[Servercert-wg] US Government recommends https for website identity

Paul Walsh paul at metacert.com
Thu Mar 26 11:02:10 MST 2020


Good point Roland, thank you. 

I’d like to apologize to everyone if my email was not suitable. Please feel free to tell me publicly or privately if this is not suitable. Either way, this will be my last response on this subject.

My intent and motivation were driven by the fact that today, COVID-19 phishing scams are polluting the web. According to TransUnion, 22% of Americans say that they have been targeted with digital fraud related to COVID-19. The World Health Organization is saying that phishing scams are causing a real problem for them. Some hospitals have been hit with ransomware that involved phishing.

And according to DomainTools, they have classified 60,000 new phishing domains related to COVID alone. 

Given that this forum is here to protect consumers with better privacy and safety, I thought it was something this group would want to add value to. I mean, you’re doing a great job at encryption so kudos for that. But when it comes to “safety”, not so good, as an industry.

Sincerely,
- Paul



> On Mar 26, 2020, at 8:59 AM, Roland Shoemaker <roland at letsencrypt.org> wrote:
> 
> Without getting into the merits of the argument Krebs is making, why was this sent to the Server Certificate WG mailing list? The scope of this WG presumably doesn't include lobbying the US government to change how they talk about HTTPS given its focus is on the requirements and guidelines for issuance and management of TLS server certificates.
> 
> Without some relevant discussion or proposal for how the WG could or would address this, it seems this debate would be better had elsewhere.
> 
> On Wed, Mar 25, 2020 at 1:59 PM Paul Walsh via Servercert-wg <servercert-wg at cabforum.org> wrote:
> Yes this old chestnut again. 
> 
> There are members of this forum who are infinitely more connected than me within the US Government. So this is a call to action for someone to ask the US Government to stop with this madness… 
> 
> Many U.S. government websites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages.
> 
> They’re telling consumers: “The https:// ensures that you are connecting to the official website….” [1]
> 
> This is a problem because, according to TransUnion:
> 
> "As more consumers turn online for purchases, TransUnion survey finds 22% of Americans say they have been targeted by digital fraud related to COVID-19"
> 
> And according to DomainTools, they have classified 60,000 COVID-19 related phishing domains. 
> 
> I’m not one to promote what we do at MetaCert, which is why most think I’m a CA fanboy. But we have built a threat intelligence system that classifies phishing sites, but more importantly, it verifies on mass scale for our “Zero Trust” browser extensions and API service. 
> 
> Here’s my point… on our backend, we have classified .GOV and .MIL along with more *regulated* TLS - so when someone uses our software or API, every single URI to every single domain or sub-domain will display a green shield. You might remember my article on the CA Security blog - this is how we achieve a 100% track record with zero victims. So this again, should help to demonstrate why website identity UI inside browser and email software does in fact work well. 
> 
> There’s no reason why mainstream browsers can’t do the same as they’re regulated gTLDs and sTLDs. You don’t need CAs to verify those domains. Perhaps Microsoft, Google, Apple or Mozilla could build an extension similar to ours and focus only on .GOV websites as a way to test it out. 
> 
> [1] https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
> 
> Thanks,
> Paul
> ------
> MetaCert CEO
> metacert.com <http://metacert.com/>
