On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote:
> On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> > This string is about Mozilla’s announced plan to remove the EV UI from
> > Firefox in October. Over time, this will tend to eliminate confirmed
> > identity information about websites from the security ecosystem, as EV
> > website owners may decide it’s not worth using an EV certificate if
> > browsers decide to hide the data from users. As noted in my last
> > message, this will be a tragedy for users, as browser phishing filters
> > and other anti-phishing services currently rely on website EV data in
> > their algorithms for protecting users.
>
> Can you provide more detail (preferably with citations) about how browser
> phishing filters, and specifically Google Safe Browsing (used by Firefox),
> rely on EV data?
>
> It's not clear to me how this could possibly be useful in detecting phishing
> given the data that you've previously published[1] showing that an extremely
> small number of sites with EV certificates were detected as phishing.
>
> Jonathan
>
> [1]
> https://casecurity.org/wp-content/uploads/2018/06/Summary-Report-Incidence-of-Phishing-04-16-2018.pdf

Sure, I’m happy to explain, using Bank of America as an example. The EV data securing the domain www.bankofamerica.com is as follows:

    CN = www.bankofamerica.com
    SERIALNUMBER = 2927442
    OU = eComm Network Infrastructure
    2.5.4.15 = Private Organization
    O = Bank of America Corporation
    1.3.6.1.4.1.311.60.2.1.2 = Delaware
    1.3.6.1.4.1.311.60.2.1.3 = US
    L = Chicago
    S = Illinois
    C = US

This data uniquely and unambiguously identifies the owner of the domain as “Bank of America Corporation”, a Delaware, US corporation with the Delaware registry serial number 2927442 – no other corporation in the world can get that place of incorporation and serial number.

There’s no “Stripe” problem here – even if a phisher or academic could create a new corporation in another state (e.g., Kentucky) in the name of “Bank of America Corporation” and then get an EV cert, it would show state of incorporation as Kentucky and show a different serial number – it’s easy for phishing algorithms to notice the difference and know these are not the same organization who own the websites.

Phishing services tend to capture and retain this kind of website identity information and use it in their algorithms to create a “reputation” for specific domains and for specific organizations named in EV certificates that they re-use later.

Now, suppose a new website appears, “bankofamerica-alerts.com” and suppose it’s only secured by a DV certificate. In that case, this is the only certificate information available to the anti-phishing service:

    CN = bankofamerica-alerts.com

That could be a site owned by the real Bank of America, or owned by a phisher – who knows, as there is no identity information available about the site. So a phishing service would be very cautious.

Now suppose the new website “bankofamerica-alerts.com” is instead secured by an EV certificate.
The certificate identity information for that site would be as follows:

    CN = bankofamerica-alerts.com
    SERIALNUMBER = 2927442
    OU = eComm Network Infrastructure
    2.5.4.15 = Private Organization
    O = Bank of America Corporation
    1.3.6.1.4.1.311.60.2.1.2 = Delaware
    1.3.6.1.4.1.311.60.2.1.3 = US
    L = Chicago
    S = Illinois
    C = US

Only the CN field would be different from the EV certificate securing www.bankofamerica.com. Anti-phishing services will notice this similarity, and will likely rely on the “reputation” already established for the site www.bankofamerica.com (and for the organization “Bank of America Corporation, Delaware serial number 2927442”) and so feel confident based on that good reputation that the new EV website “bankofamerica-alerts.com” is unlikely to be a phishing site. This helps speed up decisions on which sites are likely safe for users and which should be flagged for phishing.

Anti-phishing algorithms like lots of data, particularly strongly confirmed data like EV data. Website owners who use EV certificates today do so because they believe EV certs protect their customers and their brands, chiefly through the EV UI. If the browsers eliminate the EV UI and hide identity data from users, over time website owners may stop using EV certificates, and the EV identity data will disappear from the security ecosystem – a real loss.
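
The comparison described in the message above, sketched as an added example; it is not part of the original post and is not any anti-phishing service's actual logic. The function names, the `known` reputation store and the Kentucky certificate's serial number are assumptions made for illustration, and the subject fields are assumed to come from a certificate that has already been validated as EV.

```python
JURIS_STATE = "1.3.6.1.4.1.311.60.2.1.2"    # jurisdictionStateOrProvinceName
JURIS_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"  # jurisdictionCountryName

# Subject of www.bankofamerica.com as quoted in the message above.
BOA_EV = """CN = www.bankofamerica.com
SERIALNUMBER = 2927442
OU = eComm Network Infrastructure
2.5.4.15 = Private Organization
O = Bank of America Corporation
1.3.6.1.4.1.311.60.2.1.2 = Delaware
1.3.6.1.4.1.311.60.2.1.3 = US
L = Chicago
S = Illinois
C = US"""
# The message's second EV certificate: only the CN differs.
ALERTS_EV = BOA_EV.replace("www.bankofamerica.com", "bankofamerica-alerts.com")
# The message's DV case: nothing but a CN.
ALERTS_DV = "CN = bankofamerica-alerts.com"
# Constructed look-alike: same O, Kentucky registry, placeholder serial number.
KENTUCKY_EV = ALERTS_EV.replace("Delaware", "Kentucky").replace("2927442", "0000000")

def parse_subject(text):
    """Parse 'KEY = value' lines into a dict; lines without '=' are ignored."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def identity_key(fields):
    """(country, state, serial) of incorporation, or None when the subject has no EV identity."""
    serial, country = fields.get("SERIALNUMBER"), fields.get(JURIS_COUNTRY)
    if not serial or not country:
        return None
    return (country.upper(), fields.get(JURIS_STATE, "").lower(), serial)

def classify(fields, known):
    """Compare a subject with `known`, a hypothetical store of identity_key -> O seen earlier."""
    key = identity_key(fields)
    if key is None:
        return "no-identity"            # DV: only the domain name is available
    if key in known:
        return "same-organization"      # same registry entry, whatever the CN
    name = fields.get("O", "").casefold()
    if any(name == org.casefold() for org in known.values()):
        return "name-collision"         # same O, different jurisdiction or serial
    return "unknown-organization"
```

The key deliberately ignores the O, L, S and C fields: per the message, the place of incorporation plus the registry serial number is what distinguishes the Delaware corporation from a same-named one registered elsewhere.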

