>Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which
>is expected to be released on 22-October. Details below.
Just out of interest, how are the CAs taking this? If there's no more reason
to pay a substantial premium to enable additional UI bling in browsers, isn't
this going to kill the market for EV certs?
Peter.
>I share the opinion with Jakob, except with the CVE. Please remove this
>change. It is unnecessary and kills the EV market.
And that was my motivation for the previous question: We know from a decade of
data that EV certs haven't made any difference to security. The only thing
they've affected is CAs' bottom line, since they can now go back to charging
1990s prices for EV certs rather than $9.95 for non-EV certs. Removing the UI
bling for the more expensive certs makes sense from a security point of view,
but not from a business point of view: "it kills the [very lucrative] EV
market".
It'd be interesting to hear what CAs think of this. Will the next step be EEV
certs and a restart of the whole cycle, as was predicted when EV certs first
came out?
Peter.
>I have to admit that I'm a little confused by this whole discussion. While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.
Oh, that's easy:
A few years ago certificates still cost several hundred dollars, but now
that the shifting baseline of certificate prices and quality has moved to
the point where you can get them for $9.95 (or even for nothing at all) the
big commercial CAs have had to reinvent themselves by defining a new
standard and convincing the market to go back to the prices paid in the good
old days.
This déjà-vu-all-over-again approach can be seen by examining Verisign’s
certificate practice statement (CPS), the document that governs its
certificate issuance. The security requirements in the EV-certificate 2008
CPS are (except for minor differences in the legalese used to express them)
practically identical to the requirements for Class 3 certificates listed in
Verisign’s version 1.0 CPS from 1996 [ ]. EV certificates simply roll back
the clock to the approach that had already failed the first time it was
tried in 1996, resetting the shifting baseline and charging 1996 prices as a
side-effect. There have even been proposals for a kind of sliding-window
approach to certificate value in which, as the inevitable race to the bottom
cheapens the effective value of established classes of certificates, they’re
regarded as less and less effective by the software that uses them (for
example browsers would no longer display a padlock for them), and the
sliding window advances to the next generation of certificates until
eventually the cycle repeats.
That was written about a decade ago. As recent events have shown, it was
remarkably accurate. The sliding window has just slid.
Peter.
>Problem example:
>[...]
You're explaining how it's supposed to work in theory, not in the real world.
We have a decade of real-world data showing that it doesn't work, that there's
no benefit from EV certificates apart from the one to CAs' balance sheets. So
the browser vendors are doing the logical thing, responding to the real-world
data and no longer pretending that EV certs add any security value, both in
terms of protecting users and of keeping out the bad guys - see the attached
screen clip, in this case for EV code-signing certs for malware, but you can
buy web site EV certs just as readily.
Peter.
>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozilla as the reason for removing the EV bling... one example is
the most obvious statistic, maintained by the Anti-Phishing Working Group
(APWG), which shows an essentially flat trend for phishing over the period of a
year in which EV certificates were phased in, indicating that they had no
effect whatsoever on phishing. There are endless other stats showing that the
trend towards security is negative, i.e. it's getting worse every year; here
are some five-year stats from a quick google:
https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png
If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.
There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them. So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.
Peter.
>So far all I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.
See the phishing stats from any source you care to use. I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL Store blog which happened to be the first Google hit, but feel free to
take any source of stats you trust, and see if you can find any that show that
phishing decreased and/or security increased due to EV certs.
I could also reverse this and say: You claim that EV certs are useful. Produce
some stats showing this. We could agree on using the APWG as our source,
since they're pretty authoritative.
In either case, we've got a good, decade-long, reliable, heavily-analysed data
source, it's up to the two sides to use it to support their case. I've
already made mine.
>Yes, I work for a CA that issues EV certificates, but if there was no value
>in them, then our customers would certainly not be paying extra for them.
Must remember that one for the quotes file :-).
In case you're wondering why I find it amusing, consider this variant:
Yes, I work for Monster Cable, but if there was no value in our cables then
our customers would certainly not be paying extra for them.
Peter.
>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.
See also the screenshot I posted earlier. That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to pay for
them. These are legit EV certs issued to legit companies, available off the
shelf for criminals to use. For a little extra payment you can get ones with
high SmartScreen scores so your malware is instantly trusted by the victim's
PC.
>The burden is not on the web browsers to prove that EV is detrimental to
>security - the burden is on third parties to prove that EV is beneficial.
Yup, as per my previous post. We've got vast amounts of data on this; if
there was a benefit to users then it shouldn't be hard to show that from the
data.
Peter.
>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site which discourages the use of EV.
Again, this is how it works in theory and in CA sales pitches (OK, that second
bit was redundant). Since you can buy EV certs off-the-shelf from underground
web sites, or get them directly yourself if you want to put in the effort, it
obviously doesn't work that way in practice.
In any case though that's just a distraction: Since phishing has been on the
increase year after year, the existence of EV certs is entirely irrelevant.
There's a great Dave Barry joke [0] where he explains how to threaten someone
with dynamite: You call them up, hold the burning dynamite fuse up to the
handset and say "You hear that? That's dynamite baby!".
EV certs are the same thing. "You see that? That's an EV cert baby!". It's
as effective a threat to phishing as Dave Barry's dynamite threat.
Peter.
[0] This joke has been credited to a number of sources, including Dave Barry.
It sounds like a Dave Barry to me.
>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion is on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as far as I know.
>
>It's been documented that EV Code Signing certificates are on the black
>market. Did you see the same thing for EV SSL/TLS?
Yes, you can buy both, I used the code-signing EV one because I happened to
have a screenshot handy from a writeup I'm working on. In addition, EV
code-signing certs are much higher value, particularly when they come with
SmartScreen ratings, because they give you instant malware execution on a
billion plus systems, while EV web site certs are kinda meh. So EV code
signing is the holy grail, the hardest to get, and yet they're readily
available on the black market. EV web site certs are an afterthought in
comparison, "we also have those if you want 'em".
Peter.
>the effectiveness of the EV UI treatment is predicated on whether or not the
>user can memorize which websites always use EV certificates *and* no longer
>proceed with using the website if the EV treatment isn't shown. That's a huge
>cognitive overhead for everyday web browsing
In any case things like Perspectives and Certificate Patrol already do this
for you, with no overhead for the user, and it's not dependent on whether the
cert is EV or not. They're great add-ons for detecting sudden cert changes.
Like EV certs though, they have no effect on phishing. They do very
effectively detect MITM, but for most users it's phishing that's the real
killer.
Peter.
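As an added illustration of the point made in the post above (example code, not part of the thread and not the add-ons' own code), here is a minimal Certificate Patrol-style observer: it pins the first certificate fingerprint seen for each hostname and reports a later change, with no EV involvement and no user effort. Hostnames and certificate bytes are constructed; the last case shows the limitation described in the post, since a look-alike phishing host has no history and is merely "new", not an alarm.

```python
import hashlib


class CertObserver:
    """Remember the first certificate seen per hostname and flag later changes.

    Models the Perspectives / Certificate Patrol idea: the comparison is only
    ever against a host's own history, so a sudden certificate swap on a known
    host (a MITM) stands out, while a freshly registered look-alike domain
    used for phishing has no history to compare against.
    """

    def __init__(self):
        self.pins = {}  # hostname -> SHA-256 fingerprint (hex) of the first cert seen

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def observe(self, hostname: str, der_cert: bytes) -> str:
        """Return 'new' on first sight, 'unchanged' on a match, 'changed' otherwise."""
        fp = self.fingerprint(der_cert)
        known = self.pins.get(hostname)
        if known is None:
            self.pins[hostname] = fp  # trust on first use
            return "new"
        # A mismatch is reported but the pin is NOT replaced; that is the user's call.
        return "unchanged" if known == fp else "changed"


# Constructed stand-ins for DER-encoded certificates. Any bytes serve the
# fingerprint comparison; real code would pass the leaf cert from the TLS handshake.
BANK_CERT = b"constructed: bank.example legitimate cert"
MITM_CERT = b"constructed: bank.example cert presented by an interceptor"
PHISH_CERT = b"constructed: bank-login.example phishing site cert"


def demo():
    obs = CertObserver()
    return [
        obs.observe("bank.example", BANK_CERT),         # first visit
        obs.observe("bank.example", BANK_CERT),         # normal revisit
        obs.observe("bank.example", MITM_CERT),         # interception detected
        obs.observe("bank-login.example", PHISH_CERT),  # phishing host: no alarm
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```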
>Your legendary dislike for all things X.509 is showing.
My dislike for persisting mindlessly with stuff we already know doesn't work
is showing (see in particular the quote typically misattributed to Einstein
about the definition of insanity), and given the rich target environment
that's available in the security field that's in no way limited to X.509.
Apart from that, you're quite correct.
It's not working.
It's obvious that it's not working.
It's been obvious for years that it's not working.
Time to try a new approach, rather than just repeating a new variant of what
we already know doesn't work all over again.
Peter.
>I just looked at Opera and noticed that they don't have any UI difference at
>all, which means I have to open the X.509 certificate to see if it is EV or
>not.
Does anyone know when Opera made the change? They had EV UI at one point, and
then there's this bug report:
https://forums.opera.com/topic/17923/ev-certificate-looks-like-ov
which blames the lack of EV UI on Chromium, so something inherited from
Chrome. It looks like it's then just a side-effect of the Chrome change and
allegedly "fixed in 44.0.2494.0", but Chrome 57 was from 2017, which means at
some point the change got reinstated.
Peter.
><https://www.typewritten.net/writer/ev-phishing/> and
><https://stripe.ian.sh/> both took advantage of weaknesses in two
>government registries
They weren't "weaknesses in government registries", they were registries
working as designed, and as intended. The fact that they don't work in
the way EV wishes they did is a flaw in EV, not a problem with the
registries.
>Both demonstrations caused the researchers' real names and identities to become
>part of the CA record, which was hand-waved away by claiming that could
>have been avoided by criminal means.
It wasn't "wished away", it's avoided without too much trouble by criminals,
see my earlier screenshot of just one of numerous black-market sites where
you can buy fraudulent EV certs from registered companies. Again, EV may
wish this wasn't the case, but that's not how the real world works.
>A 12-year-old study involving an equally outdated browser.
So you've published a more recent peer-reviewed academic study that
refutes the earlier work? Could you send us the reference?
Peter.