[Servercert-wg] Displaying secure sites to Internet users

Ryan Sleevi sleevi at google.com
Mon Nov 18 08:37:26 MST 2019


On Mon, Nov 18, 2019 at 9:27 AM Christian Heutger <ch at psw.net> wrote:

> Problem statement: UI elements currently missing additional information on
> site operator supporting phishing, scamming and cybercrime
>
> Solution: Work on reliable standards, audit scheme and UI elements
>
> Subsolutions: Address all levels of measurements as mentioned before:
> preventive, detective, corrective
>
> Remember: 100% security is impossible
>

Thanks Christian. This certainly helps move the discussion forward.

I think we need to unpack "UI elements currently missing additional
information on site operator supporting phishing, scamming and cybercrime"
a lot more, because there are a lot of hidden assumptions:

Here are just a few that can be easily teased out with something as written:

Goal: Reduce the risk of phishing, scamming, and cybercrime
Assumption 1: Identity information reduces the risk of phishing, scamming,
and cybercrime
Assumption 2: Display of identity information to end-users is the most
effective means to make use of identity
Assumption 3: Identity information within certificates is reliable
Assumption 4: TLS certificates are the most effective means to provide
identity
Conclusion: The CA/Browser Forum should work on standards to display
identity information in certificates to reduce the risk of phishing,
scamming, and cybercrime.

Now, I don't think anyone would want to discourage the goal; that seems
noble.

However, each of those assumptions has a wide body of data showing that
they are flawed.

Those touting Assumption 1, which unfortunately includes some CAs in this
Forum, often make rather basic logical errors in doing so. The most
obvious, unfortunate, and glaring error is assuming, for example,
correlation equals causation. Anyone with a basic understanding of science
or statistics would urge caution here, especially when drawing from
multivariable studies that fail to account for confounding variables. For
example, a CA that misleadingly and grossly misrepresents the situation, by
suggesting that EV prevents phishing, is likely making a basic error that
even a grade schooler familiar with the scientific method could point out;
for example, it could simply be a correlation, or it could be caused by
price, or it could be caused by selection biases. We can clearly and
thoroughly rule out Assumption 1 as having any real or credible support,
and anyone promoting it as lacking in basic understanding of correlation
and causation.

Assumption 2 similarly has no support. Even more so, there's ample
peer-reviewed research in leading publications showing this is not the
case. Entire branches around Human/Computer Interaction and Industrial
Design are focused on the unreliability of the assumptions being made in
assumption 2, and how they lead to real and credible harm. I think we can
safely say that assuming the display is the method of protecting users is
intellectually flawed and deeply lacking.

Assumption 3 can be empirically shown as false, at least today. Again, the
set of CA incidents in the past two years show that there are systemic,
systematic flaws in the standards developed for identity vetting in
certificates by the CA/Browser Forum, and which, as they presently stand,
lead to highly inconsistent and unreliable information. Of all the
assumptions, however, this is one we can at least work towards fixing, but
in general, and broadly speaking, we see quite a few CA members strongly
opposed to any efforts to make certificates more reliable and trustworthy.
This opposition is potentially motivated by at least two competing
interests, which you've aptly highlighted earlier in the thread: 1) CAs
view "server operators" as the end users, because they're the ones that buy
the CAs' products, rather than the much larger community that relies on the
CA, as the CA only has the fiduciary relationship with the server operator
and 2) Efforts to improve identity generally mean more work for CAs, and
mean needing to say "no" to more users that fail to provide adequate means
and proof - thus meaning reduced revenue. Whether or not these are the
dominant motivators, it'd be foolish to overlook the incentive structures
that CAs have, much like it would have been foolish to overlook the
financial incentives of banking and lenders in the lead-up to the subprime
mortgage crisis - there's money to be made, even if it's harmful to the
world.

Assumption 4 is also questionable. It's one that the Forum initially made,
many years ago, when introducing EV, and so it's not unreasonable to be
tempted down that same path. But we've learned a lot more since then, and
we've come to realize that it's more important to help users be secure
online, wherever they are, and however they're accessing, and that means
providing encrypted communications to the domain they're intending to talk
to, free of interference on the wire by ISPs, snoops, and hackers. This
base level of security is essential, not just to online safety, but to
national cybersecurity, as previously shared by the former general counsel
to the FBI who previously championed against strong encryption, Jim Baker,
at https://www.lawfareblog.com/rethinking-encryption . The EV vetting
process runs counter to many of the goals of making encryption easy and
ubiquitous. This is, of course, specific to the question of TLS
certificates, and of course, the factors significantly change when we talk
about something delivered via means other than TLS.

So, we know there are a lot of shaky assumptions here, even for a reasonable
problem, and so the conclusion is just right out the window.

However, the process of working through this shows that there's real
opportunity for the Forum here, to work to improve its EV Guidelines, to
better understand if and how CAs might more reliably vet identity. This is
a multi-year effort, and only when there's even a rough hint at a decent
foundation, can or should we begin discussing whether and how that
information might relate to the goal. However, we have ample evidence -
from experience, and from how the underlying technologies work - that the
current solutions don't work, and have no relation to the problem. So it's
a bit foolish to look to UI to save us, when there are more fundamental
issues at play.