[Servercert-wg] Displaying secure sites to Internet users

Christian Heutger ch at psw.net
Fri Nov 15 10:19:17 MST 2019


  *   It's a bit confusing to suggestion "Encryption alone is just one piece of the puzzle.". As noted with to others, if you'd like to productively contribute, to offer new or useful insight, it might be useful to sit down and define a problem.

  *   It should be noted that defining a problem is not about saying "You don't use my solution". For example, saying "Corporate identity is not displayed by browsers" is not a statement of a problem, it's a statement that a preferred solution is not adopted. By being thoughtful, clear, and concise about the problem to solve, we can then discuss the appropriate approaches and technologies. It's important to remember that certificates are not the only means of expressing identity, and TLS is not the only means of delivering certificates, so we know that any discussion of identity well exceeds what this Forum is qualified to discuss.

Problem description is easy. The internet by design is an anonymous place. But if you like to do transactions via the anonymous internet (online shopping, online banking, providing privacy concerned data, …), identity would help to increase trust (and security as well, information security is been based on confidentiality, integrity and availability, but also authenticity, reliability, non-repudiation and accountability) to be sure, to whom you transfer your data, where you place your orders, where you try to login etc. Phishing is one of the strongest factor here, but also to prevent from cybercrime, e.g. being on a valid website of a valid company, public organization etc., which may be trustful to work with (or could use the information to check, if it’s trustful in your point of view). As e.g. whois data is now been hidden because of GDPR and similar privacy regulations (although you couldn’t rely on, as the data is not validated), it’s getting harder and harder to differentiate valid and trustful sites from phishing, scam and other ways of cybercrime. Phishing sites and cybercrime increase and look to be reliable by being encrypted and “secure”. Recent education of companies, organisations, … based on “look for https” which recently was a trust factor, time ago before DV, now it isn’t any more, as it lost validation (authenticity) factor. That’s the problem description. You need to look at noobs, not at internet professionals. You won’t be able to educate them on how to check the involving quality of phishing, scam (e.g. piracy sites) and cybercrime (e.g. “copied” valid webshops), check the website for any evidence of possible curiosities. It must be a solution, which can be adopted by many and trained with ease. Browser and platform independent.

  *   Additionally, do you have any suggestions on how to ensure the identities expressed in certificates today are reliable? We have ample evidence that the information presently expressed in EV certificates cannot be relied upon, and that the standards (such as the EV Guidelines) do not provide the necessary or sufficient guidance to ensure the information is reliable. It would be interesting to see proposals on that, based on the lessons from the many CA misissuance events. If you're not familiar with them, https://wiki.mozilla.org/CA/Incident_Dashboard is an excellent collection of systemic issues, which have affected the majority of EV certificate issuers (by volume and by reliance), and it'd be essential that prior to any continued discussion of certificates, these issues be comprehensively addressed. This seems like it will take multiple years, and given that few (if any) CAs are stepping forward to systemically ensure there's a consistent level of validation, so that relying parties can have confidence, so it might be more productive to focus on that first. After all, what's the point of discussing identity here in the Forum, if, as is obviously demonstrated, the EV Guidelines does not provide any assurance that CAs can be relied upon to validate it consistently and correctly

Issues are from different point of view. Once it has been shown, that companies may register themselves with a similar name to a popular brand (same for domain names es well) and may be able to get a valid EV certificate therefor. On the other hand for sure, mistakes have been done in the past as well. So it’s three level measurement required: 1. Use solutions, which prevent mistakes as far as possible, are proven and reliable identity factors with enough uniqueness to distinguish from other identities like LEI, this solution may also be able to involve some point of automation, which currently is somehow impossible with every legislation having different ways for identity documentation on companies, organisations, etc., 2. find a differentiation factor to display first (as most users should, but won’t click to verify additional information), which is reliable and distinguish the best between identities been expected. I recommend here trademarks, although many CA and other players may decline (however, same as your offer, then please bring up an alternative idea, displaying the LEI number?), because there as trade mark system is well established and depend on company size (going linear with possible impact of misissuance) they have legal departments protecting their trademarks, also for sure, it’s not for the masses, but I also believe in DV and EV being able to co-exist, DV is enough e.g. for private blogs and websites, so for sure, it’s decreasing possible market segments to trademark holders or similar reliable data (e.g. public organisations should be able to show their name there as I don’t believe anyone can setup a company named Federal Trading Agency, hopefully), but I won’t expect everyone should have (or be required) to have an EV. So if you’re not required to place data there or be able to trust transaction integrity/authenticity, why should they require a EV cert. Everyone, who wants to do business or operate data (usually for profit) has also other administrative costs, which may involve registering a trademark for their company name, it’s highly affordable. Again going back to linear impact and trust need, smaller players won’t be interesting for phishing, scamming or cyber crime – so sorry, I’m german, you may use Google Translator – why should a “Tante-Emma-Laden” require an EV cert. 3. Meanwhile LEI may provide automation, easier and more reliable validation, so being a preventive factor, additional there should be a detective and corrective factor as well. So CA should be required to use monitor systems of misissuance. I know, there exist some as well as users brought misissuance to your attention for the dashboard linked above, so there could be the requirement to use such services, provide an anti-abuse platform/service, to be able to determine misuse as fast as possible, revoking the certificate as soon as possible on misissuance.

