Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Eric Mill writes:

>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.

See also the screenshot I posted earlier.  That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to pay for
them.  These are legit EV certs issued to legit companies, available off the
shelf for criminals to use.  For a little extra payment you can get ones with
high SmartShield scores so your malware is instantly trusted by the victim's
PC.

>The burden is not on the web browsers to prove that EV is detrimental to
>security - the burden is on third parties to prove that EV is beneficial.

Yup, as per my previous post.  We've got vast amounts of data on this; if
there was a benefit to users then it shouldn't be hard to show that from the
data.

Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Robin.Lin
I think that the phishing event count should focus on the number of phishing events
per organization.
If the phishing event count decreased after an organization started to use EV
certificates, the EV certificate should have some effect in reducing phishing
events.

Thanks,
Robin Lin

> -----Original Message-----
> From: dev-security-policy On Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
> 
> Doug Beattie writes:
> 
> >Do you have any empirical data to backup the claims that there is no
> >benefit from EV certificates?
> 
> Uhhh... I don't even know where to start.  We have over ten years of data and
> research publications on this, and the lack of benefit was explicitly cited
> by Google and Mozilla as the reason for removing the EV bling... one example
> is the most obvious statistic, maintained by the Anti-Phishing Working Group
> (APWG), which shows an essentially flat trend for phishing over the period of
> a year in which EV certificates were phased in, indicating that they had no
> effect whatsoever on phishing.  There are endless other stats showing that
> the trend towards security is negative, i.e. it's getting worse every year;
> here are some five-year stats from a quick google:
>
> https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png
>
> If EV certs had any effect at all on security we'd have seen a decrease in
> phishing/increase in security.
>
> There is one significant benefit from EV certificates, which I've already
> pointed out, which is to the CAs selling them.  So when I say "there's no
> benefit" I mean "there's no benefit to end users", which is who the
> certificates are putatively helping.
> 
> Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes:

>So far I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.

See the phishing stats from any source you care to use.  I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL Store blog which happened to be the first Google hit, but feel free to
take any source of stats you trust, and see if you can find any that show that
phishing decreased and/or security increased due to EV certs.

I could also reverse this and say: You claim that EV certs are useful. Produce
some stats showing this.  We could agree on using the APWG as our source,
since they're pretty authoritative.

In either case, we've got a good, decade-long, reliable, heavily-analysed data
source; it's up to the two sides to use it to support their case.  I've
already made mine.

>Yes, I work for a CA that issues EV certificates, but if there was no value
>in them, then our customers would certainly not be paying extra for them.

Must remember that one for the quotes file :-).

In case you're wondering why I find it amusing, consider this variant:

  Yes, I work for Monster Cable, but if there was no value in our cables then
  our customers would certainly not be paying extra for them.

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes:

>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozilla as the reason for removing the EV bling... one example is
the most obvious statistic, maintained by the Anti-Phishing Working Group
(APWG), which shows an essentially flat trend for phishing over the period of a
year in which EV certificates were phased in, indicating that they had no
effect whatsoever on phishing.  There are endless other stats showing that the
trend towards security is negative, i.e. it's getting worse every year; here
are some five-year stats from a quick google:

https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.

Peter.


Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Nick Lamb via dev-security-policy
On Thu, 15 Aug 2019 22:11:37 +0200
Eric Rescorla via dev-security-policy wrote:

> I expect this is true, but it seems to me that if anything it is an
> argument that EV doesn't provide security value, not the other way
> around: DV certificates are much cheaper to obtain than EV, and so
> naturally if you just need a certificate you're going to get DV.
> OTOH, if users actually trusted EV more, it might be worthwhile for
> an attacker to get EV anyway.

It is as ever simultaneously reassuring and annoying to see EKR wrote
what I was thinking but more succinctly and a few hours before I get
time to draft an email.

Further:

My interpretation is that a LOT of phishing sites in 2019 only
have DV certificates because that was the default. The crooks didn't
think "I need a certificate" they thought "I need a web site" and in
2019 a typical web site comes with a certificate - same as you don't
need to buy separate seatbelts for your car these days.

If we are looking to protect users from Phishing, we should promote
WebAuthn, not Extended Validation, because we know WebAuthn actually
protects users from phishing.

Nick.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
I'm told my previous message to this thread was flagged as spam for some of
the recipients. But it did get posted to the Google Group, so for those who
didn't get my previous reply, here it is:

https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/tO3k5ua0AQAJ

On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> So far I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.  Mostly academic or
> irrelevant research, imho.  Here are a couple of links posted in this
> thread:
>
> https://www.typewritten.net/writer/ev-phishing/: This post is intended
> for a technical audience interested in how an EV SSL certificate can be
> used as an effective phishing device  security concern>
>
> https://stripe.ian.sh/: EV certificates with colliding entity names can
> be generated, but to date, I don’t know of any real attacks, just this
> academic exercise. And how much did it cost and how long did it take Ian to
> get certificates to perform this experiment?  Way more time and money than a
> phisher would invest.
>
> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the
> references weren’t even related to EV (including irrelevant research links
> to bolster their claims to the uninformed)
>
> I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla.  Mozilla and Google should reconsider their proposed changes.
>
> Yes, I work for a CA that issues EV certificates, but if there was no
> value in them, then our customers would certainly not be paying extra for
> them.  Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?  With Google
> and Mozilla being prominent Lets Encrypt sponsors we know their intent is
> to drive business to them vs. any of the commercially respectable CAs.
> It’s actually counter productive to security to sponsor a CA that issues so
> many certificates to phishing and malware sites without any consequences.
> Is this to increase the value of their malware site detection services?
> Maybe..
>
> *   https://www.usenix.org/system/files/soups2019-drury.pdf
> *   https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann; MozPol <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread
> citing research showing that users don't notice the difference.


-- 
Eric Mill
617-314-0966 | konklone.com | @konklone 


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ian Carroll via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> So far I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.  Mostly academic or
> irrelevant research, imho.  Here are a couple of links posted in this thread:
>
> https://www.typewritten.net/writer/ev-phishing/: This post is intended for a
> technical audience interested in how an EV SSL certificate can be used as an
> effective phishing device  concern>
>
> https://stripe.ian.sh/: EV certificates with colliding entity names can be
> generated, but to date, I don’t know of any real attacks, just this academic
> exercise. And how much did it cost and how long did it take Ian to get
> certificates to perform this experiment?  Way more time and money than a
> phisher would invest.

To be clear, I obtained this certificate during lunch while I was in high 
school, but I'm sure you read the post explaining the cost/time already. I hope 
we can agree our bar for security is higher than "a kid who got bored".

>
> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the references
> weren’t even related to EV (including irrelevant research links to bolster
> their claims to the uninformed)
>
> I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla.  Mozilla and Google should reconsider their proposed changes.
>
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as does
> GlobalSign) drive the need for ending EV certificates?  With Google and
> Mozilla being prominent Lets Encrypt sponsors we know their intent is to
> drive business to them vs. any of the commercially respectable CAs.  It’s
> actually counter productive to security to sponsor a CA that issues so many
> certificates to phishing and malware sites without any consequences.  Is this
> to increase the value of their malware site detection services?  Maybe..

It is not worth it to respond to this bizarre theory. Sponsors of Let's Encrypt 
obviously have nothing to gain from more people using it; it's not like they 
pay dividends! You can slander them all you want, but it's not going to make 
anyone respect your opinion in the future.

>
> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann; MozPol
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy wrote:
>
> Peter,
>
> Do you have any empirical data to backup the claims that there is no benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread citing
> research showing that users don't notice the difference.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Rescorla via dev-security-policy
On Thu, Aug 15, 2019 at 2:46 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>

I expect this is true, but it seems to me that if anything it is an
argument that EV doesn't provide security value, not the other way around:
DV certificates are much cheaper to obtain than EV, and so naturally if you
just need a certificate you're going to get DV. OTOH, if users actually
trusted EV more, it might be worthwhile for an attacker to get EV anyway.

-Ekr

> Doug
>
> -----Original Message-----
> From: dev-security-policy On Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> Jakob Bohm via dev-security-policy writes:
>
> >Problem example:
> >[...]
>
> You're explaining how it's supposed to work in theory, not in the real
> world.
>
> We have a decade of real-world data showing that it doesn't work, that
> there's no benefit from EV certificates apart from the one to CA's balance
> sheets.  So the browser vendors are doing the logical thing, responding to
> the real-world data and no longer pretending that EV certs add any security
> value, both in terms of protecting users and of keeping out the bad guys -
> see the attached screen clip, in this case for EV code-signing certs for
> malware, but you can buy web site EV certs just as readily.
>
> Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread James Burton via dev-security-policy
My understanding of the days before EV was that the CAs themselves made up
the validation requirements for DV, and because of this there were uneven
validation requirements across the industry. EV was the first document
created to solve this and standardise validation requirements for a
certificate type. Moving forward, the baseline requirements have standardised
validation requirements for the DV certificate type, and therefore EV is no
longer needed.

Regarding the phishing aspect of EV, users have no clue what EV is and they
are more interested in looking for the padlock and completing the
checkout process.

On Thu, Aug 15, 2019 at 8:16 PM Ronald Crane via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
> > So far I see is a number of contrived test cases picking apart small
> > components of EV, and no real data to back it up.
> I also would like to see more evidence of problems. However, I have to
> object to the idea that
> > Mostly academic...research, imho...
> is of little value. This treads dangerously close to nihilism.
> > https://stripe.ian.sh/: EV certificates with colliding entity names can
> > be generated, but to date, I don’t know of any real attacks, just this
> > academic exercise. And how much did it cost and how long did it take Ian to
> > get certificates to perform this experiment?  Way more time and money than
> > a phisher would invest.
> I question that a phisher, who stands potentially to gain hundreds of
> thousands or millions of dollars by phishing, e.g., the customers of a
> major bank, would not, as this paper says, invest "48 hours from
> incorporation to the issuance of the certificate" and "$177". This is a
> trivial investment for a non-frivolous financial phisher, let alone,
> say, a foreign government interested in phishing, say, a
> voter-registration (or -- shudder! -- an e-voting) site.
> > Yes, I work for a CA that issues EV certificates, but if there was no
> > value in them, then our customers would certainly not be paying extra for
> > them.
> That your customers may perceive additional value in them doesn't mean
> that they provide additional value to the general internet user. That
> said, I lean toward Mozilla letting this debate settle out before hiding
> EV support in release Firefox.
>
> -R


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ronald Crane via dev-security-policy

On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:

> So far I see is a number of contrived test cases picking apart small components
> of EV, and no real data to back it up.

I also would like to see more evidence of problems. However, I have to
object to the idea that

> Mostly academic...research, imho...

is of little value. This treads dangerously close to nihilism.

> https://stripe.ian.sh/: EV certificates with colliding entity names can be
> generated, but to date, I don’t know of any real attacks, just this academic
> exercise. And how much did it cost and how long did it take Ian to get
> certificates to perform this experiment?  Way more time and money than a
> phisher would invest.

I question that a phisher, who stands potentially to gain hundreds of
thousands or millions of dollars by phishing, e.g., the customers of a
major bank, would not, as this paper says, invest "48 hours from
incorporation to the issuance of the certificate" and "$177". This is a
trivial investment for a non-frivolous financial phisher, let alone,
say, a foreign government interested in phishing, say, a
voter-registration (or -- shudder! -- an e-voting) site.

> Yes, I work for a CA that issues EV certificates, but if there was no value in
> them, then our customers would certainly not be paying extra for them.

That your customers may perceive additional value in them doesn't mean
that they provide additional value to the general internet user. That
said, I lean toward Mozilla letting this debate settle out before hiding
EV support in release Firefox.


-R



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> So far I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.  Mostly academic or
> irrelevant research, imho.


(posting in my personal capacity)

I don't think it's accurate to characterize the research dismissively as
academic or irrelevant. I also want to point out up top that Safari
announced it was removing the EV indicator over a year ago, in June 2018.


> https://stripe.ian.sh/: EV certificates with colliding entity names can
> be generated, but to date, I don’t know of any real attacks, just this
> academic exercise. And how much did it cost and how long did it take Ian to
> get certificates to perform this experiment?  Way more time and money than a
> phisher would invest.
>

Ian states this directly in the post. It is a trivial amount of money and
time:

"One question may be how practical this attack is for a real attacker who
desires to phish someone. First, from incorporation to issuance of the EV
certificate, I spent less than an hour of my time and about $177. $100 of
this was to incorporate the company, and $77 was for the certificate. It
took about 48 hours from incorporation to the issuance of the certificate."


CAs should be careful about casually and dramatically overestimating the
roadblocks that EV certificates present to attackers.

Even if Ian's experiment took 10 times as long in practice, and cost $1000
over a fortnight, this is well within what we should generally expect
attackers to spend on an organized phishing attack. I have been on the
receiving end, as a website owner whose service was spoofed, of
sophisticated phishing attacks, and I've observed attackers who are willing
to spend substantially more than that for what is by all evidence a
lucrative and often successful class of attack.

> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the
> references weren’t even related to EV (including irrelevant research links
> to bolster their claims to the uninformed)

The burden is not on the web browsers to prove that EV is detrimental to
security - the burden is on third parties to prove that EV is beneficial.
The fact that it's been around for a long time is not sufficient. I don't
see any evidence that any of the links or resources on that page are
designed to mislead uninformed readers.


> I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla.  Mozilla and Google should reconsider their proposed changes.

I don't observe a significant number of organizations questioning these
changes, in this thread or externally, other than CAs. Not that there
aren't any, but I'm not seeing a significant hue and cry in the broader
ecosystem.

I certainly can't speak for the US government, but I can say that when I
worked for the executive branch for a federal agency, I observed a strong
trend in adopting DV certificates (typically automated) throughout the
executive branch. One of the more relevant changes I observed agencies make
was the Department of Defense explicitly updating their internal policies
to remove a requirement to use EV certificates for public properties.
Multiple federal agencies gave internal guidance to widely adopt DV
certificates internally, and you can see a public example of that in the
official guidance accompanying the White House's HTTPS directive at
https://https.cio.gov/certificates/#what-kind-of-certificate-should-i-get-for-my-domain -

“Domain Validation” (DV) certificates are usually less expensive and more
amenable to automation than “Extended Validation” (EV) certificates. EV
certificates generally result in the domain owner’s name appearing in the
browser URL bar visitors see. Ordinary DV certificates are completely
acceptable for government use.


Given that Safari already removed the EV indicator well over a year ago, I
expect the guidance will be updated so as not to mislead agencies that EV
will continue to generally show their organization's name in browsers.

You can certainly still find EV certificates on some federal agency
websites out there, but overall, the trajectory away from them has been
clear and accelerating for years.


> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.


This is definitely not a strong argument. Enterprises do all sorts of
things they believe may be valuable, based on gut feelings or on outdated
best practices.

For example, 5 years ago, it was still conventional wisdom to periodically
rotate user passwords. After years of empirical research demonstrating the

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Tom Ritter via dev-security-policy
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>

I don't doubt that at all. However see the first email in this thread
citing research showing that users don't notice the difference.


Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread deanjc18--- via dev-security-policy
On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote:
> On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via dev-security-policy wrote:
> > In old Firefox, I get a green bar if I visit google.com and paypal.com, 
> > telling me that this is a well-known company that got the EV certificate.
> > The other fake domains goog1e.com and paypa1.com only have DV certificates 
> > by Let's Encrypt.
> 
> The green bar does not indicate that it's a well-known company. It
> means someone payed for an EV certificate. The green bar does not
> in any way say it's more secure or indicate that you're talking to
> some trustworthy company. It only gives you a false sense of
> security.
> 
> 
> Kurt

That's a pretty disingenuous description of EV certificates. Whether they paid 
for it or not isn't the issue. It means that some entity applied for an EV 
certificate, the CA used the vetting methods described in the CA/B Forum EV 
guidelines (which were agreed to by CAs and browsers) to verify the domain, the 
company, the address, location, etc. Only after that is complete is an EV 
certificate issued.  The CA was then audited against the work they did (in 
addition to assuring they meet physical, network and other audit requirements), 
annually. 
I have to agree with Jakob: it's remarkable that Mozilla would make such a
drastic change with only a 2-day announcement and no discussion.


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Doug Beattie via dev-security-policy
Peter,

Do you have any empirical data to backup the claims that there is no benefit
from EV certificates?  From the reports I've seen, the percentage of
phishing and malware sites that use EV is drastically lower than DV (which
are used to protect the cesspool of websites).

Doug



-----Original Message-----
From: dev-security-policy On Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

Jakob Bohm via dev-security-policy writes:

>Problem example:
>[...]

You're explaining how it's supposed to work in theory, not in the real
world.

We have a decade of real-world data showing that it doesn't work, that
there's no benefit from EV certificates apart from the one to CA's balance
sheets.  So the browser vendors are doing the logical thing, responding to
the real-world data and no longer pretending that EV certs add any security
value, both in terms of protecting users and of keeping out the bad guys -
see the attached screen clip, in this case for EV code-signing certs for
malware, but you can buy web site EV certs just as readily.

Peter.


Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Kurt Roeckx via dev-security-policy
On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via 
dev-security-policy wrote:
> In old Firefox, I get a green bar if I visit google.com and paypal.com, 
> telling me that this is a well-known company that got the EV certificate.
> The other fake domains goog1e.com and paypa1.com only have DV certificates by 
> Let's Encrypt.

The green bar does not indicate that it's a well-known company. It
means someone paid for an EV certificate. The green bar does not
in any way say it's more secure or indicate that you're talking to
some trustworthy company. It only gives you a false sense of
security.


Kurt



AW: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Buschart, Rufus via dev-security-policy
Dear Daniel!
> Please tell me if I understand this correctly...
> Is it that DV and EV certificates now both show the same lock symbol?
> That would be a great harm in my opinion. And I do not understand why you 
> want this change.
> 
> I think EV is very important and I explain why.
> 
> Let's look at following hypothetical case: We have google.com, paypal.com as 
> well as goog1e.com and paypa1.com . Notice the two
> number 1 (one) instead of a lower case L in the latter two domains. (lowercase 
> "L" and "one" look perfectly equal in Times New Roman. And
> lowercase "L" looks perfectly equal to uppercase "i" in Arial.)
> 
> In old Firefox, I get a green bar if I visit google.com and paypal.com, 
> telling me that this is a well-known company that got the EV certificate.
> The other fake domains goog1e.com and paypa1.com only have DV certificates by 
> Let's Encrypt.
> 
> In the newer Firefox, both domains, the real one and the fake one both get a 
> lock symbol. And I need to click the lock to see if it is DV or EV.
> 
> Do I understand that correctly?

Any CA that strictly follows BRGs 4.2.1 should not issue a certificate for 
paypa1.com or goog1e.com. Until recently this was also done by Let's Encrypt, 
but they stopped doing so in January 2019 - 
https://community.letsencrypt.org/t/let-s-encrypt-no-longer-checking-google-safe-browsing/82168.
Maybe someone from the Let's Encrypt team can explain how they are now 
fulfilling this requirement.

/Rufus
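
A concrete illustration of the screening Rufus refers to under BRG 4.2.1, applied to the goog1e.com / paypa1.com scenario Daniel describes in the quoted text above. This is an added example, not code from the thread and not any CA's actual high-risk check: it maps look-alike glyphs to a canonical "skeleton" so that a requested name can be compared against a list of protected brands, decodes punycode labels first, and uses edit distance to catch one-character typos. The brand list, the confusables table, the edit-distance threshold and the assumption that the second-level label is the registrable one are all illustrative choices; a production check would use the Unicode confusables data and the Public Suffix List.

```python
"""Confusable-domain screening of the sort a CA's high-risk check (BRG 4.2.1)
can run on a requested name. Added example with constructed data; it is not
any CA's real implementation."""
import unicodedata

# Assumption: a small hand-built table of glyphs commonly mistaken for a
# Latin letter. A real check would use the Unicode confusables data.
CONFUSABLES = {
    "1": "l", "|": "l", "i": "l",        # 1, |, I/i all read as l in many fonts
    "0": "o", "3": "e", "5": "s", "7": "t", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic c x y
}
# Letter pairs that render like a single glyph ("rn" ~ "m", "vv" ~ "w").
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]

# Assumption: constructed list of brands the CA treats as high-risk targets.
PROTECTED_BRANDS = ["google", "paypal"]


def skeleton(label):
    """Map a label to its visual skeleton so look-alikes compare equal."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_CONFUSABLES:
        label = label.replace(seq, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def registrable_label(domain):
    """Return the brand-bearing label, decoding punycode (xn--) if present.

    Assumption: the second-level label is the registrable one; a real
    implementation consults the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the literal label instead
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one-character typos (paypall, gogle)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=PROTECTED_BRANDS, max_distance=1):
    """Classify a requested domain against the protected brands.

    Returns (kind, brand):
      ("brand", b)      the label is the brand itself; owner and impostor look
                        the same here, so the CA must verify control and identity
      ("confusable", b) not the brand, but its skeleton is (goog1e, paypa1)
      ("near", b)       within max_distance edits of the brand's skeleton
      (None, None)      no match; ordinary validation applies
    """
    label = registrable_label(domain)
    skel = skeleton(label)
    for brand in brands:
        if label == brand:
            return ("brand", brand)
        brand_skel = skeleton(brand)
        if skel == brand_skel:
            return ("confusable", brand)
        if levenshtein(skel, brand_skel) <= max_distance:
            return ("near", brand)
    return (None, None)


if __name__ == "__main__":
    # Constructed sample requests: the real brands, the two look-alikes from
    # the thread, a typo, an unrelated name and a Cyrillic-a homoglyph.
    for name in ["google.com", "goog1e.com", "paypa1.com", "paypall.com",
                 "example.org", "p\u0430ypal.com"]:
        print(f"{name:16} -> {classify(name)}")
```

A hit only means the request needs additional verification, not that it is fraudulent: google.com itself comes back as "brand" because the legitimate owner and an impostor look identical to a name check, and the CA has to tell them apart through domain control and identity validation rather than through the name.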


Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Daniel Marschall via dev-security-policy
Please tell me if I understand this correctly...
Is it that DV and EV certificates now both show the same lock symbol?
That would be a great harm in my opinion. And I do not understand why you want 
this change.

I think EV is very important and I explain why.

Let's look at following hypothetical case: We have google.com, paypal.com as 
well as goog1e.com and paypa1.com . Notice the two number 1 (one) instead of a 
lower case L in the latter two domains. (lowercase "L" and "one" look perfectly 
equal in Times New Roman. And lowercase "L" looks perfectly equal to uppercase 
"i" in Arial.)

In old Firefox, I get a green bar if I visit google.com and paypal.com, telling 
me that this is a well-known company that got the EV certificate.
The other fake domains goog1e.com and paypa1.com only have DV certificates by 
Let's Encrypt.

In the newer Firefox, both domains, the real one and the fake one both get a 
lock symbol. And I need to click the lock to see if it is DV or EV.

Do I understand that correctly?

And in regards to the comparison of Peter Bowen: If we assume that an 
improvement is that a fire sprinkler reacts faster and more accurately, then 
why is it an improvement that old Firefox shows something, and the new Firefox 
does not show something? Is that an enhancement? No, it's removing something 
from the UI.



Am Montag, 12. August 2019 20:31:22 UTC+2 schrieb Wayne Thayer:
> Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
> which is expected to be released on 22-October. Details below.
> 
> If the before and after images are stripped from the email, you can view
> them here:
> 
> Before:
> https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F
> 
> After:
> https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u
> 
> - Wayne
> 
> -- Forwarded message -
> From: Johann Hofmann 
> Date: Mon, Aug 12, 2019 at 1:05 AM
> Subject: Intent to Ship: Move Extended Validation Information out of the
> URL bar
> To: Firefox Dev 
> Cc: dev-platform , Wayne Thayer <
> wtha...@mozilla.com>
> 
> 
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
> 
> Before:
> 
> 
> After:
> 
> 
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
> absence of positive security indicators and proofs of concept have been
> pitting EV against domains for phishing.
> 
> More recently, it has been shown that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
> 
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77.
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
> 
> 
> 
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
> (thanks :evilpie for working on it!). We're planning to flip this pref to
> false in bug 1572936.
> 
> Please let us know if you have any questions or concerns,
> 
> Wayne & Johann