[Servercert-wg] US Government recommends https for website identity

Tony Rutkowski tony at yaana.com
Thu Mar 26 06:31:38 MST 2020


It may not be persuasive to you, but he is accurate, and it reflects a widespread concern you seem unwilling to recognize.  The arena needs significant government regulation to bring about trust transparency.

--Tony R
________________________________
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Eric Mill via Servercert-wg <servercert-wg at cabforum.org>
Sent: Thursday, March 26, 2020 3:53:02 AM
To: Paul Walsh <paul at metacert.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] US Government recommends https for website identity

The article's argument is that the text is misleading, because it might incorrectly imply to users that the mere presence of HTTPS indicates a user is safe online.

For the reasons I stated in my last email, I find that argument both unpersuasive and unconstructive.

-- Eric

On Wed, Mar 25, 2020, 9:13 PM Paul Walsh <paul at metacert.com<mailto:paul at metacert.com>> wrote:
Hi Eric,

Would you please be kind enough to specify which of his comments you disagree with and why? I couldn’t find a single comment that I disagree with.

It’s easy to get caught up in philosophical conversations on this subject. So it’s best to unbundle and discuss :)

Thanks
Paul


On Mar 25, 2020, at 7:55 PM, Eric Mill <eric at konklone.com<mailto:eric at konklone.com>> wrote:


Krebs' criticism is seriously misplaced. The banner comes down when users see text saying "An official website of the United States government", and click a link saying "Here's how you know". The text in that banner then answers the question of how you know you're at an official website of the USG: because it's at a .gov URL, *and* because it's at HTTPS.

Being at a .gov URL is not enough alone, and neither is being at an https:// URL. But when .gov and HTTPS are combined, they actually do make a strong technical guarantee that you are at the official government site and are not being scammed.

The banner presents both HTTPS and .gov together, and gives an accurate response to a specific prompt that the user must have seen (the banner only comes down if they click on it), so I would strongly push back on calling this misleading.

There is absolutely an increase in COVID-19 related scamming and phishing and misinformation attacks right now -- not to mention the risk of misinformation in an election year that could misrepresent official sites describing polling places and times and other important information.

These attacks on members of the public are some of the biggest reasons why, to protect the public and increase their own resilience to these kinds of attacks, federal, state, and local government websites should be 1) moving to .gov, and 2) moving to HTTPS. I'm disappointed that Brian Krebs chose to criticize an effort to drive better official uptake and public awareness of these two things at a time when they are most needed.

On Wed, Mar 25, 2020 at 2:00 PM Paul Walsh via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
Yes this old chestnut again.

There are members of this forum who are infinitely more connected than me within the US Government. So this is a call to action for someone to ask the US Government to stop with this madness…

Many U.S. government websites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages.

They’re telling consumers: “The https:// ensures that you are connecting to the official website….” [1]

This is a problem because, according to Trans Union:

"As more consumers turn online for purchases, TransUnion survey finds 22% of Americans say they have been targeted by digital fraud related to COVID-19"

And according to DomainTools, they have classified 60,000 COVID-19 related phishing domains.

I’m not one to promote what we do at MetaCert, which is why most think I’m a CA fanboy. But we have built a threat intelligence system that classifies phishing sites, but more importantly, it verifies on mass scale for our “Zero Trust” browser extensions and API service.

Here’s my point… on our backend, we have classified .GOV and .MIL along with more *regulated* TLS - so when someone uses our software or API, every single URI to every single domain or sub-domain will display a green shield. You might remember my article on the CA Security blog - this is how we achieve a 100% track record with zero victims. So this again, should help to demonstrate why website identity UI inside browser and email software does in fact work well.

There’s no reason why mainstream browsers can’t do the same as they’re regulated gTLDs and sTLDs. You don’t need CAs to verify those domains. Perhaps Microsoft, Google, Apple or Mozilla could build an extension similar to ours and focus only on .GOV websites as a way to test it out.

[1] https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/

Thanks,
Paul
------
MetaCert CEO
metacert.com<http://metacert.com>
_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
http://cabforum.org/mailman/listinfo/servercert-wg


--
Eric Mill
617-314-0966 | konklone.com<https://konklone.com/> | @konklone<https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200326/7ca1da1a/attachment-0001.html>


More information about the Servercert-wg mailing list