So that are may problem and solution description. And I would be happy (as being my point of view of reason for this forum) instead of declining any of my topics and ideas above go into discussion and provide alternatives for facing the problem, defining the problem, solving the problem etc. As giving ISO 27001 information security trainings and classes as well just ending up in the exam today, it has been proven, that I’m not the only one seeing this problem and asking for a solution.


On Fri, Nov 15, 2019 at 10:58 AM Christian Heutger via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

if all of that fail in your opinion, what’s your recommendation? No identity at all is no solution. Encryption alone is just one piece of the puzzle.


Von: Burton <burton at typewritten.net<mailto:burton at typewritten.net>>
Datum: Freitag, 15. November 2019 um 14:18
An: Christian Heutger <ch at psw.net<mailto:ch at psw.net>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Betreff: Re: [Servercert-wg] Displaying secure sites to Internet users

I don't agree.

Moving back to an identity type security indicator is a bad idea. It's a bad idea because extended validation was an identity type security indicator and it has all sorts of issues and that caused it to fail.

Social media check marks are now becoming an issue because people are mistaking them are status symbols not identity and even then check marks are not good identity status as there has been many instances of accounts with check marks being used for phishing.

Doing a traffic light identity security indicator has been kinda been done in IE7 (green: EV, yellow: Mixed content / revocation checks, Red: Untrusted / Bad certificates ) and didn't work properly. Also using traffic light colours for identity is a bad idea for people with colour disabilities.

Using trademarks are identity status might work for large companies but is largely unfeasible for the majority of companies.

Overall, identity type security indicators are a bad idea given that it has been tried before and failed to work as intended. Unless one can design an identity type security indicator that works for all users and is implemented the same across browsers and does what it says on the tin then great! Otherwise it's the same as EV and it has no chance.

Thank you


On Fri, Nov 15, 2019 at 11:18 AM Christian Heutger via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
Fully agree.

And there exist indicators for the second factor of certificate based encryption (which wouldn’t require certificates, if encryption is the only reason for SSL/TLS, but by design it wasn’t), e.g. the checkmarks at social networks indicating a prooven profile of e.g. a VIP. And also that proofment is similar to what CA does and always is able to be improved, but it’s better than nothing and help to de-anonymize the internet on topics, where identity is important. Cryptography is not only about encryption, it’s also about integrity as well as authenticity. Reducing the number of information security aspects been covered by a solution may make it more reliable, but also remove important factors from its value. So if validation is not free from mistakes, it’s a worse decision to remove the factor at all instead of improving the factor, also in sense of demand of the user base. What was the bigger trouble with EV wasn’t the rare validation issues but that the normal end user won’t expect a green address bar to be able to be shown as they are not aware of the possibility of additional levels. So it would require a different UI indicator, which help the user to expect, that there could be something more, e.g. showing a padlock on encryption and no or a striked padlock without encryption and work similar on validation. I recently promoted to use colors like on traffic signs therefore (red = no validation, yellow = weak validation (DV), green = strong validation), but that seems not to been adopted. So the checkmark, which got common in social networks, would be a good alternative.

Instead of companie names to be validated base on trademarks would also be an idea, trademarks are much harder protected than company names (also often impossible to prevent a company from naming themselves the same as existing companies), there are legal departments doing nothing else than that.


Von: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> im Auftrag von Kirk Hall via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Antworten an: Kirk Hall <Kirk.Hall at entrustdatacard.com<mailto:Kirk.Hall at entrustdatacard.com>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Datum: Freitag, 15. November 2019 um 01:08
An: Paul Walsh <paul at metacert.com<mailto:paul at metacert.com>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>, Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>>
Betreff: Re: [Servercert-wg] Displaying secure sites to Internet users

Paul - +1.  Please do start drafting a problem statement.

One half of the Forum’s stated Purpose at Bylaw 1.1 is “creating a more intuitive method of displaying secure sites to Internet users”.  Obviously, “secure sites” means more than simple encryption – otherwise, all the encrypted phishing sites would be considered “secure”.

