
[Fwd Blog] Possibility for SSL spoofing in recent Firefox 3


Ben Bucksch
May 20, 2008, 11:27:11 AM
to Kai Engert, Gervase Markham, Mike Beltzner

https://blog.startcom.org/?p=86

Eddy has a point here.


Comment:

At the minimum, such a change is too big and important to make in a RC.
It should happen before beta, as it's a drastic change to the UI of
webbrowsers.

I agree that current verification procedures by CAs mean almost nothing
and thus "verified" sites should not be very prominent. So, I agree with
the general direction of demoting normal SSL certificates. I think it's
going a bit too far, though.

More importantly, I agree with Eddy that overloading the favicon is a
very bad idea. First, if I hadn't read the *text* that Eddy wrote, I
would never have understood that the blue means SSL. Even looking at the
direct comparison screenshots, I didn't see it. And that's because the
favicon is owned by the site. Second, Eddy shows how subtle the
difference between a faked favicon and a real SSL favicon is.

Then, you say you want to make users understand identity. Yet, the
padlock is gone, and even in earlier builds, it didn't go to the
Security Page Info dialog as it used to do in older browsers and IIRC
FF2. A simplified Security Page Info dialog would be what makes users
understand SSL identity verification.

Lastly, identity on the Internet is the domain, not the real name. The
DNS ensures that there's only one entity in the world with that domain.
By demoting the domain in the EV case, I think you blur the notion of
identity on the Internet. I fully agree with showing the real name as
additional indication, but the domain should stay the primary
identification means, EV or not.
EV only prevents man-in-the-middle/posing and adds possibility to sue.

At the minimum, please remove the favicon modifications and keep
padlock both in URLbar and statusbar (the former, because that's where
it belongs, and the latter, because that's what old browsers did and
many sites ask the user to look out for), for both EV and normal
CA-signed SSL sites.

Or just go back to what you did in the betas, because it's pretty late
for such important UI changes.

Ben

Followup-To: mozilla.dev.apps.firefox

Benjamin Smedberg
May 20, 2008, 11:55:38 AM

Ben Bucksch wrote:

> More importantly, I agree with Eddy that overloading the favicon is a
> very bad idea. First, if I hadn't read the *text* that Eddy wrote, I
> would never have understood that the blue means SSL. Even looking at the
> direct comparison screenshots, I didn't see it. And that's because the
> favicon is owned by the site. Second, Eddy shows how subtle the
> difference between a faked favicon and a real SSL favicon is.

Wow, I was wondering why gmail had an ugly blue favicon. I agree that this
change is unfortunate. I don't really care about the specifics of padlocks
or yellow bars or whatnot, but I would like it to be visually obvious when
I'm transmitting information that's encrypted, even if the identity on the
other end isn't extended-validated.

> Lastly, identity on the Internet is the domain, not the real name. The
> DNS ensures that there's only one entity in the world with that domain.
> By demoting the domain in the EV case, I think you blur the notion of
> identity on the Internet. I fully agree with showing the real name as
> additional indication, but the domain should stay the primary
> identification means, EV or not.
> EV only prevents man-in-the-middle/posing and adds possibility to sue.

I disagree. Even if the certificate is issued to a particular domain name,
I'm more concerned about what company I'm communicating with, than the
domain name. Of course in the non-EV case the domain name is the only
reliable information, so we have no choice. But with EV, we can trust the
company name, which is going to provide more information.

--BDS

Michael Connor
May 20, 2008, 12:33:46 PM
to Ben Bucksch, dev-apps...@lists.mozilla.org

On 20-May-08, at 11:27 AM, Ben Bucksch wrote:

> Comment:
>
> At the minimum, such a change is too big and important to make in a
> RC.
> It should happen before beta, as it's a drastic change to the UI of
> webbrowsers.

To the UI of Firefox, you mean. Removing the padlock isn't new, we
just removed the (semantically confusing) yellow treatment on the
bar. IE/Safari don't do anything except a padlock (and most people
can't even find Safari's without knowing where to look). Yellow
actually means "warning" in IE7, and there's no evidence that it was
meaningful along the right axis for users.

> More importantly, I agree with Eddy that overloading the favicon is a
> very bad idea. First, if I hadn't read the *text* that Eddy wrote, I
> would never have understood that the blue means SSL. Even looking at
> the
> direct comparison screenshots, I didn't see it. And that's because the
> favicon is owned by the site. Second, Eddy shows how subtle the
> difference between a faked favicon and a real SSL favicon is.

Blue means "there's something here to click on" more than "SSL" IMO.
There's not a lot of useful information that comes solely from "SSL or
not SSL" I have a secure tunnel to "someone" who may or may not be
the person I care about. I can get an SSL cert for
bugzilla.mozillla.org easily enough, does blue on its own carry any
useful information?

> Then, you say you want to make users understand identity. Yet, the
> padlock is gone, and even in earlier builds, it didn't go to the
> Security Page Info dialog as it used to do in older browsers and IIRC
> FF2. A simplified Security Page Info dialog would be what makes users
> understand SSL identity verification.

Please pay attention, read the studies. The padlock in primary UI
means bad user expectations, and it's being used in a lot of dumb ways,
by banks, in http content no less.

> Lastly, identity on the Internet is the domain, not the real name. The
> DNS ensures that there's only one entity in the world with that
> domain.
> By demoting the domain in the EV case, I think you blur the notion
> of
> identity on the Internet. I fully agree with showing the real name as
> additional indication, but the domain should stay the primary
> identification means, EV or not.
> EV only prevents man-in-the-middle/posing and adds possibility to sue.

That's totally bogus. Go read Gutman about bank-of-america.com and
other all-too-easy phishing attempts. Lots of companies use a bunch
of different domains, and expecting a user to learn which are legit
and which aren't is foolish at best. It doesn't even address typos
(like the infamous yahooo.com and other smart cookies in the early
days). Having a reasonably trusted identity of the company behind the
site is far more useful.

Also, your faith in DNS is much higher than mine. If DNS can be
trusted, we could ignore certs entirely and just encrypt on demand.

> At the minimum, please remove the favicon modifications and keep
> padlock both in URLbar and statusbar (the former, because that's where
> it belongs, and the latter, because that's what old browsers did and
> many sites ask the user to look out for), for both EV and normal
> CA-signed SSL sites.

The padlock's been gone for many betas, and we're not bringing it
back. It's in the statusbar still, for now. I think your arguments
are weak, and not at all based on anything other than "change is bad"
and "old UI was good" when there's a ton of evidence that the old UI
was meaningless and harmful.

Of course, users don't look at the location bar, which is why phishing
still works, and why no one uses HTTPS for phishing anyway.

-- Mike

Ben Bucksch
May 20, 2008, 1:07:52 PM
to Michael Connor
Michael Connor schrieb:

> There's not a lot of useful information that comes solely from "SSL or
> not SSL" I have a secure tunnel to "someone" who may or may not be
> the person I care about.

SSL (with knowing the cert is owned by the webserver owner, which normal
CA-verified certs are supposed to guarantee) means that I can exchange
information without other parties seeing it. That *is* important
information. That's the main thing we need for credit card payment,
which is the original and still main use for SSL. It was also important
recently for me to formally prove that a certain site leaked information
(a company name during domain registration) and not somebody sniffing
the traffic.

EV checks a little more thoroughly, but is not tamperproof either. I
agree that EV is better, but CA-verified SSL is not useless as you say.
Neither normal SSL nor EV say anything about whether the party is
trustworthy.

> I can get an SSL cert for bugzilla.mozillla.org easily enough, does
> blue on its own carry any useful information?

Yes, I know my password for it won't be stolen by anybody in the middle,
and I know nobody else can read the security bugs by sniffing the traffic.

> The padlock in primary UI means bad user expectations, and its being
> used in a lot of dumb ways, by banks, in http content no less.

I agree the padlock as icon was silly.

>> Lastly, identity on the Internet is the domain, not the real name. [...]
>
> That's totally bogus.

Not commenting on insults.
It's obviously, and provably, true.

> Lots of companies use a bunch of different domains

Yes, and they are *wrong* and silly and neglecting, and they pay with
phishing. Including bank of america and paypal and ebay.
EV will not end the phishing, I can get confusingly similar real names
without problem. And paypal and ebay have subsidiaries. It's just as hard
to find the correct realname as it is to find the correct domain. In
fact, it's harder.

One domain per company, and users checking it, will end phishing. That's
what we need to get into the user's heads. Verifying the domain is the
simplest and surest way to avoid phishing. That's what we need to teach.
It's the domain.

The realname just adds information, but does not substitute the domain
at all.

> Also, your faith in DNS is much higher than mine. If DNS can be
> trusted, we could ignore certs entirely and just encrypt on demand.

DNS plus SSL of course

> I think your arguments are weak

Yours are not better. Please get rational.

I maintain that using the favicon border to signify CA-verified SSL is
useless at best or even dangerous.

Ben

Shawn Wilsher
May 20, 2008, 3:30:23 PM

Ben Bucksch wrote:
> Then, you say you want to make users understand identity. Yet, the
> padlock is gone, and even in earlier builds, it didn't go to the
> Security Page Info dialog as it used to do in older browsers and IIRC
> FF2. A simplified Security Page Info dialog would be what makes users
> understand SSL identity verification.
How, exactly, does the padlock have anything to do with identity?

Cheers,

Shawn

Shawn Wilsher
May 20, 2008, 3:37:46 PM

Ben Bucksch wrote:
>>> Lastly, identity on the Internet is the domain, not the real name. [...]
>>
>> That's totally bogus.
>
> Not commenting on insults.
> It's obviously, and provably, true.
Calling a statement isn't an insult unless you become your argument.
With that said, phishing attacks (which have been demonstrated to work)
demonstrate that people don't look at the domain, so I don't understand
how you can claim that identity is the domain name - at least in any
reliable manner.

>> Lots of companies use a bunch of different domains
>
> Yes, and they are *wrong* and silly and neglecting, and they pay with
> phishing. Including bank of america and paypal and ebay.
> EV will not end the phishing, I can get confusingly similar real names
> without problem. And paypal and ebay have subsidiaries. It's just as hard
> to find the correct realname as it is to find the correct domain. In
> fact, it's harder.

And HTML that doesn't validate is also wrong and silly and neglecting,
but we can't really do anything about that either. We can only fix
things that are in our control, and we cannot control how a company uses its
domains.

Cheers,

Shawn

Julien R Pierre - Sun Microsystems
May 20, 2008, 4:29:23 PM

Ben,

Ben Bucksch wrote:
>
> https://blog.startcom.org/?p=86
>
> Eddy has a point here.

I just downloaded FF3 RC1. I don't think that Eddy has a point. The
padlock is still there, in the lower right hand corner, and present only
when connecting to SSL sites. That's the traditional indicator of
whether a site is secure or not.

Can this padlock be spoofed? I didn't see anything in Eddy's blog that
said it could.

Dave Townsend
May 20, 2008, 5:36:44 PM

Ben Bucksch wrote:
>
>> I can get an SSL cert for bugzilla.mozillla.org easily enough, does
>> blue on its own carry any useful information?
>
> Yes, I know my password for it won't be stolen by anybody in the middle,
> and I know nobody else can read the security bugs by sniffing the traffic.
>

And since you failed to read the domain name properly you just sent your
bugzilla password to someone spoofing Mozilla's bugzilla, thus allowing
them to access all those security bugs.

Dave

>
>>> Lastly, identity on the Internet is the domain, not the real name. [...]
>>
>> That's totally bogus.
>
> Not commenting on insults.
> It's obviously, and provably, true.

As you have proven yourself, domain name is not useful as people can be
fooled by them

Dave

Ben Bucksch
May 20, 2008, 7:52:23 PM

Shawn Wilsher schrieb:

> phishing attacks (which have been demonstrated to work) demonstrate
> that people don't look at the domain

Yes, because URLs are hard to decipher and thus ignored. The domain is
not clear and prominent enough.

See Eddy's screenshot:
https://blog.startcom.org/wp-content/uploads/2008/05/ff3-enabled-original.png
So, why not set browser.identity.ssl_domain_display to 1 ?

--
When responding privately, please remove the ".news" from the email address.

Ben Bucksch
May 20, 2008, 7:57:12 PM

Dave Townsend schrieb:
>>> bugzilla.mozillla.org

> And since you failed to read the domain name properly you just sent
> your bugzilla password to someone spoofing Mozilla's bugzilla, thus
> allowing them to access all those security bugs.

Ah funny, I thought that was a typo from mconner.

And that's different from "PayPal (DE)" in which way? (PayPal does not
operate in Germany.) Or "eBays Operations, Inc (US)"?

Do you want to rely on trademark law now?
(Yeah, I know about the EV blacklists. But there's more than eBay out
there.)

Ben

Ben Bucksch
May 20, 2008, 7:59:08 PM

Shawn Wilsher schrieb:

It used to go to the Security page of Page Info (as I said), which tells
the name of the identity issued to, the server, and the CA which
verified it.

Shawn Wilsher
May 20, 2008, 10:03:02 PM

Ben Bucksch wrote:
>> How, exactly, does the padlock have anything to do with identity?
>
> It used to go to the Security page of Page Info (as I said), which tells
> the name of the identity issued to, the server, and the CA which
> verified it.
That isn't the primary browser UI, and I strongly suspect that most
users didn't even know about it.

Cheers,

Shawn

Boris Zbarsky
May 20, 2008, 10:12:13 PM

Shawn Wilsher wrote:
> That isn't the primary browser UI, and I strongly suspect that most
> users didn't even know about it.

While true, the users I told about it (all in their 50s or later) were very
interested in having that sort of functionality available to them easily.

-Boris

Ben Bucksch
May 20, 2008, 10:28:06 PM

Shawn Wilsher schrieb:
>> [padlock] It used to go to the Security page of Page Info (as I
>> said), which tells the name of the identity issued to, the server,
>> and the CA which verified it.
> That isn't the primary browser UI, and I strongly suspect that most
> users didn't even know about it.

But they *are* supposed to know that this blue border around the favicon
is supposed to mean something? And to tell the difference to a blue
favicon? That was my main criticism.

Thomas Stache
May 21, 2008, 4:13:15 AM

Ben Bucksch wrote:
> It used to go to the Security page of Page Info (as I said), which tells
> the name of the identity issued to, the server, and the CA which
> verified it.

I don't get this argument...
Now you click the favicon to inspect the Larry/Identity popup, and in there
the big-ass "More information" button takes you to the Page Info dialog, which
is much improved over Fx2, fwiw.

Thomas

Thomas Stache
May 21, 2008, 4:16:03 AM

They are supposed to know, that they can click the Identity Button/favicon on
*any* site to view the identity information, regardless if it's plain HTTP,
SSL or an EV certificate. This UI doesn't appear and vanish in a strange
manner, it's consistent now. The color of the Identity Button is just an
additional cue.

Dave Townsend
May 21, 2008, 8:24:54 AM

Ben Bucksch wrote:
> Dave Townsend schrieb:
>>>> bugzilla.mozillla.org
>> And since you failed to read the domain name properly you just sent
>> your bugzilla password to someone spoofing Mozilla's bugzilla, thus
>> allowing them to access all those security bugs.
>
> Ah funny, I thought that was a typo from mconner.
>
> And that's different from "PayPal (DE)" in which way? (PayPal does not
> operate in Germany.) Or "eBays Operations, Inc (US)"?

So if domain names don't work, and company names don't work, exactly
what do you think should be used that can't be spoofed? Should we
introduce a complete block on all SSL certificates except those that the
user has added to a whitelist, using some secure method for paypal to
send them their certificate fingerprint?

Dave

Ben Bucksch
May 21, 2008, 8:36:29 AM
to Dave Townsend
Dave Townsend schrieb:

> So if domain names don't work

huch? They do work. We just don't *show* domain names! (Not by
themselves, but in a complex, spoofable way.) That's exactly what I
asked for. And is partially implemented, see the mentioned pref and
screenshot.

Johnathan Nightingale
May 21, 2008, 8:52:54 AM
to Shawn Wilsher, dev-apps...@lists.mozilla.org


Wait, I'm confused. Double-clicking on the padlock in the status bar
to bring up the security page of page info? That still works just
fine, unless someone committed code without telling me? I didn't
spend that time reworking the security page info just to hide it
away. :)

J

---
Johnathan Nightingale
Human Shield
joh...@mozilla.com

Wolfgang Rosenauer
May 21, 2008, 9:11:17 AM

Hmm, that reminds me: Why do I have to double-click that on Linux now
while it worked with single click in FF2? In light of this discussion it
seems like a real issue since Linux users are not so much used to double
clicks. I found it by accident.

Wolfgang

Wolfgang Rosenauer
May 21, 2008, 9:12:57 AM

No, but IIRC he said that the status bar is not necessarily visible in
some types of browser windows (or probably it was someone else).

Wolfgang

Johnathan Nightingale
May 21, 2008, 10:19:37 AM
to Wolfgang Rosenauer, dev-apps...@lists.mozilla.org
On 21-May-08, at 9:11 AM, Wolfgang Rosenauer wrote:

> Johnathan Nightingale wrote:
>>
>> Wait, I'm confused. Double-clicking on the padlock in the status
>> bar to
>> bring up the security page of page info? That still works just fine,
>> unless someone committed code without telling me? I didn't spend
>> that
>> time reworking the security page info just to hide it away. :)
>
> Hmm, that reminds me: Why do I have to double-click that on Linux now
> while it worked with single click in FF2? In light of this
> discussion it
> seems like a real issue since Linux users are not so much used to
> double
> clicks. I found it by accident.

I think you want:

https://bugzilla.mozilla.org/show_bug.cgi?id=432741

although ttbomk we haven't changed that deliberately between 2 and 3.
It is double-click on FF2 for windows and mac, for instance, and the
xul that handles it isn't platform-dependent in any obvious way.

Cheers,

Johnathan

Ben Bucksch
May 21, 2008, 11:38:24 AM
to Michael Connor
Michael,

you replied to me in private. I don't know whether that was intentional.
I hope it's OK to quote some cut-down snippets from you in public.

Michael Connor schrieb:


>> Michael Connor schrieb:
>>> There's not a lot of useful information that comes solely from "SSL
>>> or not SSL"
>>

>> SSL (with knowing the cert is owned by the webserver owner, which
>> normal CA-verified certs are supposed to guarantee) means that I can
>> exchange information without other parties seeing it. That *is*
>> important information.
>

> All that DV-SSL validates is that you have control of the domain.

Yes, exactly. That's all that's needed in most cases, that I am talking
to the entity in control of the domain that I went to. It *is* very
important information, and we need to convey that information clearly.
(DV-)SSL essentially makes the Internet much safer than the telephone. Most
people are fine with giving credit card data over the phone.

> you only need 30 minutes to compromise a site [to get a DV cert]

If I compromised the server, then EV does not help at all either.

> Nope, but EV at least verifies the party is real, and not someone
> who's compromised a server

Wrong. If I compromised the server, I also own the private part of the
issued EV cert.

> Reread the domain I typed.

Already answered in parallel postings.

[domain vs. real name]

Already discussed that realname is not unique and not fakeproof either.

>> Verifying the domain is the simplest and surest way to avoid phishing.
>

> That's a pipe dream

EV and relying on realnames is a pipe dream.

That's not a useful way to discuss, notice?

> in reality, users don't understand domains as a concrete concept

Of course they do, it's printed in almost all advertising. Clearly,
users do understand them.

> It hasn't worked in the past

Because *we* failed to properly convey the domain. That's exactly what I
asked for.

People can understand domains, they just can't understand the complex
URL syntax. Even I have misinterpreted some better faked URLs. Users
consider the URL technical gibberish that's hard or impossible to
understand and *that's* why they ignore it. That's what most phishing
attacks are based on. On the other hand, lufthansa.de is a fairly simple
concept, in fact users enter it themselves. URLs are the problem, not
domains. Thus, show the domain.

> I think we've looked at enough data to feel like we're trending in the
> right direction.

Your comments and implementation suggest to me that you have entirely
ignored the discussion about EV on the security group and on this
newsgroup last year.

Michael Connor
May 21, 2008, 11:41:03 AM
to dev-apps...@lists.mozilla.org
repost, actually to the list.

> _______________________________________________
> dev-apps-firefox mailing list
> dev-apps...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-apps-firefox

Shawn Wilsher
May 21, 2008, 11:43:42 AM

Johnathan Nightingale wrote:
> Wait, I'm confused. Double-clicking on the padlock in the status bar to
> bring up the security page of page info? That still works just fine,
> unless someone committed code without telling me? I didn't spend that
> time reworking the security page info just to hide it away. :)
Did we not used to display the padlock in the location bar as well? I
made the assumption, perhaps poorly, that that is what he was referring to.

Cheers,

Shawn

Ben Bucksch
May 21, 2008, 11:48:01 AM

To sum up, I make 3 main statements:

* Using a blue border for the favicon is either not noticeable or
begging for spoofing. Genuinely bad idea.
* Show the domain clearly, for SSL and EV certs. For EV certs,
*also* show the realname as additional info.
* Do not demote DV-SSL entirely in favor of EV. DV-SSL does provide
some value and should be conveyed. I agree that EV is better than
DV (but expensive and not available for individuals, for example).

Concretely, for implementation,

* Remove border around favicon
* set browser.identity.ssl_domain_display to 1, to show domain in
blue for normal SSL.
* Also show domain for EV, in the same way as for normal SSL (just
in green), before the real name.
(Only problem I can see is screen real estate. You could put the
realname in a different place outside the URLbar.)

Michael Connor
May 21, 2008, 12:04:43 PM
to Ben Bucksch, dev-apps...@lists.mozilla.org
As a note, I think a lot of selective editing took place here, my post
is in the group now though.

On 21-May-08, at 11:38 AM, Ben Bucksch wrote:

> Michael Connor schrieb:
>>> Michael Connor schrieb:
>>>> There's not a lot of useful information that comes solely from "SSL
>>>> or not SSL"
>>>
>>> SSL (with knowing the cert is owned by the webserver owner, which
>>> normal CA-verified certs are supposed to guarantee) means that I can
>>> exchange information without other parties seeing it. That *is*
>>> important information.
>>
>> All that DV-SSL validates is that you have control of the domain.
>
> Yes, exactly. That's all that's needed in most cases, that I am
> talking
> to the entity in control of the domain that I went to. It *is* very
> important information, and we need to convey that information clearly.
> (DV-)SSL essentially makes the Internet much safer than the telephone. Most
> people are fine with giving credit card data over the phone.
>
>> you only need 30 minutes to compromise a site [to get a DV cert]
>
> If I compromised the server, then EV does not help at all either.

You cut out the part about non-OCSP, which is part of the problem. EV
requires OCSP, so revocation should be _very_ swift in that case. For
non-OCSP barebones certs, you have a cert that probably doesn't get
revoked cleanly for a very long time.

>> Nope, but EV at least verifies the party is real, and not someone
>> who's compromised a server
>
> Wrong. If I compromised the server, I also own the private part of the
> issued EV cert.

Which will be worth nothing pretty rapidly, since OCSP is required for
EV. If you don't get a valid OCSP response, we don't show the EV UI.
I can get my own DV cert issued while I own the server, and it'll
probably be good for a year.

>> Reread the domain I typed.
>
> Already answered in parallel postings.
>
> [domain vs. real name]
>
> Already discussed that realname is not unique and not fakeproof
> either.

No, but it's harder to register a company name that will be confusing,
set up a physical location to be verified, and use the cert for
phishing. It's not impossible, but it is raising the bar considerably.

>> in reality, users don't understand domains as a concrete concept
>
> Of course they do, it's printed in almost all advertising. Clearly,
> users do understand them.

No, they understand that they type stuff in to get what they want.
Understanding how DNS works, and how ownership of subdomains works,
etc, is not the same.

Also, look at China. They typically _don't_ print domains, they use
keyword engines, because IDN is still weakly supported across all
browsers. (You conveniently cut this from my post, for some reason....)

>> It hasn't worked in the past
>
> Because *we* failed to properly convey the domain. That's exactly
> what I
> asked for.

It's been in the status bar since 1.0. Have you read Why Phishing
Works yet? Even if they look at the domain, they don't understand
what is and isn't bogus. There's a long tail of companies that don't
run pervasive ads that you'll remember the domain from, and DNS sure
as hell can't be trusted to tell you who's real and who isn't.

> People can understand domains, they just can't understand the complex
> URL syntax. Even I have misinterpreted some better faked URLs. Users
> consider the URL technical gibberish that's hard or impossible to
> understand and *that's* why they ignore it. That's what most phishing
> attacks are based on. On the other hand, lufthansa.de is a fairly simple
> concept, in fact users enter it themselves. URLs are the problem, not
> domains. Thus, show the domain.

That problem has very little to do with SSL, anyway. Phishing has
very little to do with SSL, phishing doesn't even _use_ SSL and works
anyway. So you're arguing on the basis of phishing, and that isn't

>> I think we've looked at enough data to feel like we're trending in
>> the
>> right direction.
>
> Your comments and implementation suggest to me that you have entirely
> ignored the discussion about EV on the security group and on this
> newsgroup last year.

Is this "you disagree, so you haven't been paying attention" argument?

We know SSL has been dramatically weakened by the race to the bottom.
EV and KCM-lite are steps in the right direction, as are better login
systems like sayrer's been talking about. Of course, most of this has
very little to do with EV, the real problem is the UI for DV-SSL. You
think it's important, seemingly for phishing, but you're selectively
arguing and lacking evidence. Do Safari users get phished more often
because of the lack of prominent SSL UI? Do IE users? Beyond the
expected user skew (Firefox users trend towards heavier Internet usage/
familiarity), of course...

-- Mike
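Two positions in the thread can be written down as one small decision function: Ben's summary (show the host first for every cert, and for EV show the real name only as additional information after it) and Michael's rule that the EV treatment is shown only when the certificate's OCSP response is good, with a fallback to the plain DV treatment otherwise. The block below is an added example written for this page; it is not Firefox code and not code from any participant. The `displayHost`, `identityDisplay`, `levenshtein` and `lookalikeWarning` functions, the certificate objects, the OCSP status strings and every hostname in it are constructed for the example. The lookalike check also goes slightly beyond the thread: it flags not only a host a typo away from the expected domain (the `mozillla.org` case) but also a host that merely embeds the expected domain inside a different one.

```javascript
// Added example, not Firefox code: a model of the identity display proposed
// in this thread. The host is always the primary identity; an organisation
// name is shown only for EV, and only when the OCSP response was good.
// Certificate objects and OCSP statuses are constructed inputs, not values
// taken from a real TLS stack.

// The host a user needs to see. The WHATWG URL parser discards the parts that
// make URLs hard to read (userinfo such as "www.paypal.com@", path, query),
// so "https://www.paypal.com@evil.example/login" yields "evil.example".
function displayHost(urlString) {
  return new URL(urlString).hostname;
}

// Decide which identity treatment to show. `cert` is a constructed object with
// `ev` (boolean) and `organization` (string); `ocspStatus` is the constructed
// outcome of the revocation check ("good", "revoked" or "unknown").
// level is "none" (plain HTTP or no cert), "dv" or "ev".
function identityDisplay(urlString, cert, ocspStatus) {
  const url = new URL(urlString);
  const domain = url.hostname;
  if (url.protocol !== "https:" || !cert) {
    return { level: "none", domain, org: null };
  }
  // EV treatment requires a good OCSP response; anything else falls back to
  // the DV treatment instead of presenting an unverified organisation name.
  if (cert.ev && ocspStatus === "good") {
    return { level: "ev", domain, org: cert.organization || null };
  }
  return { level: "dv", domain, org: null };
}

// Edit distance, used to flag hosts that are a typo or two away from the
// domain the user expects (the "mozillla.org" and "yahooo.com" cases above).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Compare the tail of the host that has as many labels as the expected domain
// (a stand-in for the registrable domain; no public-suffix handling here).
// Returns null when the host is the expected domain or a subdomain of it.
function lookalikeWarning(host, expected) {
  if (host === expected || host.endsWith("." + expected)) return null;
  const tail = host.split(".").slice(-expected.split(".").length).join(".");
  const edits = levenshtein(tail, expected);
  if (edits <= 2) {
    return `${host}: '${tail}' is ${edits} edit(s) from '${expected}'`;
  }
  if (host.includes(expected)) {
    return `${host}: embeds '${expected}' but is a different domain`;
  }
  return null;
}

// Constructed walk-through of the cases discussed in the thread.
function demo() {
  const evCert = { ev: true, organization: "Example Bank, Inc." };
  const dvCert = { ev: false, organization: "" };
  return [
    identityDisplay("https://www.example-bank.test/login", evCert, "good"),
    identityDisplay("https://www.example-bank.test/login", evCert, "unknown"),
    identityDisplay("https://bugzilla.mozillla.org/", dvCert, "good"),
    identityDisplay("http://www.example-bank.test/", null, null),
    lookalikeWarning("bugzilla.mozillla.org", "mozilla.org"),
    lookalikeWarning("www.paypal.com.evil.example", "paypal.com"),
    lookalikeWarning("www.paypal.com", "paypal.com"),
  ];
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of demo()) console.log(line);
}
```

Run it with `node` to print the seven constructed cases. The fallback in `identityDisplay` is the design choice worth noting: an EV certificate without a good OCSP answer is shown exactly like a DV certificate, so the user never sees an organisation name that the revocation check could not confirm, which is the behaviour Michael describes for the EV UI.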
