On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote:
Martin Heaps via dev-security-policy
writes:
This topic is frustrating in that there seems to be a wide attempt by people
to use one form of authentication (DV TLS) to verify another form of
authentication (EV TLS).
The overall problem is that browser vendors have decreed that you can't have
encryption unless you have a certificate, i.e. a CA-supplied magic token to
turn the crypto on. Let's Encrypt was an attempt to kludge around this by
giving everyone one of these magic tokens. Like a lot of other kludges, it
had negative consequences...
It's not a kludge, though. Let's Encrypt is not (merely) a workaround
for the fact that self-signed certificates are basically considered
worthless. If it were, it wouldn't meet BR rules. Let's Encrypt actively
performs validation of domains, and in that respect is as legitimate as
any other DV CA.
We actually have *five* levels of trust here:
1. HTTP
2. HTTPS with no validation (self-signed or anonymous ciphersuite)
3. HTTPS with DV
4. HTTPS with OV
5. HTTPS with EV
These are technically objective levels of trust (mostly). There is also
a technically subjective tangential attribute:
a. Is not a phishing or malicious site.
Let's Encrypt aims to obsolete levels 1 and 2 by making 3 ubiquitously
accessible.
The problem is that browser vendors have historically treated trust as
binary, confounding (3), (4), and (a), mostly because the ecosystem at
the time made it hard to get (3) without meeting (a). They also
inexplicably treated (2) as worse than (1), which is of course nonsense,
but I guess was driven by some sort of backwards thinking that "if you
have security at all, you'd better have good security" (or,
equivalently: "normal people don't need security, and a mediocre attempt
at security implies Bad Evil Things Are Happening").
With time, certificates have become more accessible, everyone has come
to agree that we all need security, and with that, that thinking has
become obsolete. Getting a DV cert for a phishing site was by no means
hard before Let's Encrypt. Now that Let's Encrypt is here, it's trivial.
So it's now being actively exploited... how could anyone *not* see this
coming? How can anyone actually be surprised that this is now happening? As
the late Bob Jueneman once said on the PKIX list (over a different PKI-related
topic), "it's like watching a train wreck in slow motion, one freeze-frame at
a time". It's pre-ordained what's going to happen, the most you can do is
artificially delay its arrival.
And this question should be directed at browser vendors. After years of
mistakenly educating users that "green lock = good, safe, secure,
awesome, please type in all your passwords", how could they *not* see
this coming?
The end nessecity is that the general public need to be educated [...]
Quoting Vesselin Bontchev, "if user education was going to work, it would have
worked by now". And that was a decade ago.
This is strictly a presentation layer problem. We *know* what the
various trust levels mean. We need to present them in a way that is
*useful* to users.
Obvious answer? Make (1)-(2) big scary red, (3) neutral, (4) green, (5)
full EV banner. (a) still correlates reasonably well with (4) and (5).
HTTPS is no longer optional. All those phishing sites get a neutral URL
bar. We've already educated users that their bank needs a green lock in
the URL.
--
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy