[cabfpub] [EXTERNAL]Re: Obtaining an EV cert for phishing

Ryan Sleevi sleevi at google.com
Tue Nov 28 14:42:23 MST 2017


I appreciate your arguments about human nature, although from a security
perspective, we prefer to think about what the 'weakest link' is. I also
appreciate the appeal to suspend logical discussion, and instead discuss
experience and emotion, which can certainly make for good business, but
also makes for bad security.

The weakest link will always be the most lucrative to attack.

Your argument is that DV is a weak-link, and that EV improves that
weak-link.

Ignoring, for a second, that EV and DV are not differentiated in the
foundational security model of the Web (the origin security model of the
same origin policy), we have to evaluate two aspects of the claim here:
1) How does one strengthen the weak-link (of DV)
2) Are the claims about EV improving that weak-link (of DV) accurate

James' work shows the misrepresentation of the value of EV with respect to
#2. That is, an EV certificate can be obtained for 'nefarious' intent
without leaving a trace. This is especially true given that EV's security
itself rests on the weakest link of the QIIS, QGIS, and QTIS, and James has
shown how assumptions of the strength of those links are, to put it mildly,
incorrect, or to put it hyperbolically, overblown.

The CA Security Council, which is both not affiliated with the CA/B Forum
and, charitably, misnamed, advocates that the solution to #1 is "user
training", by virtue of changes to the user interface. That is, we should
make the supposed-weak-link look bad (for some sort of activity), while
making the supposed-strong-link look good (for some sort of activity).

What that activity is varies, of course - If our activity is, say,
"phishing", then it means every page that takes any form of user details
(not just passwords, but any form of data collection) should use an EV
certificate. If our solution is, say, "malware", then it means every page
that offers any form of download (or runs any form of browser scripting,
since that can be used to exploit bugs in browsers) should use an EV
certificate.

The 'solution' from the CA Security Council is to suggest that users should
know that all sensitive operations should be OV/EV certificates, and all
site operators should use OV/EV certificates, with a somewhat dismissive
'still allow' of DV for 'blogs' - that is, CAs want to be content police
and adjudicators, indicating blogs are not important activities but
'commerce' is, despite their virtual indistinguishability to impact on
everyday life.

This solution rests on the premise that #2 is stronger than DV, because of
its use of a QIIS and QGIS. Your own reply echoes this belief, conflating
both correlation with causation and ignoring the conclusions that can be
drawn by James' work. Unfortunately, this specious reasoning was perhaps
most compellingly summed up by Lisa Simpson in
https://www.youtube.com/watch?v=fm2W0sq9ddU

You argue that this works by arguing on the basis of 'false' negatives -
companies you rejected due to the lack of cross-correlation - but as James
has pointed out, there's a clear lack of data of the false positives -
organizations that were issued EV certs but are 'up to no good'. We know
false positives exist - a former member of the CA/Browser Forum, and
(possibly still current) member of the CA/Security Council issued quite a
few of them over the past three years. The argument that there must not be
false positives, because evil isn't done, is, unfortunately, much like
arguing that Lisa's rock repels tigers.



