On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote:
> On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote:
> > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> > > This string is about Mozilla’s announced plan to remove the EV UI from 
> > > Firefox in October.  Over time, this will tend to eliminate confirmed 
> > > identity information about websites from the security ecosystem, as EV 
> > > website owners may decide it’s not worth using an EV certificate if 
> > > browsers decide to hide the data from users.  As noted in my last 
> > > message, this will be a tragedy for users, as browser phishing filters 
> > > and other anti-phishing services currently rely on website EV data in 
> > > their algorithms for protecting users.
> > 
> > Can you provide more detail (preferably with citations) about how browser 
> > phishing filters, and specifically Google Safe Browsing (used by Firefox), 
> > rely on EV data?
> > 
> > It's not clear to me how this could possibly be useful in detecting 
> > phishing given the data that you've previously published[1] showing that an 
> > extremely small number of sites with EV certificates were detected as phishing.
> > 
> > Jonathan
> > 
> > [1] 
> > https://casecurity.org/wp-content/uploads/2018/06/Summary-Report-Incidence-of-Phishing-04-16-2018.pdf
> 
> 
> Sure, I’m happy to explain, using Bank of America as an example.
> 
> The EV data securing the domain www.bankofamerica.com is as follows:
> 
> CN = www.bankofamerica.com
> SERIALNUMBER = 2927442
> OU = eComm Network Infrastructure
> 2.5.4.15 = Private Organization
> O = Bank of America Corporation
> 1.3.6.1.4.1.311.60.2.1.2 = Delaware
> 1.3.6.1.4.1.311.60.2.1.3 = US
> L = Chicago
> S = Illinois
> C = US
> 
> This data uniquely and unambiguously identifies the owner of the domain as 
> “Bank of America Corporation”, a Delaware, US corporation with the Delaware 
> registry serial number 2927442 – no other corporation in the world can get 
> that place of incorporation and serial number.  There’s no “Stripe” problem 
> here – even if a phisher or academic could create a new corporation in 
> another state (e.g., Kentucky) in the name of “Bank of America Corporation” 
> and then get an EV cert, it would show state of incorporation as Kentucky and 
> show a different serial number – it’s easy for phishing algorithms to notice 
> the difference and know these are not the same organization that owns the 
> websites.
> 
> Phishing services tend to capture and retain this kind of website identity 
> information and use it in their algorithms to create a “reputation” for 
> specific domains and for specific organizations named in EV certificates that 
> they re-use later.  
> 
> Now, suppose a new website appears, “bankofamerica-alerts.com” and suppose 
> it’s only secured by a DV certificate.  In that case, this is the only 
> certificate information available to the anti-phishing service:
> 
> CN = bankofamerica-alerts.com
> 
> That could be a site owned by the real Bank of America, or owned by a phisher 
> – who knows, as there is no identity information available about the site.  
> So a phishing service would be very cautious.
> 
> Now suppose the new website “bankofamerica-alerts.com” is instead secured by 
> an EV certificate.  The certificate identity information for that site would 
> be as follows:
> 
> CN = bankofamerica-alerts.com
> SERIALNUMBER = 2927442
> OU = eComm Network Infrastructure
> 2.5.4.15 = Private Organization
> O = Bank of America Corporation
> 1.3.6.1.4.1.311.60.2.1.2 = Delaware
> 1.3.6.1.4.1.311.60.2.1.3 = US
> L = Chicago
> S = Illinois
> C = US
> 
> Only the CN field would be different from the EV certificate securing 
> www.bankofamerica.com.  Anti-phishing services will notice this similarity, 
> and will likely rely on the “reputation” already established for the site 
> www.bankofamerica.com (and for the organization “Bank of America 
> Corporation, Delaware serial number 2927442”) and so feel confident based on 
> that good reputation that the new EV website “bankofamerica-alerts.com” is 
> unlikely to be a phishing site.  This helps speed up decisions on which sites 
> are likely safe for users and which should be flagged for phishing.
> 
> Anti-phishing algorithms like lots of data, particularly strongly confirmed 
> data like EV data.  Website owners who use EV certificates today do so 
> because they believe EV certs protect their customers and their brands, 
> chiefly through the EV UI.  If the browsers eliminate the EV UI and hide 
> identity data from users, over time website owners may stop using EV 
> certificates, and the EV identity data will disappear from the security 
> ecosystem – a real loss.

EV code signing certificates do not display any trusted UI -- their chief 
purpose is to inform Smartscreen and other relying parties of identity 
information, similar to the anti-phishing services you mention. UAC/etc will 
show the company name, but this happens for normal code signing certificates 
too.

Can you elaborate on why you believe browsers must prop up the EV UI in the 
name of these anti-phishing services, when EV code signing does not seem to 
need this? Surely either the value of the anti-phishing services is as you say 
it is -- valuable for both website owners and visitors alike -- or it is not, 
and website owners will stop paying for them.

And I hope it is clear that identity metadata like this is a tiny piece of the 
puzzle. There are nearly infinite data points one can use to make a call on URL 
reputation -- from the domain registrar to the contents of the page to the ASN 
hosting the site.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
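The identity-matching step Kirk Hall describes in the quoted message (building a reputation keyed on an organization's EV subject fields, carrying it over to a new certificate that presents the same organization, and refusing to carry it over when only the O string matches but jurisdiction or registry serial differ) is sketched below as an added Python example. It is not code from the thread or from any browser or anti-phishing service. The subject listings are modelled on the ones quoted above; the reputation score, the lookalike's Kentucky registry serial, and the function names are constructed placeholders; the OID-to-name mapping is the standard one for businessCategory and the EV jurisdiction-of-incorporation attributes.

```python
"""Organization-identity matching over EV subject fields.

Added illustration of the reputation logic described in the thread; the
subject listings are modelled on the quoted ones and every score is a
constructed placeholder, not real anti-phishing data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Raw OIDs as they appear in the quoted subject listings. 2.5.4.15 is
# businessCategory; the two 1.3.6.1.4.1.311.60.2.1.x attributes carry the EV
# jurisdiction of incorporation (state/province and country).
OID_NAMES = {
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionState",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountry",
}


def parse_subject(text: str) -> dict[str, str]:
    """Parse 'KEY = value' lines (the layout used in the thread) into a dict."""
    subject: dict[str, str] = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key:
            subject[OID_NAMES.get(key, key)] = value
    return subject


@dataclass(frozen=True)
class OrgIdentity:
    """The tuple that, per the thread, uniquely identifies one legal entity."""
    organization: str
    jurisdiction_country: str
    jurisdiction_state: str
    registry_serial: str


def org_identity(subject: dict[str, str]) -> Optional[OrgIdentity]:
    """Return the EV identity tuple, or None for a DV-style subject (CN only)."""
    needed = ("O", "jurisdictionCountry", "jurisdictionState", "SERIALNUMBER")
    if not all(subject.get(k) for k in needed):
        return None
    return OrgIdentity(subject["O"], subject["jurisdictionCountry"],
                       subject["jurisdictionState"], subject["SERIALNUMBER"])


def assess(subject: dict[str, str],
           reputation: dict[OrgIdentity, float]) -> tuple[str, Optional[float]]:
    """Classify a new certificate's subject against known organization reputation.

    Verdicts:
      no-identity    DV-style subject, nothing to match on; stays unknown
      known-org      exact match on the EV identity tuple; reputation inherited
      name-collision same O string but different jurisdiction or serial (the
                     "Kentucky" case in the thread); nothing is inherited
      unknown-org    complete EV identity that has not been seen before
    """
    ident = org_identity(subject)
    if ident is None:
        return "no-identity", None
    if ident in reputation:
        return "known-org", reputation[ident]
    if any(k.organization.casefold() == ident.organization.casefold()
           for k in reputation):
        return "name-collision", None
    return "unknown-org", None


# Subject listings modelled on the ones quoted in the thread.
KNOWN_BOFA = """
CN = www.bankofamerica.com
SERIALNUMBER = 2927442
OU = eComm Network Infrastructure
2.5.4.15 = Private Organization
O = Bank of America Corporation
1.3.6.1.4.1.311.60.2.1.2 = Delaware
1.3.6.1.4.1.311.60.2.1.3 = US
L = Chicago
S = Illinois
C = US
"""
DV_ALERTS = "CN = bankofamerica-alerts.com"
EV_ALERTS_SAME_ORG = KNOWN_BOFA.replace("www.bankofamerica.com",
                                        "bankofamerica-alerts.com")
# Constructed lookalike: same O string, incorporated elsewhere, different serial.
EV_ALERTS_LOOKALIKE = (EV_ALERTS_SAME_ORG
                       .replace("Delaware", "Kentucky")
                       .replace("2927442", "EXAMPLE-SERIAL-0001"))


def demo() -> dict[str, tuple[str, Optional[float]]]:
    """Run the three scenarios from the thread against a one-entry reputation map."""
    reputation = {org_identity(parse_subject(KNOWN_BOFA)): 0.95}  # constructed score
    return {
        "dv": assess(parse_subject(DV_ALERTS), reputation),
        "ev_same_org": assess(parse_subject(EV_ALERTS_SAME_ORG), reputation),
        "ev_lookalike": assess(parse_subject(EV_ALERTS_LOOKALIKE), reputation),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The point of the `name-collision` branch is the one the thread makes about the "Kentucky" corporation: an O string on its own is not an identity, so a reputation keyed only on the organization name would be inherited by any entity able to register the same name; keying on the full tuple (O, jurisdiction, registry serial) is what makes the carry-over defensible.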