On 12/12/2017 20:04, Ryan Sleevi wrote:
> On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>>
>> The overall thing is that the current thread seems to be a major case of
>> throwing the baby out with the bathwater.
>>
>
> That is overly reductive and may demonstrate a lack of understanding of the
> points of criticism.
>
>
>> The entire problem boils down to this:
>>
>
> No, it doesn't.
>
> This is yet another practical demonstration of an overall set of flaws with
> EV, for which those bolsters (which it would be fair to say include you, at
> this point) do not acknowledge the holistic set of issues - or their
> fundamental failure.
>
> For those involved in the regular, day to day involvement with PKI, these
> sets of concerns are well at the forefront of our minds, but in the event
> you may not be familiar:
>
What you are writing below, with far too many words, is that you think
that URLs are the only identities that matter in this world, and
therefore DV certificates are enough security for everyone.
2.1.1(1) most certainly requires a UI that displays that legal entity
identity. It does not require suppressing legal entity identities
verified at a lower confidence level (OV certs). I have myself filed
bug comments to this effect.
> - 2.1.1 (2) is not necessary - DV already achieves that
But DV doesn't tie the encrypted connection to 2.1.1(1).
> - 2.1.2 (1) is demonstrably false
2.1.2 (1) is a lofty and difficult goal. But 2.1.2 (2) helps in this
regard.
If the vetting is as strong as it should be for EV, the evidence of
tying to a real legal entity will also be strong enough to facilitate
2.1.2 (3).
> - While Ian's example is yet another part of this, there's nothing
> fundamental within EV certificates that achieves 2.1.2 (1), because that
> goal is itself so ill-defined that it fundamentally is unachievable.
The "Spring Inc." (Kentucky) example contributes towards achieving 2.1.2 (1) by
actually requiring the phisher to pass whatever requirements are imposed
by a government entity within the victim country (because the EV UI
shows the country directly). This reduces the attack surface from all
global domain name registrars to the national set of government company
registration authorities, and whatever anti-fraud security precautions
are imposed on them by the same governments that actually have courts
and police forces applicable to fighting online phishing scams.
Registering a company in Kentucky will not get you an EV certificate
that pretends to be in Canada, Mexico or France. Registering a company
in Italy will not get you an EV certificate that pretends to be in the
US.
Displaying the actual jurisdictionOfIncorporation (not just the country)
would further reduce the attack surface to the actual operating location
(such as California) and any common generic locations in that country
(Delaware, New York, etc.).
> - CAs who believe that biased marketing surveys are equivalent to
> peer-reviewed research would have you believe that "Out of 100 phishing
> sites we saw, none used EV, therefore, EV is more secure", therefore this
> goal is achieved. This is so scientifically unsound and methodologically
> flawed that it should be laughed out of serious discussion, yet they
> continue to peddle such abject logically unsound rubbish. They might as
> well shout "fake news" for all the credibility should be afforded to them.
I have not used any such nonsense in my argumentation.
> - Sticklers for this point will typically suggest this can be achieved
> through one of three means - "temporal risk", "financial cost", or "legal
> risk" - namely:
> - because an EV cert takes longer (temporal), it reduces risk because
> people don't want to wait (ignoring the fact that some CAs will turn out an
> EV cert in hours)
That might be a missing requirement in the EV guidelines. i.e. "If not
renewing a certificate or otherwise dealing with a long established CA
subscriber relationship, EV vetting should not be considered complete
until at least 1 week has passed since the vetting began. During such a
delay, the CA must monitor any relevant places where identity frauds are
likely or required to be reported to ensure that any quickly reported
fraud cannot result in issuance to someone other than the true
identity".
However none of my arguments for keeping EV require this.
> - because an EV cert has, on average, a substantially higher cost
> (financial) than a DV cert, it serves as a bar to entry for attackers who
> would otherwise not want to use money (ignoring that attackers,
> particularly phishers, already have a network of credentials and resources
> to charge against)
There could be requirements that the payment means (credit card, PO
etc.) is legally tied to the vetted entity. This would limit the use of
stolen payment resources to impersonating the legit holders of same (or
getting a bank to issue payment means for the wrong identity).
However none of my arguments for keeping EV require this.
> - because an EV cert requires some sort of legal identity, they're
> exposing themselves to risk of identification (ignoring work like James' or
> Ian's, because, well, that's convenient)
Is there any report that James or Ian did not have to use their real
identities to set up the companies? If they didn't, there's something
wrong with the administration of that company jurisdiction.
> - 2.1.2 (3) does not require any UI - that's purely on the backend
>
Of course.
> So the whole premise for why there should be *any* UI treatment is
> predicated on 2.1.2 (2), which clearly spells out that EV is a marketing
> tool, wrapped in the guise of a security tool. I do not feel you can offer
> a more charitable read of that section.
>
That is not what it says. At all. It says that it should be a way
for genuine businesses to show they are "not a dog", but someone who
exists in a very real sense, at least to the extent that laws enforce
such requirements in the offline world.
For major phishing targets such as banks, they can (and do!) include
notifications in their brochures etc. telling customers to only type
their identity in if there is a green bar with the bank's name next to
the URL.
This is to ensure that the only ways to bypass EV are to compromise the
banks' genuine systems (directly or indirectly), or to compromise a
government office dedicated to establishing company identities (which
may be easy in Kentucky).
> And what do we get for that browsers selling, rent-free, their critical UI
> space of billions of users?
>
> Well,
> 2.1.3 (1) - No assurances that they're doing business
> 2.1.3 (2) - No assurances that they comply with applicable laws
> 2.1.3 (3) - No assurances that they're trustworthy, honest, or reputable
>
That just spells out the very real and good principle that the issuance
of *identity* documents does not vouch for the *quality* of the
individual or company.
>
> Literally the entire value proposition of EV reduces to "CAs want to sell
> billboards in the browser's security UI". And the fundamental point is that
> such UI is security critical - it's the line of death between trustworthy
> and untrustworthy content (https://textslashplain.com/2017/01/14/the-line-of-death/).
>
> The goal is to ensure this URL bar requires as little cognitive thought
> possible - you should be able to quickly determine if you're at where you
> expect, where "where you expect" is the URL. And the URLs you use should
> use systems that do not rely on users checking that - e.g., they should be
> using origin bound credentials (WebAuthN/U2F), they should be using
> browser/password manager mediated identities (Credentials API), etc.
>
"Where you expect" is NOT the URL. It is the real world entity you want
to talk to. EV and OV tie the URL to someone real, such as the bank
around the corner or the well known company you want to do business
with.
> This isn't throwing the baby out with the bathwater. This is recognizing
> that having a billboard of things users are also supposed to know or else
> we get to blame them when things go wrong is bad policy, bad security, and
> actively hostile to users. Let's not let idealism get in the way of the
> pragmatic reality that the most important job a browser has is keeping
> users safe and secure, the most effective way to do that is to keep things
> as simple as possible (so that all people, of all skillsets, can enjoy the
> Web), and the simplest way to security is to get users to the point of not
> having to think about it, because the systems Just Work. EV is predicated
> on the idea of training users to be cognitively aware of all of the legal
> nuance of the organization, and ever vigilant, as a way of absolving site
> operators and CAs of their responsibility to make the system better. That's
> just bad policy.
>
Having a billboard of things to blame the user for not knowing is
certainly the wrong way to use this. Having something easy to check
like a policeman wearing an official badge helps users reject obvious
fakes, thus making it harder for any random fraudster to just tell
people they are cops / banks / shops.
Victims should not be blamed for being defrauded, but they should still
be helped not to be.
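What the jurisdictionOfIncorporation display argued for above would change, as an added Go example that is not part of this thread: it builds two self-signed certificates with constructed EV-style subjects (the same organisation and country, one incorporated in Kentucky and one in California; the company names are made up) and renders each both as today's country-only badge and with the full jurisdiction, using the jurisdiction attribute OIDs from the EV Guidelines.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidJurState = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}   // EV Guidelines jurisdictionStateOrProvinceName
var oidJurCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3} // EV Guidelines jurisdictionCountryName

// MakeEVCert builds and re-parses a self-signed certificate with an EV-style subject (constructed test data).
func MakeEVCert(org, country, jurState, jurCountry string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Organization: []string{org}, Country: []string{country},
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidJurState, Value: jurState}, {Type: oidJurCountry, Value: jurCountry}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EVDisplay renders the subject two ways: today's "org [country]" badge, and the fuller label with
// jurisdictionOfIncorporation. pkix.Name has no jurisdiction fields, so they are read by OID from Names.
func EVDisplay(cert *x509.Certificate) (countryOnly, withJurisdiction string) {
	countryOnly = fmt.Sprintf("%s [%s]", cert.Subject.Organization[0], cert.Subject.Country[0])
	var state, jc string
	for _, atv := range cert.Subject.Names {
		if v, ok := atv.Value.(string); ok && atv.Type.Equal(oidJurState) {
			state = v
		} else if ok && atv.Type.Equal(oidJurCountry) {
			jc = v
		}
	}
	return countryOnly, fmt.Sprintf("%s (incorporated in %s, %s)", countryOnly, state, jc)
}
```

Two subjects that differ only in jurisdictionStateOrProvinceName render identically in the country-only badge and are told apart only by the fuller label.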