[Servercert-wg] Displaying secure sites to Internet users

Christian Heutger ch at psw.net
Fri Nov 15 13:09:38 MST 2019


Hi,


  *   This is an interesting essay, about a wide variety of topics unrelated to certificates and the CA/Browser Forum, but it's unclear what you believe the "problem statement" to be. I'm hopin you might be able to refine it further?

SSL/TLS certificates have been introduced from my point of view for encryption and authentification (two security factors based on information security definition, refer to ISO 27001). Where DV (from technical point of view) and “secure”/”non-secure” (from UI point of view) left it up was encryption only (confidentiality without any more authentification). UI changes also proof, that the value of authentication has been deprecated by Google Chrome and Mozilla Firefox. From my point of view, the problem is the gap, this evolution arise. There is a need of authentification on the internet and certificates are the best way to provide such (from my current knowledge) and the CA/Browser forum should be the platform to discuss on how to re-establish this third party check and get as well keep it reliable.


  *   It might also be helpful to make sure it's historically accurate. For example, "look for https" was never a trust factor, and the Forum's archives make it clear that any suggestion of that was due to CAs misleading and confusing their users.

If so, CA seems to have the best marketing ever. Better than everyone else, including Google, to stop that. In the past, it was a valid trust factor. In 1995 I entered the internet first and was happy to be able to see such trust factor been added. Googling for HTTPS is secure, you get 2.570.000.000 results! For sure, newer entries state, that it seems to be not secure *any more*. Just think about, it’s your own search engine results! There are many evidences of such statements from reliable organisations, which I won’t expect to be influenced by CA and your browser (most recently) stated as well https to be secure if connection is encrypted. However, I agree with being on a secure encrypted connection, but missing additional factor of third party authentification, which should be involved and was involved in certificate handling, stated as description for public key infrastructures in 327.000.000 hits on your search engine. Not only for exchanging private and public keys.


  *   In any event, hopefully that will encourage you to actually define the problem to solve, which you can then discuss how your preferred solution helps.

Problem: Bring authentification (information security goal of authenticity) (back) to SSL/TLS ecosystem for deanomyzing the internet on users behalf not to fell victim of phishing, scaming and cybercrime. An additional factor is authentification therefor and a valid measurement are certificates issued by reliable third parties.

Better? Otherwise, you’re welcome to optimize as I’m sure, you understand, what I’m looking for, although you may see the solution be not covered by certificates or CA/B forum.



  *   This is a very long response, but it's not clear to me you read the related issues. I'm afraid much of what you said was unrelated, and so it's unclear to find out how this relates. It sounds like you may not have any suggestions for how CAs might better validate identity, which may further the idea that CAs are poorly placed to validate identity, and that the EV guidelines are woefully inadequate. There's always opportunities to discuss something new, but that seems to further emphasize that the CA/Browser Forum is hardly the place to do it, if many of the members don't have the necessary technological skills to articulate a clear and consistent identity validation process.

As mentioned before, then suggest one and let’s discuss on how to get this one established. As mentioned, I just finished training (one week of giving training and prepared slides for another training in the evenings next week), so I didn’t check the whole list. However, your (sponsored) CA (Let’s Encrypt) also had strange issues on first audit as well also occur on the list, your own CA is also on the list as well, looking for Chrome bugs, Google bugs at all (e.g. your Google Plus network and how you handled the security issue) is also the most poor possible handling of security issues, so no-one is without failures. However, such failures should be used to improve the system instead of shaming the system. Otherwise no-one should code anything anymore, establish any more online service etc., if we want to prevent from any failures. However poor handling should be improved to prevent any future occurrence. So what I wrote in my long response was from an information security point of view suggesting measurements to mitigate the issues arised: Base validation on information provided by a platform of identity validation as well and use their APIs and access to data for the certificate (issue 1548713, 1551352, 1551372, 1567456, 1575880, 1577913, 1589047, 1590810, 1593357, …) as well using post-verification services (check back with e.g. Netcraft, which of the issues on your list are covered by their monitoring systems, I would expect all of the technical topics on your list (I just rough estimate 70-80% of your listed items) are also listed there and it could be a corrective action to be required to use such services and for as well work on such items). The list itself also seems to work as an issue arise board, I see people there having assigned issues, which I know by name or also personally, so it seems, the issues come up to the people, which need to work on. As I also know some of the issues, I also know, that they are worked on as well, so maybe it’s not as quick as you expect, but it doesn’t look like no-one cares about. And once again, I just saw (and that’s what arised in the public) similar issues related to Google products and solutions, so no-one works without failures, the most important is, that failures are taken to be worked on and result in continual improvement.

Sorry for my bad english, being a bit tired from the last days as it’s not my native language.

Regards,
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/8f77d2e9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3860 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191115/8f77d2e9/attachment-0001.bin>


More information about the Servercert-wg mailing list