[Servercert-wg] US Government recommends https for website identity

Eric Mill eric at konklone.com
Thu Mar 26 00:53:02 MST 2020


The article's argument is that the text is misleading, because it might
incorrectly imply to users that the mere presence of HTTPS indicates a user
is safe online.

For the reasons I stated in my last email, I find that argument both
unpersuasive and unconstructive.

-- Eric

On Wed, Mar 25, 2020, 9:13 PM Paul Walsh <paul at metacert.com> wrote:

> Hi Eric,
>
> Would you please be kind enough to specify which of his comments you
> disagree with and why? I couldn’t find a single comment that I disagree
> with.
>
> It’s easy to get caught up in philosophical conversations on this subject.
> So it’s best to unbundle and discuss :)
>
> Thanks
> Paul
>
>
> On Mar 25, 2020, at 7:55 PM, Eric Mill <eric at konklone.com> wrote:
>
>
> Krebs' criticism is seriously misplaced. The banner comes down when users
> see text saying "An official website of the United States government", and
> click a link saying "Here's how you know". The text in that banner then
> answers the question of how you know you're at an official website of the
> USG: because it's at a .gov URL, *and* because it's at HTTPS.
>
> Being at a .gov URL is not enough alone, and neither is being at an
> https:// URL. But when .gov and HTTPS are combined, they actually do make
> a strong technical guarantee that you are at the official government site
> and are not being scammed.
>
> The banner presents both HTTPS and .gov together, and gives an accurate
> response to a specific prompt that the user must have seen (the banner only
> comes down if they click on it), so I would strongly push back on calling
> this misleading.
>
> There is absolutely an increase in COVID-19 related scamming and phishing
> and misinformation attacks right now -- not to mention the risk of
> misinformation in an election year that could misrepresent official sites
> describing polling places and times and other important information.
>
> These attacks on members of the public are some of the biggest reasons
> why, to protect the public and increase their own resilience to these kinds
> of attacks, federal, state, and local government websites should be 1)
> moving to .gov, and 2) moving to HTTPS. I'm disappointed that Brian Krebs
> chose to criticize an effort to drive better official uptake and public
> awareness of these two things at a time when they are most needed.
>
> On Wed, Mar 25, 2020 at 2:00 PM Paul Walsh via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Yes, this old chestnut again.
>>
>> There are members of this forum who are infinitely more connected than me
>> within the US Government. So this is a call to action for someone to ask
>> the US Government to stop with this madness…
>>
>> Many U.S. government websites now carry a message prominently at the top
>> of their home pages meant to help visitors better distinguish between
>> official U.S. government properties and phishing pages.
>>
>> They’re telling consumers: “The https:// ensures that you are connecting
>> to the official website….” [1]
>>
>> This is a problem because, according to Trans Union:
>>
>> "As more consumers turn online for purchases, TransUnion survey finds 22%
>> of Americans say they have been targeted by digital fraud related to
>> COVID-19"
>>
>> And according to DomainTools, they have classified 60,000 COVID-19
>> related phishing domains.
>>
>> I’m not one to promote what we do at MetaCert, which is why most think
>> I’m a CA fanboy. But we have built a threat intelligence system that
>> classifies phishing sites, but more importantly, it verifies on mass scale
>> for our “Zero Trust” browser extensions and API service.
>>
>> Here’s my point… on our backend, we have classified .GOV and .MIL along
>> with more *regulated* TLDs - so when someone uses our software or API, every
>> single URI to every single domain or sub-domain will display a green
>> shield. You might remember my article on the CA Security blog - this is how
>> we achieve a 100% track record with zero victims. So this again, should
>> help to demonstrate why website identity UI inside browser and email
>> software does in fact work well.
>>
>> There’s no reason why mainstream browsers can’t do the same as they’re
>> regulated gTLDs and sTLDs. You don’t need CAs to verify those domains.
>> Perhaps Microsoft, Google, Apple or Mozilla could build an extension
>> similar to ours and focus only on .GOV websites as a way to test it out.
>>
>> [1]
>> https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
>>
>> Thanks,
>> Paul
>> ------
>> MetaCert CEO
>> metacert.com
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> http://cabforum.org/mailman/listinfo/servercert-wg
>>
>
>
> --
> Eric Mill
> 617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
>
>
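The rule the thread argues over ("it's at a .gov URL *and* it's at HTTPS", and the .GOV/.MIL classification Paul describes) is mechanical enough to write down. Below is an added example, not code from the USG banner, MetaCert or anyone on this list. It assumes a constructed rule set in which only the restricted TLDs .gov and .mil count as government-controlled, and it is written to show the URL tricks such a check has to reject (userinfo before the host, a ".gov" label buried in a longer name, a Cyrillic look-alike, an IP literal), which is where a naive "contains .gov" test goes wrong.

```python
"""Origin check: is this URL an https URL whose registrable name is under a
restricted government TLD? Added example; the TLD list is an assumption."""
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: .gov and .mil are the only TLDs treated as
# government-controlled (both are restricted to US government registrants).
GOV_TLDS = frozenset({"gov", "mil"})


def classify(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a single URL.

    is_official is True only when the scheme is https and the hostname's
    last label is one of GOV_TLDS. Everything else is rejected with a reason.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced brackets in an IPv6 host
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    # "https://irs.gov@evil.com/" parses with username 'irs.gov' and host
    # 'evil.com'; reject anything carrying userinfo rather than reasoning about it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present before the host"

    host = parts.hostname  # lower-cased, port removed, IPv6 brackets stripped
    if not host:
        return False, "no host"

    # An IP literal can never be a .gov/.mil name.
    try:
        ipaddress.ip_address(host)
        return False, "host is an IP literal"
    except ValueError:
        pass

    host = host.rstrip(".")  # "www.irs.gov." is the same fully-qualified name
    try:
        # IDNA-encode so a look-alike such as "g\u043ev" (Cyrillic o) becomes an
        # xn-- label and can no longer compare equal to "gov".
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "hostname is not a valid IDNA name"

    labels = ascii_host.split(".")
    if any(label == "" for label in labels):
        return False, "empty label in hostname"
    if len(labels) < 2:
        return False, "bare TLD, no registered name"

    tld = labels[-1]
    if tld not in GOV_TLDS:
        # Catches "irs.gov.evil.com": only the *last* label decides.
        return False, f"TLD .{tld} is not a restricted government TLD"

    return True, f"https origin under .{tld}: {ascii_host}"


def classify_all(urls: list[str]) -> list[tuple[str, bool, str]]:
    """Classify a batch and return (url, is_official, reason) triples."""
    return [(u, *classify(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration; none were taken from a feed.
    samples = [
        "https://www.irs.gov/forms?year=2020",
        "http://www.irs.gov/",
        "https://irs.gov.evil.example/",
        "https://irs.gov@evil.example/",
        "https://evil.example/irs.gov",
        "https://www.whitehouse.g\u043ev/",
        "https://192.0.2.1/",
        "https://www.irs.gov:8443/",
    ]
    for url, ok, why in classify_all(samples):
        print(f"{'OFFICIAL' if ok else 'reject  '}  {url}  ({why})")
```

Two things the check deliberately does not do. It does not inspect the page, so it says nothing about whether the content at an official origin is accurate; it only answers the banner's narrow question of which organisation controls the site you are talking to, which is all that "https + restricted TLD" can establish. And it keys on the last label only, so the subdomain trick ("irs.gov.evil.example") and the userinfo trick ("irs.gov@evil.example") both fail closed; a client that instead searches for the substring ".gov" anywhere in the URL would pass both.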