[Servercert-wg] US Government recommends https for website identity

Roland Shoemaker roland at letsencrypt.org
Thu Mar 26 08:59:03 MST 2020


Without getting into the merits of the argument Krebs is making, why was
this sent to the Server Certificate WG mailing list? The scope of this WG
presumably doesn't include lobbying the US government to change how they
talk about HTTPS given its focus is on the requirements and guidelines for
issuance and management of TLS server certificates.

Without some relevant discussion or proposal for how the WG could or would
address this, it seems this debate would be better had elsewhere.

On Wed, Mar 25, 2020 at 1:59 PM Paul Walsh via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Yes, this old chestnut again.
>
> There are members of this forum who are infinitely more connected than me
> within the US Government. So this is a call to action for someone to ask
> the US Government to stop with this madness…
>
> Many U.S. government websites now carry a message prominently at the top
> of their home pages meant to help visitors better distinguish between
> official U.S. government properties and phishing pages.
>
> They’re telling consumers: “The https:// ensures that you are connecting
> to the official website….” [1]
>
> This is a problem because, according to Trans Union:
>
> "As more consumers turn online for purchases, TransUnion survey finds 22%
> of Americans say they have been targeted by digital fraud related to
> COVID-19"
>
> And according to DomainTools, they have classified 60,000 COVID-19 related
> phishing domains.
>
> I’m not one to promote what we do at MetaCert, which is why most think I’m
> a CA fanboy. But we have built a threat intelligence system that classifies
> phishing sites, but more importantly, it verifies on a mass scale for our
> “Zero Trust” browser extensions and API service.
>
> Here’s my point… on our backend, we have classified .GOV and .MIL along
> with more *regulated* TLDs - so when someone uses our software or API, every
> single URI to every single domain or sub-domain will display a green
> shield. You might remember my article on the CA Security blog - this is how
> we achieve a 100% track record with zero victims. So this, again, should
> help to demonstrate why website identity UI inside browser and email
> software does in fact work well.
>
> There’s no reason why mainstream browsers can’t do the same as they’re
> regulated gTLDs and sTLDs. You don’t need CAs to verify those domains.
> Perhaps Microsoft, Google, Apple or Mozilla could build an extension
> similar to ours and focus only on .GOV websites as a way to test it out.
>
> [1]
> https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
>
> Thanks,
> Paul
> ------
> MetaCert CEO
> metacert.com
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>