[Servercert-wg] US Government recommends https for website identity

Eric Mill eric at konklone.com
Wed Mar 25 19:54:43 MST 2020


Krebs' criticism is seriously misplaced. The banner comes down when users
see text saying "An official website of the United States government", and
click a link saying "Here's how you know". The text in that banner then
answers the question of how you know you're at an official website of the
USG: because it's at a .gov URL, *and* because it's at HTTPS.

Being at a .gov URL is not enough alone, and neither is being at an https://
URL. But when .gov and HTTPS are combined, they actually do make a strong
technical guarantee that you are at the official government site and are
not being scammed.

The banner presents both HTTPS and .gov together, and gives an accurate
response to a specific prompt that the user must have seen (the banner only
comes down if they click on it), so I would strongly push back on calling
this misleading.

There is absolutely an increase in COVID-19 related scamming and phishing
and misinformation attacks right now -- not to mention the risk of
misinformation in an election year that could misrepresent official sites
describing polling places and times and other important information.

These attacks on members of the public are some of the biggest reasons why,
to protect the public and increase their own resilience to these kinds of
attacks, federal, state, and local government websites should be 1) moving
to .gov, and 2) moving to HTTPS. I'm disappointed that Brian Krebs chose to
criticize an effort to drive better official uptake and public awareness of
these two things at a time when they are most needed.

On Wed, Mar 25, 2020 at 2:00 PM Paul Walsh via Servercert-wg <servercert-wg at cabforum.org> wrote:

> Yes, this old chestnut again.
>
> There are members of this forum who are infinitely more connected than me
> within the US Government. So this is a call to action for someone to ask
> the US Government to stop with this madness…
>
> Many U.S. government websites now carry a message prominently at the top
> of their home pages meant to help visitors better distinguish between
> official U.S. government properties and phishing pages.
>
> They’re telling consumers: “The https:// ensures that you are connecting
> to the official website….” [1]
>
> This is a problem because, according to Trans Union:
>
> "As more consumers turn online for purchases, TransUnion survey finds 22%
> of Americans say they have been targeted by digital fraud related to
> COVID-19"
>
> And according to DomainTools, they have classified 60,000 COVID-19 related
> phishing domains.
>
> I’m not one to promote what we do at MetaCert, which is why most think I’m
> a CA fanboy. But we have built a threat intelligence system that classifies
> phishing sites, but more importantly, it verifies at mass scale for our
> “Zero Trust” browser extensions and API service.
>
> Here’s my point… on our backend, we have classified .GOV and .MIL along
> with more *regulated* TLDs - so when someone uses our software or API, every
> single URI to every single domain or sub-domain will display a green
> shield. You might remember my article on the CA Security blog - this is how
> we achieve a 100% track record with zero victims. So this again, should
> help to demonstrate why website identity UI inside browser and email
> software does in fact work well.
>
> There’s no reason why mainstream browsers can’t do the same as they’re
> regulated gTLDs and sTLDs. You don’t need CAs to verify those domains.
> Perhaps Microsoft, Google, Apple or Mozilla could build an extension
> similar to ours and focus only on .GOV websites as a way to test it out.
>
> [1]
> https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
>
> Thanks,
> Paul
> ------
> MetaCert CEO
> metacert.com
>


-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
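The two signals the banner text combines (an https:// scheme and a host under .gov) can be checked mechanically, and doing so shows why neither alone is sufficient: a phishing host can obtain an HTTPS certificate for a lookalike name, and an http:// page on a genuine .gov host gives no transport protection. The following Python is an added illustration written for this archive page; it is not code from the thread, from the U.S. government banner, or from MetaCert. The `OFFICIAL_SUFFIXES` tuple (.gov and .mil, the two TLDs Paul names), the `Verdict` class and the constructed sample URLs are assumptions of this example. It only evaluates the URL string the way the banner describes; certificate validation is still the browser's job.

```python
"""Check the two signals a ".gov + HTTPS" banner relies on, and report which one is missing."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption for this example: the restricted TLDs the thread mentions.
OFFICIAL_SUFFIXES = (".gov", ".mil")


@dataclass(frozen=True)
class Verdict:
    """Which of the two banner conditions a URL satisfies."""
    https: bool            # scheme is https
    gov_host: bool         # effective host is under .gov or .mil
    host: Optional[str]    # the host the browser would actually connect to

    @property
    def official(self) -> bool:
        # Both conditions together; neither alone is enough.
        return self.https and self.gov_host

    @property
    def reason(self) -> str:
        if self.official:
            return "https and .gov/.mil host"
        if not self.https and not self.gov_host:
            return "neither https nor a .gov/.mil host"
        return "not https" if not self.https else "host is not under .gov/.mil"


def classify(url: str) -> Verdict:
    """Evaluate a URL string against the two banner conditions.

    urlsplit().hostname drops userinfo and port and lowercases the name, so
    lookalikes such as "https://usa.gov@evil.example/" resolve to the real
    connecting host (evil.example) rather than the text before the "@".
    """
    parts = urlsplit(url.strip())
    host = parts.hostname
    if host:
        host = host.rstrip(".")  # "www.usa.gov." is the same host as "www.usa.gov"
    https = parts.scheme.lower() == "https"
    gov_host = bool(host) and any(host.endswith(s) for s in OFFICIAL_SUFFIXES)
    return Verdict(https=https, gov_host=gov_host, host=host)


# Constructed sample URLs (not taken from the thread) covering the common
# lookalike patterns a phishing lure would use against this banner.
SAMPLE_URLS = (
    "https://www.usa.gov/",                     # both signals present
    "http://www.usa.gov/",                      # genuine host, no transport protection
    "https://www.usa.gov.example.com/",         # .gov buried inside a .com name
    "https://www.usa.gov@example.com/",         # userinfo trick; real host is example.com
    "https://example.com/?next=https://usa.gov", # .gov only in the query string
    "https://WWW.CDC.GOV:443/coronavirus",      # case and explicit port are fine
)


def run_samples() -> Dict[str, str]:
    """Map each sample URL to the reason string, for a quick defender-side review."""
    return {url: classify(url).reason for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, reason in run_samples().items():
        print(f"{'OK ' if classify(url).official else 'NO '} {url}  ->  {reason}")
```

The point the thread argues is visible in the output: only the first and last samples pass, and each failing sample fails for exactly one of the two reasons the banner text names. In a real client this check belongs beside, not instead of, the certificate validation the browser already performs.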