[Servercert-wg] Displaying secure sites to Internet users

[Christian Heutger]

Hi Ryan,

you’re welcome to provide input and suggestions on how to get the fundamentals running and then we can also talk about UI indicators. You point out, that you believe, they are not working and there are incidents, which show, there is room for improvement. But I haven’t read yet anything on about what to do exactly. You see pain points at CA interpration of the requirements, so then work on getting them more clear, you see baseline requirements are too loose, then provide better requirements, you see audits as been unreliable, then provide an audit scheme and model, which is working better, etc. You see UI indicator of EV doesn’t work, then provide thoughts on how to improve. Maybe there could be an extra step, seeing DV as currently reliable but lowest validation level (beside for sure no validation at all), current EV as a mid way and work on the best way, EV 2.0

Regards,
Christian

Von: Ryan Sleevi <sleevi at google.com>
Datum: Montag, 18. November 2019 um 16:38
An: Christian Heutger <ch at psw.net>
Cc: "servercert-wg at cabforum.org" <servercert-wg at cabforum.org>
Betreff: Re: [Servercert-wg] Displaying secure sites to Internet users



On Mon, Nov 18, 2019 at 9:27 AM Christian Heutger <ch at psw.net<mailto:ch at psw.net>> wrote:
Problem statement: UI elements currently missing additional information on site operator supporting phishing, scamming and cybercrime

Solution: Work on reliable standards, audit scheme and UI elements

Subsolutions: Address all levels of measurements as mentioned before: preventive, detective, corrective

Remember: 100% security is impossible

Thanks Christian. This is certainly help move the discussion forward.

I think we need to unpack "UI elements currently missing additional information on site operator supporting phishing, scamming and cybercrime" a lot more, because there are a lot of hidden assumptions:

Here's just a few that can be easily teased out with something as written:

Goal: Reduce the risk of phishing, scamming, and cybercrime
Assumption 1: Identity information reduces the risk of phishing, scamming, and cybercrime
Assumption 2: Display of identity information to end-users is the most effective means to make use of identity
Assumption 3: Identity information within certificates is reliable
Assumption 4: TLS certificates are the most effective means to provide identity
Conclusion: The CA/Browser Forum should work on standards to display identity information in certificates to reduce the risk of phishing, scamming, and cybercrime.

Now, I don't think anyone would want to discourage the goal; that seems noble.

However, each of those assumptions has a wide body of data showing that they are flawed.

Those touting Assumption 1, which unfortunately includes some CAs in this Forum, often make rather basic logical errors in doing so. The most obvious, unfortunate, and glaring error is assuming, for example, correlation equals causation. Anyone with a basic understanding of science or statistics would urge caution here, especially when drawing from multivariable studies that fail to account for confounding variables. For example, a CA that misleadingly and grossly misrepresents the situation, by suggestion that EV prevents phishing, is likely making a basic error that even a grade schooler familiar with the scientific method could point out ; for example, it could simply be a correlation, or it could be caused by price, or it could be caused by selection biases. We can clearly and thoroughly rule out Assumption 1 as having any real or credible support, and anyone promoting it as lacking in basic understanding of correlation and causation.

Assumption 2 similarly has no support. Even more so, there's ample peer-reviewed research in leading publications showing this is not the case. Entire branches around Human/Computer Interaction and Industrial Design are focused on the unreliability of the assumptions being made in assumption 2, and how they lead to real and credible harm. I think we can safely say that assuming the display is the method of protecting users is intellectually flawed and deeply lacking.

Assumption 3 can be empirically shown as false, at least today. Again, the set of CA incidents in the past two years show that there are systemic, systematic flaws in the standards developed for identity vetting in certificates by the CA/Browser Forum, and which as they presently stand, lead to highly inconsistent and unreliable information. Of all the assumptions, however, this is one we can at least work forwards fixing, but in general, and broadly speaking, we see quite a few CA members strongly opposed to any efforts to make certificates more reliable and trustworthy. This opposition is potentially motivated by at least two competing interests, which you've aptly highlighted earlier in the thread: 1) CAs view "server operators" as the end users, because they're the one that buy the CAs' products, rather than the much larger community that relies on the CA, as the CA only has the fiduciary relationship with the server operator and 2) Efforts to improve identity generally mean more work for CAs, and mean needing to say "no" to more users that fail to provide adequate means and proof - thus meaning reduced revenue. Whether or not these are the dominant motivators, it'd be foolish to overlook the incentive structures that CAs have, much like it would have been foolish to overlook the financial incentives of banking and lenders in the lead-up to the subprime mortgage crisis - there's money to be made, even if it's harmful to the world.

Assumption 4 is also questionable. It's one that the Forum initially made, many years ago, when introducing EV, and so it's not unreasonable to be tempted down that same path. But we've learned a lot more since then, and we've come to realize that it's more important to help users be secure online, wherever they are, and however they're accessing, and that means providing encrypted communications to the domain they're intending to talk to, free of interference on the wire by ISPs, snoops, and hackers. This base level of security is essential, not just to online safety, but to national cybersecurity, as previously shared by the former general counsel to the FBI who previously championed against strong encryption, Jim Baker, at https://www.lawfareblog.com/rethinking-encryption . The EV vetting process runs counter to many of the goals of making encryption easy and ubiquitous. This is, of course, specific to the question of TLS certificates, and of course, the factors significantly change when we talk about something delivered via means other than TLS.

So, we know there's a lot of shaky assumptions here, even for a reasonable problem, and so the conclusion is just right out the window.

However, the process of working through this shows that there's real opportunity for the Forum here, to work to improve it's EV Guidelines, to better understand if and how CAs might more reliably vet identity. This is a multi-year effort, and only when there's even a rough hint at a decent foundation, can or should we begin discussing whether and how that information might relate to the goal. However, we have ample evidence - from experience, and from how the underlying technologies work - that the current solutions don't work, and have no relation to the problem. So it's a bit foolish to look to UI to save us, when there's more fundamental issues at play.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191118/6f38f163/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3860 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191118/6f38f163/attachment-0001.bin>