[Servercert-wg] Identity in browser UIs

Paul Walsh paul at metacert.com
Thu Nov 7 11:42:34 MST 2019


I just received a Google alert with a list of today’s security issues. I thought I’d share this one as it’s timely and helpful. 

While we debate the bylaws, this is what’s happening outside our echo chamber:

According to the APWG’s new Phishing Activity Trends Report, the number of phishing attacks continued to rise into the autumn of 2019. The total number of phishing sites detected by APWG in July through September 2019 was 266,387. This was up 46 percent from the 182,465 seen in the second quarter of 2019, and almost double the 138,328 seen in Q4 2018.

“This is the worst period for phishing that the APWG has seen in three years, since the fourth quarter of 2016,” said Greg Aaron, APWG Senior Research Fellow and President of Illumintel Inc.

In addition to the increase in phishing volume, the number of brands that were attacked by phishers in Q3 was also up notably. APWG contributor MarkMonitor saw attacks against more than 400 different brands (companies) per month in Q3, versus an average of 313 per month in Q2. Stefanie Wood Ellis, Anti-Fraud Product & Marketing Manager at MarkMonitor, noted: “The top targeted industries are largely consistent with previous quarters. Webmail and SaaS sites remained the biggest targets of phishing.”

https://www.businesswire.com/news/home/20191105005324/en/APWG-Q3-Report-Phishing-Attacks-Highest-Level

I’d like to add that over 90% of all new phishing sites use a DV certificate to ensure consumers aren’t drawn to the “Not Secure” warning that browsers now provide. Browser vendors think the removal of the padlock helps. Yet another UI/UX design mistake. I think this is bad because even more consumers will come to rely on the presence of DV - irrespective of whether there is a positive visual indicator or not.

Of all the new phishing sites created, over 93% of them are issued by Let’s Encrypt. Let’s Encrypt is mostly used because certs are free and automatically issued. Encryption is great. Let’s get more of it. But, if there are negative things happening as a direct result, shouldn’t we talk about it? I’m blown away by the lack of discussion around this.

According to Google, boutique phishing has a shelf life of 7 minutes while bulk phishing is 13 hours - even if you think this is crazy wrong because it’s too short, it’s generally accepted that phishing usually has a life expectancy of less than 24 hours. Outside the discovery of phishing kits, the entire concept of URL blacklists is important, but it’s not solving the problem. It’s mathematically impossible to detect every new dangerous URL and reverse-proxy servers that even bypass 2FA make matters worse.  

We should research a new approach that involves telling people and machines what’s “safe” or “good”, or whatever we call “not deceptive”. This is where website identity comes in.

0 = the number of phishing sites reported in the past 15 years where criminals went to the trouble of setting up a company for the purpose of obtaining an EV certificate - please correct me if I’m wrong. 

Every type of identity verification system in the world can be cheated. EV can be cheated, but it hasn’t actually happened outside a few researchers looking to prove that it can be cheated. 

Let’s Encrypt is *not* to blame for phishing in my opinion and they shouldn’t be held accountable. But I do think they should try to do something to tackle the problem. I mean, 14,000 certs issued to domains with the term PayPal is a little weird. I’ve been building URL based threat intelligence systems and content filtering systems since 2004, so I know it’s time consuming, hard and expensive. But it can be done. We all have a moral obligation to reduce the risk of our technology being used for bad.

If anyone wants to focus on the weaknesses of CAs let’s start there and come up with industry-wide revocation processes and tools that everyone agrees to make best endeavors to use. 

If EV and website identity worked as designed by the genius creators, the verification process would need to be improved in order to reduce the risk of it becoming a new attack vector - but we can cross that bridge separately.

