On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote:
> On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> > This string is about Mozilla’s announced plan to remove the EV UI from 
> > Firefox in October.  Over time, this will tend to eliminate confirmed 
> > identity information about websites from the security ecosystem, as EV 
> > website owners may decide it’s not worth using an EV certificate if 
> > browsers decide to hide the data from users.  As noted in my last 
> > message, this will be a tragedy for users, as browser phishing filters 
> > and other anti-phishing services currently rely on website EV data in 
> > their algorithms for protecting users.
> 
> Can you provide more detail (preferably with citations) about how browser 
> phishing filters, and specifically Google Safe Browsing (used by Firefox), 
> rely on EV data?
> 
> It's not clear to me how this could possibly be useful in detecting phishing 
> given the data that you've previously published[1] showing that an extremely 
> small number sites with EV certificates were detected as phishing.
> 
> Jonathan
> 
> [1] 
> https://casecurity.org/wp-content/uploads/2018/06/Summary-Report-Incidence-of-Phishing-04-16-2018.pdf


Sure, I’m happy to explain, using Bank of America as an example.

The EV data securing the domain www.bankofamerica.com is as follows:

CN = www.bankofamerica.com
SERIALNUMBER = 2927442
OU = eComm Network Infrastructure
2.5.4.15 = Private Organization
O = Bank of America Corporation
1.3.6.1.4.1.311.60.2.1.2 = Delaware
1.3.6.1.4.1.311.60.2.1.3 = US
L = Chicago
S = Illinois
C = US

This data uniquely and unambiguously identifies the owner of the domain as 
“Bank of America Corporation”, a Delaware, US corporation with the Delaware 
registry serial number 2927442 – no other corporation in the world can get that 
place of incorporation and serial number.  There’s no “Stripe” problem here – 
even if a phisher or academic could create a new corporation in another state 
(e.g., Kentucky) in the name of “Bank of America Corporation” and then get an 
EV cert, it would show state of incorporation as Kentucky and show a different 
serial number – it’s easy for phishing algorithms to notice the difference and 
know these are not the same organization who own the websites.

Phishing services tend to capture and retain this kind of website identity 
information and use it in their algorithms to create a “reputation” for 
specific domains and for specific organizations named in EV certificates that 
they re-use later.  

Now, suppose a new website appears, “bankofamerica-alerts.com” and suppose it’s 
only secured by a DV certificate.  In that case, this is the only certificate 
information available to the anti-phishing service:

CN = bankofamerica-alerts.com

That could be a site owned by the real Bank of America, or owned by a phisher – 
who knows, as there is no identity information available about the site.  So a 
phishing service would be very cautious.

Now suppose the new website “bankofamerica-alerts.com” is instead secured by an 
EV certificate.  The certificate identity information for that site would be as 
follows:

CN = bankofamerica-alerts.com
SERIALNUMBER = 2927442
OU = eComm Network Infrastructure
2.5.4.15 = Private Organization
O = Bank of America Corporation
1.3.6.1.4.1.311.60.2.1.2 = Delaware
1.3.6.1.4.1.311.60.2.1.3 = US
L = Chicago
S = Illinois
C = US

Only the CN field would be different from the EV certificate securing 
www.bankofamerica.com.  Anti-phishing services will notice this similarity, and 
will likely rely on the “reputation” already established for the site 
www.bankofamerica.com (and for the organization “Bank of America Corporation, 
Delaware serial number 2927442”) and so feel confident based on that good 
reputation that the new EV website “bankofamerica-alerts.com” is unlikely to be 
a phishing site.  This helps speed up decisions on which sites are likely safe 
for users and which should be flagged for phishing.

Anti-phishing algorithms like lots of data, particularly strongly confirmed 
data like EV data.  Website owners who use EV certificates today do so because 
they believe EV certs protect their customers and their brands, chiefly through 
the EV UI.  If the browsers eliminate the EV UI and hide identity data from 
users, over time website owners may stop using EV certificates, and the EV 
identity data will disappear from the security ecosystem – a real loss. 

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
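
The subject comparison described in the message above, as an added example that is not part of the original post and not any anti-phishing service's actual code. The function names and verdict labels are hypothetical, the Kentucky subject and its serial number are constructed, and each subject is assumed to come from a certificate that has already chained to a trusted EV issuer.

```python
# Added illustration: compare EV subject identity fields (OID names per the EV Guidelines).
OID_NAMES = {
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionState",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountry",
}

def parse_subject(text):
    """Parse 'KEY = value' lines (the layout used in the message) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            key = key.strip()
            fields[OID_NAMES.get(key, key)] = value.strip()
    return fields

def identity_key(fields):
    """(country, state, registry serial), or None when the subject has no EV identity."""
    country = fields.get("jurisdictionCountry")
    serial = fields.get("SERIALNUMBER")
    if not country or not serial:
        return None
    # National registrations carry no state, so the state may be empty.
    return (country.upper(), fields.get("jurisdictionState", "").upper(), serial)

def classify(known, candidate):
    """Compare a candidate subject against an already-trusted EV subject."""
    k, c = identity_key(known), identity_key(candidate)
    if c is None:
        return "no-identity"            # DV: only a CN, nothing to compare
    if c == k:
        return "same-organization"      # same registry entry, CN may differ
    if candidate.get("O", "").casefold() == known.get("O", "").casefold():
        return "name-collision"         # same O, different jurisdiction or serial
    return "different-organization"

PAGE_IDENTITY = """SERIALNUMBER = 2927442
OU = eComm Network Infrastructure
2.5.4.15 = Private Organization
O = Bank of America Corporation
1.3.6.1.4.1.311.60.2.1.2 = Delaware
1.3.6.1.4.1.311.60.2.1.3 = US
C = US"""  # identity fields as listed in the message (L and S omitted)
KNOWN = parse_subject("CN = www.bankofamerica.com\n" + PAGE_IDENTITY)
EV_NEW = parse_subject("CN = bankofamerica-alerts.com\n" + PAGE_IDENTITY)
DV_NEW = parse_subject("CN = bankofamerica-alerts.com")
KY_NEW = parse_subject("CN = example.invalid\n" + PAGE_IDENTITY  # constructed subject
                       .replace("Delaware", "Kentucky").replace("2927442", "0000000"))
```

The verdict is only as strong as the validation behind the subject fields, so it belongs after chain and EV policy checks, not in place of them.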
