When I hear objections 
about EV being less than perfect, I cannot help but think of the adage about 
perfect being the enemy of good. EV is good. It’s really good, and the 
statistics indicate that. Let’s focus our energy on making it even better, not 
throwing it away and being left with nothing.

[1] https://www.ic3.gov/media/2019/190610.aspx; 
https://www.infosecurity-magazine.com/news/fbi-dont-trust-https-or-padlock-on-1/
[2] https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
[3] https://www.nsslabs.com/blog-posts/2019/3/8/nss-tests-phishing-block-rates-on-windows-chromebooks-platforms
[4] https://www.usenix.org/system/files/soups2019-drury.pdf
[5] https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf 
See slide 8 for the difference in incidence between EV and DV phishing sites.
[6] Understanding the Role of Extended Validation Certificates in Internet 
Abuse (Georgia Tech Research Paper) 
https://www.instantssl.com/uploads/resources/Updated-EVSSL.pdf; The probability 
that an EV SSL certificate is associated with a domain associated with malware 
or a known bad actor is 0.013%.
[7] https://www.wired.com/story/google-wants-to-kill-the-url/?verso=true
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy