[Servercert-wg] US Government recommends https for website identity

Thu Mar 26 11:27:23 MST 2020

Hi Paul,

I've explained why the text in the banner is correct, because it's in the
context of other text that makes it accurate. Taking just the HTTPS text
out of context and analyzing it alone is incomplete. I'm not going to
dicker about the finer points - I've given ample detail about why Brian's
argument is incorrect.

On Thu, Mar 26, 2020 at 11:04 AM Paul Walsh <paul at metacert.com> wrote:

> Thanks for the clarification, Eric.
>
> Say that something is “unconstructive” is subjective and open to debate
> and interpretation. Let’s not go down that path unless you’d like to open
> up a different conversation about encryption and marketing efforts around
> it. I’m talking about mistaken identity here.
>
> The Government website is technically wrong and I would go as far as to
> say it’s irresponsible to not change it the people responsible are made
> aware of the mistake. It says that "*https:// ensures that you are
> connecting to the official website*”
>
> This is not correct, no matter how we look at it. Rather than put forward
> issues though, I’d like to propose a solution. Here’s what the Government
> website should say:
>
> “*The https ensures any information you provide is encrypted and
> transmitted securely*”. <— all I did was remove the words that make it
> inaccurate. I don’t think anyone could argue with that.
>
> Do you agree with the above statement and if you do, why would you
> disagree to updating the websites to be more accurate?
>
> What I would desire however, is the following text:
>
> “The https ensures any information you provide is encrypted and
> transmitted securely. This does not mean that the website owner has had
> their identity verified. You should look for other information to make sure
> that you are using the legitimate website and not a counterfeit website.”
> <— Also accurate but one could debate the merits of adding a few extra
> words.
>
> Eric, in a follow up email you said: "I was saying that the specific
> banner under discussion is not nearly as likely to mislead users into
> thinking so as Krebs described”. Unfortunately Brian is 100% right
> according to cybersecurity companies with anti-phishing experience.
>
> - Paul
>
>
>
> On Mar 26, 2020, at 12:53 AM, Eric Mill <eric at konklone.com> wrote:
>
> The article's argument is that the text is misleading, because it might
> incorrectly imply to users that the mere presence of HTTPS indicates a user
> is safe online.
>
> For the reasons I stated in my last email, I find that argument both
> unpersuasive and unconstructive.
>
> -- Eric
>
> On Wed, Mar 25, 2020, 9:13 PM Paul Walsh <paul at metacert.com> wrote:
>
>> Hi Eric,
>>
>> Would you please be kind enough to specify which of his comments you
>> disagree with and why? I couldn’t find a single comment that I disagree
>> with.
>>
>> It’s easy to get caught up in philosophical conversations on this
>> subject. So it’s best to unbundle and discuss :)
>>
>> Thanks
>> Paul
>>
>>
>> On Mar 25, 2020, at 7:55 PM, Eric Mill <eric at konklone.com> wrote:
>>
>> 
>> Krebs' criticism is seriously misplaced. The banner comes down when users
>> see text saying "An official website of the United States government", and
>> click a link saying "Here's how you know". The text in that banner then
>> answers the question of how you know you're at an official website of the
>> USG: because it's at a .gov URL, *and* because it's at HTTPS.
>>
>> Being at a .gov URL is not enough alone, and neither is being at an
>> https:// URL. But when .gov and HTTPS are combined, they actually do
>> make a strong technical guarantee that you are at the official government
>> site and are not being scammed.
>>
>> The banner presents both HTTPS and .gov together, and gives an accurate
>> response to a specific prompt that the user must have seen (the banner only
>> comes down if they click on it), so I would strongly push back on calling
>> this misleading.
>>
>> There is absolutely an increase in COVID-19 related scamming and phishing
>> and misinformation attacks right now -- not to mention the risk of
>> misinformation in an election year that could misrepresent official sites
>> describing polling places and times and other important information.
>>
>> These attacks on members of the public are some of the biggest reasons
>> why, to protect the public and increase their own resilience to these kinds
>> of attacks, federal, state, and local government websites should be 1)
>> moving to .gov, and 2) moving to HTTPS. I'm disappointed that Brian Krebs
>> chose to criticize an effort to drive better official uptake and public
>> awareness of these two things at a time when they are most needed.
>>
>> On Wed, Mar 25, 2020 at 2:00 PM Paul Walsh via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> Yes this old chestnut again.
>>>
>>> There are members of this forum who are infinitely more connected than
>>> me within the US Government. So this is a call to action for someone to ask
>>> the US Government to stop with this madness…
>>>
>>> Many U.S. government websites now carry a message prominently at the top
>>> of their home pages meant to help visitors better distinguish between
>>> official U.S. government properties and phishing pages.
>>>
>>> They’re telling consumers: “The https:// ensures that you are
>>> connecting to the official website….” [1]
>>>
>>> This is a problem because, according to Trans Union:
>>>
>>> "As more consumers turn online for purchases, TransUnion survey finds
>>> 22% of Americans say they have been targeted by digital fraud related to
>>> COVID-19"
>>>
>>> And according to DomainTools, they have classified 60,000 COVID-19
>>> related phishing domains.
>>>
>>> I’m not one to promote what we do at MetaCert, which is why most think
>>> I’m a CA fanboy. But we have built a threat intelligence system that
>>> classifies phishing sites, but more importantly, it verifies on mass scale
>>> for our “Zero Trust” browser extensions and API service.
>>>
>>> Here’s my point… on our backend, we have classified .GOV and .MIL along
>>> with more *regulated* TLS - so when someone uses our software or API, every
>>> single URI to every single domain or sub-domain will display a green
>>> shield. You might remember my article on the CA Security blog - this is how
>>> we achieve a 100% track record with zero victims. So this again, should
>>> help to demonstrate why website identity UI inside browser and email
>>> software does in fact work well.
>>>
>>> There’s no reason why mainstream browsers can’t do the same as they’re
>>> regulated gTLDs and sTLDs. You don’t need CAs to verify those domains.
>>> Perhaps Microsoft, Google, Apple or Mozilla could build an extension
>>> similar to ours and focus only on .GOV websites as a way to test it out.
>>>
>>> [1]
>>> https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
>>>
>>> Thanks,
>>> Paul
>>> ------
>>> MetaCert CEO
>>> metacert.com
>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> http://cabforum.org/mailman/listinfo/servercert-wg
>>>
>>
>>
>> --
>> Eric Mill
>> 617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
>>
>>
>

-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200326/27486f34/attachment-0001.html>