On Tue, Nov 28, 2017 at 4:16 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Moving from pure logical assumptions to actual experience – we have
> EV-vetted thousands of organizations over nearly a ten-year period.  We
> have never found one (either at the time of verification or after the fact)
> that was fake or appeared to include fake address or other information –
> even though the holder of an EV certificate is rewarded by having its
> identity displayed in the browser UI (such as the “Identity Verified” name
> displayed in the browser UI from the EV cert for Mr. Burton’s company – his
> article seemed to say that identity display was important to him as a
> potential phisher).
>
>
>
> Under the EV verification processes that all CAs must follow and be
> audited to, any information contained in the Qualified Government
> Information Source (QGIS) such as Companies House in the UK must be
> cross-correlated with data found in a Qualified Independent Information
> Source (QIIS), such as Hoover’s.  On several occasions we have not been
> able to complete this cross-correlation for EV applicants, often because
> the company was too new and did not yet have an established record with the
> QIIS, and so were unable to issue the EV cert to the applicant.
>
>
>
> So again, dealing with actual experience – phishers have not been choosing
> EV certificates when they move their activities to encrypted sites, they
> have overwhelmingly been choosing anonymous DV certificates for obvious
> reasons.  It’s simple human nature that people avoid doing bad things when
> their identity will be known, and prefer doing bad things when they can
> remain anonymous – that’s why identity websites (OV and EV) are proving to
> be much safer for users than anonymous websites (DV).
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Tuesday, November 28, 2017 10:58 AM
> *To:* Christian Heutger <ch at psw.net>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing
>
>
>
> To be fair, I was grossly simplifying the argument that it is:
>
> a) A crime to mislead a QGIS, QIIS, or QTIS within either the Jurisdiction
> of Incorporation or the Place of Business (as Ben and Kirk suggested)
>
> b) A crime to use cert for 'evil' purposes, as Kirk suggested
>
>
>
> There are many other reductions of the arguments being made here that
> would also apply, but I thought it worth pointing out that the argument
> that it'd be a crime to commit crime, is somewhat of a flawed tautology,
> and by no means a way to conclude we'd prevent crime by criminalizing crime.
>
>
>
> On Tue, Nov 28, 2017 at 1:35 PM, Christian Heutger via Public <
> public at cabforum.org> wrote:
>
> It also means that a crime favours another crime, and that is exactly how
> criminals are caught, because they leave their mark, the more so, the
> better, because it makes it easier to get to the bottom of it. If you were
> to skip steps now, you would also deprive yourself of opportunities to hunt
> down criminals.
>
>
>
> *From: *Public <public-bounces at cabforum.org> on behalf of Ryan Sleevi
> via Public <public at cabforum.org>
> *Reply-To: *Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Date: *Tuesday, 28 November 2017 at 19:26
> *To: *Ben Wilson <ben.wilson at digicert.com>, CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject: *Re: [cabfpub] Obtaining an EV cert for phishing
>
>
>
> Just to square these comments:
>
>
>
> Kirk's position was that EV certificates provide a way of tracking those
> who'd commit crime online because they have to disclose identity.
>
> Gerv and James pointed out that the identity information is only as useful
> as it is vetted, and there's scenarios where the vetting may not be
> rigorous.
>
> Ben pointed out that it'd be a crime to lie to the government (although,
> as a broad statement, this varies by jurisdiction)
>
>
>
> By combining these views, it seems like we're in agreement that criminals
> who are willing to commit crime may need to commit crime to commit crime.
> That doesn't seem like the requirement to commit crime would deter a
> criminal from committing crime, but what do I know - I'm not a criminal (I
> don't think...)
>
>
>
> On Tue, Nov 28, 2017 at 12:50 PM, Ben Wilson via Public <
> public at cabforum.org> wrote:
>
> Gerv wrote: I would say that the EV Guidelines allow EV issuers to trust
> things which are QGISes because there's an assumption that information in a
> Government information source will have had some level of checking.
>
> I'd disagree.  QGISes are relied upon because everyone relies on them
> because lying to the government is a crime.
>
>
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Tuesday, November 28, 2017 10:46 AM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; James Burton <
> james at sirburton.com>; CA/Browser Forum Public Discussion List <
> public at cabforum.org>
> Subject: Re: [cabfpub] Obtaining an EV cert for phishing
>
> Hi Kirk,
>
> On 28/11/17 17:03, Kirk Hall wrote:
> > Thanks for the additional information, James.  In the end, the EV
> > Guidelines did exactly what they were designed to do – they provided a
> > way for the public to find you (as the company owner) if you used your
> > EV certificate and domain to do something wrong.
>
> They did, but only because he was honest. He is pointing out that it may
> not be difficult, due to the lack of checking, for a dishonest person to
> use fake information. I do think that's an issue of concern.
>
> I would say that the EV Guidelines allow EV issuers to trust things which
> are QGISes because there's an assumption that information in a Government
> information source will have had some level of checking. But it seems from
> this experience that this is not true in all cases. That concerns me. Do we
> have to agree that Companies House is not a valid QGIS?
>
> This is not a phishing issue, it's a more general "integrity of the EV
> process" issue.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>