Thanks,
Paul



> On Nov 7, 2019, at 9:49 AM, Paul Walsh <paul at metacert.com> wrote:
> 
> Apologies in advance for my long response. I’m not a good writer, so I’m unable to use fewer words. 
> 
> I have a particular way of looking at these things. 
> 
> “Are we doing the right thing right now?” If the answer is yes, keep going. If the answer is no, change what we're doing. 
> 
> Bylaws, websites and all other documents can be updated at any time to reflect what we should be doing. We all know that you don’t build a product and just leave it because it was specified to work that way in a document. You iterate the product until you achieve a product/market fit. [1] 
> 
> Browser UI for identity was never iterated until it achieved product/market fit. For this reason, nobody can ever say “identity doesn’t, or can’t work” - there is no evidence to prove this hypothesis.
> 
> Asking people if existing UI works for them isn’t enough. Mozilla pointed me to a paper that included 25 subjects broken into 3 groups - 14 years ago. I hope I don’t need to explain why this is as far from meaningful data as one can get. There is a Google paper too, but it’s positive bias without meaningful testing. When I asked an upcoming browser vendor about identity they said “there’s no ROI for us”. 
> 
> Rather than over engineer this conversation by referencing words in the bylaws, why don’t we ask ourselves, “is it important to discuss identity right now, in the context of current market conditions?” What are the actual cybersecurity issues today? Answer = deceptive websites is #1. 
> 
> Scott, I wrote in great detail the reasons why I personally believe there is a critical need for new website identity [2]. In my article, I provide a ton of data points while referencing the security firms responsible for them. None of those companies are CAs. My startup is not a CA. I have never worked for a CA. While it’s possible that many people will disagree with my conclusions, nobody can say they’re biased. If anything, my startup does more harm to CAs, in theory, as we verify millions of domains without charging website owners. But I’d rather use their EV data.
> 
> With 85K active power users relying on a new visual indicator for identity and zero victims over an 18-month period, this should be discussed and questioned [1]. Website identity *does* work.
> 
> I expressed these opinions on the Mozilla security forum before they removed identity UI from Firefox 70.0. I was met with zero meaningful debate - only the usual CA-hating comments about how EV is dead. They usually end up showing their true colors - their dislike for companies making money out of verification. In fact, Mozilla didn’t even mention the removal of UI until I pointed it out. They then updated their release notes with a single bullet point referencing “EV” - as if mainstream Firefox users would know what that is - which proves my point about browser vendor education around this topic.
> 
> And these CA-haters are the same open source advocates who go through KYC across multiple crypto wallets and exchanges, and are happy for their personal data to be stored by people who are smoking cannabis on the beach while building small banks. I know because we protect more people in crypto than all other companies combined. It’s insane how much phishing is a problem and it’s only getting worse. It’s almost 2020 and deceptive websites and URLs continue to get worse. Srsly?!
> 
> It’s worth pointing out that my COO started and built the Firefox developer evangelist community and my engineers built the official browser add-ons for digg, Delicious, Yahoo!, eBay, PayPal, Microsoft and Google. So we respect browser vendors and the developer ecosystem. But there’s too much arrogance amongst browser vendors today. Happy to discuss my thoughts on DoH and HTTPS Everywhere too - not the concept or benefits, but the execution and railroading of their implementations. I digress so let’s not go there.
> 
> Here’s the article on the CA Security Council website: https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/
> 
> Based on the negative feedback, I added more context to the article in the hope it would change some perceptions, and published it on Hackernoon because it also has hundreds of thousands of readers: https://medium.com/hackernoon/the-insecure-elephant-in-the-room-12d98846b6f7
> 
> In regards to comments about taking this “conversation” to the W3C - I disagree. I co-founded the Mobile Web Initiative, I co-instigated the Standard for URL Classification / Content Labeling that formally replaced PICS in 2009, was one of the first invited experts to the Semantic Web Education & Outreach Program and I contributed to the Web Accessibility Initiative. Standards take time - you’re looking at 4 years. Taking this to the W3C would be as useful as asking your wife or husband of 20 years how they like their coffee. 
> 
> Even when you end up with something (Recommendation, Best Practice or whatever they’re called these days), you need “implementations”; without implementations, standards die. In the context of this conversation, browser vendors are the implementers. If you each give me those membership fees instead, I’ll set up a new foundation to replace this one and the security council with a more independent and far reaching solution for industry ;-)
> 
> In my opinion, this is the perfect place to discuss identity. I would even recommend redesigning the website and updating the purpose and bylaws to reflect what is needed today. 
> 
> Every cybersecurity report can only help us conclude that we as an industry are failing. Attacks and data breaches are on the rise and most of them start with people trusting a deceptive website. I read about new companies getting more funding because they’ve tweaked their anti-phishing AI-based solutions. They ain’t going to fix the problem any better than the companies that were funded yesterday. It’s like playing a game of whack-a-mole. 
> 
> Are we solving the biggest security problems today? No, we are not. And it’s almost embarrassing. Privacy is critical so I love encryption. But that’s all anyone seems to talk about. There’s no talk about “safety” which is privacy’s big sister. She’s being neglected. We are making connections more private to deceptive websites where threat actors steal credentials and then use them on other important systems to compromise a company. Encryption is important but we need to discuss the negative aspects of it.
> 
> The Global Director of Sales at a major security firm that I respect recently published an article on LinkedIn that recommended customers look for the padlock to know they’re on the right site. It has since been removed because I wrote to him in person to highlight the danger this puts people in. If security companies are getting this wrong, how can we expect consumers to get it right?
