[Servercert-wg] US Government recommends https for website identity
Paul Walsh
paul at metacert.com
Wed Mar 25 13:59:48 MST 2020
Yes this old chestnut again.
There are members of this forum who are infinitely more connected than me within the US Government. So this is a call to action for someone to ask the US Government to stop with this madness…
Many U.S. government websites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages.
They’re telling consumers: “The https:// ensures that you are connecting to the official website….” [1]
This is a problem because, according to TransUnion:
"As more consumers turn online for purchases, TransUnion survey finds 22% of Americans say they have been targeted by digital fraud related to COVID-19"
And according to DomainTools, they have classified 60,000 COVID-19 related phishing domains.
I’m not one to promote what we do at MetaCert, which is why most think I’m a CA fanboy. But we have built a threat intelligence system that classifies phishing sites, but more importantly, it verifies on mass scale for our “Zero Trust” browser extensions and API service.
Here’s my point… on our backend, we have classified .GOV and .MIL along with more *regulated* TLDs - so when someone uses our software or API, every single URI to every single domain or sub-domain will display a green shield. You might remember my article on the CA Security blog - this is how we achieve a 100% track record with zero victims. So this, again, should help to demonstrate why website identity UI inside browser and email software does in fact work well.
There’s no reason why mainstream browsers can’t do the same as they’re regulated gTLDs and sTLDs. You don’t need CAs to verify those domains. Perhaps Microsoft, Google, Apple or Mozilla could build an extension similar to ours and focus only on .GOV websites as a way to test it out.
[1] https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
Thanks,
Paul
------
MetaCert CEO
metacert.com