[Servercert-wg] US Government recommends https for website identity

Eric Mill eric at konklone.com
Thu Mar 26 08:32:53 MST 2020


Sorry if I was unclear - I wasn't saying that users thinking "HTTPS =
completely safe" isn't an issue on the general web. I was saying that the
specific banner under discussion is not nearly as likely to mislead users
into thinking so as Krebs described, and that it's important and legitimate
for users to expect the use of HTTPS from .gov websites.

On Thu, Mar 26, 2020 at 6:31 AM Tony Rutkowski <tony at yaana.com> wrote:

> It may not be persuasive to you, but he is accurate, and it reflects a
> widespread concern you seem unwilling to recognize.  The arena needs
> significant government regulation to bring about trust transparency.
>
> --Tony R
> ------------------------------
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Eric Mill via Servercert-wg <servercert-wg at cabforum.org>
> *Sent:* Thursday, March 26, 2020 3:53:02 AM
> *To:* Paul Walsh <paul at metacert.com>
> *Cc:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] US Government recommends https for website
> identity
>
> The article's argument is that the text is misleading, because it might
> incorrectly imply to users that the mere presence of HTTPS indicates a user
> is safe online.
>
> For the reasons I stated in my last email, I find that argument both
> unpersuasive and unconstructive.
>
> -- Eric
>
> On Wed, Mar 25, 2020, 9:13 PM Paul Walsh <paul at metacert.com> wrote:
>
> Hi Eric,
>
> Would you please be kind enough to specify which of his comments you
> disagree with and why? I couldn’t find a single comment that I disagree
> with.
>
> It’s easy to get caught up in philosophical conversations on this subject.
> So it’s best to unbundle and discuss :)
>
> Thanks
> Paul
>
>
> On Mar 25, 2020, at 7:55 PM, Eric Mill <eric at konklone.com> wrote:
>
> 
> Krebs' criticism is seriously misplaced. The banner comes down when users
> see text saying "An official website of the United States government", and
> click a link saying "Here's how you know". The text in that banner then
> answers the question of how you know you're at an official website of the
> USG: because it's at a .gov URL, *and* because it's at HTTPS.
>
> Being at a .gov URL is not enough alone, and neither is being at an
> https:// URL. But when .gov and HTTPS are combined, they actually do make
> a strong technical guarantee that you are at the official government site
> and are not being scammed.
>
> The banner presents both HTTPS and .gov together, and gives an accurate
> response to a specific prompt that the user must have seen (the banner only
> comes down if they click on it), so I would strongly push back on calling
> this misleading.
>
> There is absolutely an increase in COVID-19 related scamming and phishing
> and misinformation attacks right now -- not to mention the risk of
> misinformation in an election year that could misrepresent official sites
> describing polling places and times and other important information.
>
> These attacks on members of the public are some of the biggest reasons
> why, to protect the public and increase their own resilience to these kinds
> of attacks, federal, state, and local government websites should be 1)
> moving to .gov, and 2) moving to HTTPS. I'm disappointed that Brian Krebs
> chose to criticize an effort to drive better official uptake and public
> awareness of these two things at a time when they are most needed.
>
> On Wed, Mar 25, 2020 at 2:00 PM Paul Walsh via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> Yes, this old chestnut again.
>
> There are members of this forum who are infinitely more connected than me
> within the US Government. So this is a call to action for someone to ask
> the US Government to stop with this madness…
>
> Many U.S. government websites now carry a message prominently at the top
> of their home pages meant to help visitors better distinguish between
> official U.S. government properties and phishing pages.
>
> They’re telling consumers: “The https:// ensures that you are connecting
> to the official website….” [1]
>
> This is a problem because, according to Trans Union:
>
> "As more consumers turn online for purchases, TransUnion survey finds 22%
> of Americans say they have been targeted by digital fraud related to
> COVID-19"
>
> And according to DomainTools, they have classified 60,000 COVID-19 related
> phishing domains.
>
> I’m not one to promote what we do at MetaCert, which is why most think I’m
> a CA fanboy. But we have built a threat intelligence system that classifies
> phishing sites and, more importantly, verifies at mass scale for our
> “Zero Trust” browser extensions and API service.
>
> Here’s my point… on our backend, we have classified .GOV and .MIL along
> with more *regulated* TLDs - so when someone uses our software or API, every
> single URI to every single domain or sub-domain will display a green
> shield. You might remember my article on the CA Security blog - this is how
> we achieve a 100% track record with zero victims. So this, again, should
> help to demonstrate why website identity UI inside browser and email
> software does in fact work well.
>
> There’s no reason why mainstream browsers can’t do the same as they’re
> regulated gTLDs and sTLDs. You don’t need CAs to verify those domains.
> Perhaps Microsoft, Google, Apple or Mozilla could build an extension
> similar to ours and focus only on .GOV websites as a way to test it out.
>
> [1]
> https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
>
> Thanks,
> Paul
> ------
> MetaCert CEO
> metacert.com
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
>
>
> --
> Eric Mill
> 617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
>
>

-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>