> 
> [1] https://blog.growthhackers.com/using-product-market-fit-to-drive-sustainable-growth-58e9124ee8db
> [2] https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/
> 
> Cheers :)
> Paul
> 
> 
>> On Nov 6, 2019, at 11:49 PM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
>> 
>> Let's not confuse descriptive and prescriptive.
>> 
>> What someone has done in the past ("have worked") is not a statement about what they'll do in the future.
>> 
>> A different way to frame it:
>> Members of the CA Browser Forum have misissued a significant number of certificates.
>> 
>> If you read that, one interpretation - the interpretation offered by CAs that argue that the above sentence in the Bylaws defines the Forum's purpose - would naturally conclude that similarly, misissuing certificates is a fundamental purpose of CAs/the CA/Browser Forum. Whether it's in the Bylaws or not is inconsequential.
>> 
>> Another way to read it, the way I'm sure a number of members would prefer, is that it's a statement about something that has happened in the past, as context and explanation, but in no way binds or defines what they will do in the future. It's descriptive, not prescriptive.
>> 
>> When we say that Members of the CA/Browser Forum have done something, whether in the Bylaws or in a post, we simply describe what they did. Not what they do, not what they will do, not who they are, and not their raison d'etre.
>> 
>> On Thu, Nov 7, 2019 at 2:15 AM Kirk Hall via Servercert-wg <servercert-wg at cabforum.org> wrote:
>> Two quick responses – it’s not true that Bylaws represent what an organization did in the past – Bylaws are a living document specifying what the purposes of the organization are today.  A Bylaw doesn’t become inactive unless and until it is deleted.  This language was on the Forum’s website for years until 2012, when it was added to version 1 of the Forum’s current Bylaws.
>> 
>> Bylaw 1.1 Purpose of the Forum:
>> 
>> The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading Certificate Issuers (as defined in Section 2.1(a)(1) and (2) below) and vendors of Internet browser software and other applications that use certificates (Certificate Consumers, as defined in Section 2.1(a)(3) below).
>> 
>> Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.
>> 
>> Also, Ryan suggested that the Forum should not discuss “creating a more intuitive method of displaying secure sites to Internet users” but instead should move the discussion to the W3C.  Here are the membership fees for W3C.  Why should Forum members have to pay $25,000-$77,000 to talk about the browser UI in W3C when we can talk about it for free under Bylaw 1.1 in the Forum???
>> 
>> https://www.w3.org/Consortium/fees?countryCode=US&quarter=10-01&year=2019#results
>> 
>> Fee Table For United States
>> Organization Type in United States (HIC category: http://data.worldbank.org/country)
>> Annual Fee for Memberships Starting 2019-10-01
>> 
>> - For-profit organization that has annual gross revenue, as measured by the most recent audited statement, of greater than or equal to 1,000,000,000 USD: 77,000 USD
>> - For-profit organization that has annual gross revenue, as measured by the most recent audited statement, of greater than or equal to 500,000,000 USD and less than 1,000,000,000 USD: 68,500 USD
>> - Introductory Industry Membership (https://www.w3.org/2014/08/intromem), available for two years to a for-profit organization that has annual gross revenue, as measured by the most recent audited statement, of greater than or equal to 50,000,000 USD. Participation limited to one Interest Group: 34,250 USD
>> - For-profit organization that has annual gross revenue, as measured by the most recent audited statement, of greater than or equal to 50,000,000 USD and less than 500,000,000 USD: 25,000 USD
>> - All other organizations, including non-profit organizations and government agencies: 7,900 USD
>> - Enterprises and non-profits with 10 or fewer employees, with revenues below 3,000,000 USD, who have not been W3C Members in the previous two years. This fee is not applicable to membership organizations (https://www.w3.org/Consortium/Process/#MemberConsortia) generally, but is available to non-profit organizations of individual members. This fee applies for the first two years of W3C Membership: 2,250 USD
>> 
>> 
>> From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Scott Rea via Servercert-wg
>> Sent: Thursday, November 7, 2019 2:36 PM
>> To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
>> Subject: [EXTERNAL][Servercert-wg] Identity in browser UIs
>> 
>> 
>> G’day Folks,
>> 
>> 
>> I listened to Chris’ presentation today at the CABF F2F 48. There are a couple of things I am not clear on…
>> 
>> 1. What is the list of WG’s that Browsers are already participating in where Identity UI is being discussed? Can the participating Browsers please post a list of WG’s or forums they are participating in where this is discussed?
>> 2. Secondary to the above, which of these are potentially open to CAs participating in them?
>> 3. If CABF previously voted to stop work on coordinating Identity UIs, it would be good to understand the context for that decision – and I understand that potentially Ryan may be able to provide the documentation for this.
>> 4. In respect to the alleged decision from #3 above, or any decision the CABF has made in the past, is there some prohibition in our by-laws that stops us from ever discussing it in future?? If the membership wants to take a fresh look at this particular issue/opportunity, aren’t we free to do so?
>> 5. If there are forums where this is being discussed today, wouldn’t it be more efficient to coalesce an Industry perspective in CABF and then send a representative to those forums to convey that perspective, rather than waiting for individual players to show up piecemeal to provide their perspectives?
>> 
>> I don’t have the historical context of the decision to work on this issue or not work on it, but it certainly seems to be a hot topic of interest today, and I am wondering, if there is support for this in the CABF, why we can’t proceed to seek to address this like any other issue we identify?
>> 
>> Regards,
>> 
>> -Scott
>> 
>> Scott Rea
>> Senior Vice President - Trust Services
>> Level 15, Aldar HQ
>> Abu Dhabi, United Arab Emirates
>> T  +971 2 417 1417
>> M +971 52 847 5093
>> E  Scott.Rea at darkmatter.ae
>> darkmatter.ae
>> 
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> http://cabforum.org/mailman/listinfo/servercert-wg
> 