It doesn’t sound like any of these other groups are working on identity issues and the UI, so I’m not sure what the point would be of moving the Forum’s own discussions there.  And there is no reason why we can’t have multiple expert groups working on similar issues at the same time – perhaps there can be cross-collaboration over time.  Plus, I’m not keen on moving Forum discussions to any group that charges to be a member, and the Forum is already set up with bi-weekly teleconferences and three F2F meetings a year.  So it’s better for the Forum to work on one of our two stated Purposes right here.

Finally, if the browsers are working together on URL UI issues outside of the Forum, it would be great (and much appreciated) if you all would update CAs in the Forum from time to time – we worked together collaboratively on UI issues in our early years, and could do so again.

From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Paul Walsh via Servercert-wg
Sent: Wednesday, November 13, 2019 9:04 PM
To: Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: [EXTERNAL]Re: [Servercert-wg] Displaying secure sites to Internet users

On Nov 13, 2019, at 7:03 PM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

During our most recent F2F, there was a presentation about ways to display secure sites to Internet users. Despite the stated topic, most of the discussion focused solely on identity expressed in certificates, which is only part of the picture.
This limited view overlooked a number of the considerations involved in establishing and communicating secure connections. This prompted my questions of whether the proposers had examined other Standards Developing Organizations ("SDO"s), and if the CA/Browser Forum was the appropriate venue.

[PW] I acknowledge what you say about other forums and the benefits you attribute to them, but can you please explain why you think this can’t happen inside this forum?

Browsers are already collaborating in other SDOs with domain experts across industry on topics, including the display of secure sites to Internet users. Given the complexities of modern web security, and the difficulty of presenting understandable and actionable information to users, new work would be most usefully presented in such forums, which can be done without being an existing member or needing to apply to be one.

[PW] Encryption and UI for website identity are very different. They require people with different skills. Identity UI requires product people and UX designers. We don’t need more engineers for this problem/solution. Right now we mostly have plumbers telling us why people are walking past our house without looking at it. They’re great plumbers, so they’re great at plumbing. They’re probably not the best people to tell us how to decorate our home though.

The primary venue for this collaboration are within the W3C’s Web Incubator Community Group ("WICG"). It is through efforts like WICG, which are used to house and build interest in nascent ideas for the Web that solve real problems for users and developers, that mature specifications are created and adopted.

[PW] I co-instigated the first ever W3C Incubator Group in 2006 [1] with Phil Archer. The WICG sounds extremely similar. Following a year of incubation, our project went onto a Full Recommendation Track, formally replacing PICS in 2009 [2]. Our Recommendation was never adopted, for numerous reasons, even though it had support from some browser vendors and other major potential implementors. Some browser vendors still use PICS today.

An example of where browsers are already actively collaborating is on the WHATWG URL standard<https://url.spec.whatwg.org/>, which similarly provides the necessary IP protections while providing opportunities for open collaboration. It has already developed a number of guidelines on the more intuitive display of secure sites to Internet users. These guidelines, which have evolved through rigorous and peer-reviewed usability research, and combined with the deep technical expertise involved in how modern Web security works, reflect a number of the industry best practices.

Proponents advocating for the Forum to charter a new Working Group should be able to articulate and explain the problem they are seeking to solve, and then communicate how their proposed solution fits to solve that problem. This approach, where the problem to be solved is clearly explained first<https://www.w3.org/blog/2015/07/wicg/#what-s-the-process->, has been highly successful for collaborations on evolving the Web, and is the core approach for most modern Web standards work. This process helps ensure the problem is well understood and can bring to light any faulty assumptions or premises, which is key to assessing how well different options addressing them might work.

[PW] I’m pretty confident that almost everyone who needs to be involved, knows what the problem is.

I’m happy to write a problem statement and a proposed solution to get something started. I’ve contributed to a lot of W3C initiatives and specifications and I still think this forum is the most suitable place for this particular work. This forum was started and built to address Internet Security from the perspective of encryption and identity.

As a side note, how do you feel about the lack of privacy for visitors of the W3C Incubator Community Group Charter URI? [3]

Given the flexibility and open-access provided, along with strong IP protections in place with the organizational support of the W3C, the WICG does seem like an excellent starting point for any specific problem statements and abstract proposals, as a natural evolution for long-standing collaborations and discussions within the Web security community. You can learn more about the process of making and evolving proposals with the WICG here<https://www.w3.org/blog/2015/07/wicg/>.

[PW] We could easily put together a small team of respected independent industry experts from various stakeholders to help manage the project.

[1] https://www.w3.org/2005/Incubator/
[2] https://www.w3.org/2005/Incubator/wcl/XGR-wcl-20070220/#appendix1
[3] http://wicg.github.io/admin/charter.html


- Paul

Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/d643f217/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3860 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/d643f217/attachment-0001.bin>

More information about the Servercert-wg mailing list