Ben,

If you take a closer look at the attacks that are costing the most, they are based
on e-mail.  The problem with e-mail is that there is no credible authentication
structure in place at all.  If there were such a structure, it would be much less
tempting to send spam from fake addresses, infect computers with viruses,
and try to lure people with phishing links.

Some people then say: "But we have S/MIME!".
Yeah.  After 10Y+ of US government billion-dollar investments in
FPKI you still can't send an encrypted message to the IRS.  You
probably never will either.  Not to mention the problem in the other
direction.  As John Cleese once put it: This parrot is no more, it has
met its maker etc etc.

BTW, the cost of e-mail cleaning is a BILLION useful working hours
per year.

Did I mention EV?  No, because the problems with SSL certificates
are greatly exaggerated, and green bars and cute padlocks are just
"chrome" that means close to nothing for most people.

Anders R

----- Original Message ----- 
From: "Ben Bucksch" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.security,mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Thursday, February 01, 2007 20:34
Subject: EV guidelines


Followup-To m.d.security

Basics: SSL certificates are supposed to ensure the identity of the one 
you talk to. One reason is to make the crypto meaningful (a MITM attack 
is still possible with SSL, if the middleman uses his own cert and the 
client accepts it as real). The other reason is to connect online 
business to real world business - if you buy at a store, and give your 
credit card data, you want to know it's not going to Russia, but to a 
real company, and that you can sue them, if they don't deliver.
Note that SSL certificates say nothing about the trustworthiness or 
similar; they just verify identity.

Problem: GeoTrust and a few other companies started selling cheap 
certificates which are issued automatically (no human involved) and only 
check whether the applicant has control over the domain (or email 
address) that the certificate is to be issued for. These are called 
"domain control verification" or DV certs. The "holder's name" field in 
the certificate does not get verified *at all* and is thus useless with 
these certs - it either equals domain name or can be simply lying, 
despite being signed by the CA. Given that, these new cert types pose a 
significant problem to business on the web, and make phishers' lives easy 
(if phishers even bother with SSL or certs).

EV solution by the "CA/Browser Forum": A bunch of CAs came up with a 
proposal of a new cert standard. Mainly, it mandates the checks that the 
CA has to do to verify the certificate holder. They are intended to be 
sold to high-profile sites like eBay.com, and cost $1000/year upwards. 
So, one obvious reason for EV is that CAs want to charge more money from 
the customers that make a lot of money on the web. It does increase the 
level of vetting substantially, and it's definitely a huge improvement 
over the status quo. So, browsers and browser users also gain from it. For 
Microsoft, it's actually part of an anti-phishing initiative: MSIE was 
supposed to make the URLbar green for some sites, and EV was one 
mandatory criterion for that (there are other criteria as well, e.g. 
anti-phishing blacklists etc.).

The "CA/Browser Forum" consists of all major browser vendors, 
including Microsoft, Mozilla Foundation, KDE (Konqueror), and Opera 
(Apple is missing). Most of the big CAs are on it as well.
The current guidelines are at 
<http://www.cabforum.org/EV_Certificate_Guidelines.pdf>. It's 70-100 
pages in lawyer language.


My comments:

Don't be fooled by the language and length, though. "Qualified 
Independent Information Sources" could probably simply be a phonebook, 
and a "site audit" is a clerk looking at the sign on the street and 
peeking in the lobby. That's not what *I* would call an "audit".

The "phone number verification" happens by calling the number and seeing 
who answers (Me at 0900-123456: "Microsoft, how can I help you?") 
(16(b)(2)(A)+(C)). So, I could apply as Microsoft, supply them my 
number, answer as Microsoft, and that's the verification. To top it, 
this number can then be used to verify the signature, with "a response 
from someone who identifies themselves as such person confirming that 
he/she did sign the applicable document". Maybe I have overlooked 
something, but I could give them the address of eBay, or my address with 
an eBay sign, and *my* phone number, sign the doc, and then when they 
call me, greet with "Ben Bucksch of eBay speaking" and confirm that I am 
a "Contract Signer" who is allowed to represent eBay and I did indeed 
sign the doc. huh?

This whole thing has lots of loopholes. Given the experience and market 
pressures, we have to assume that the CAs use the absolute minimum and 
cheapest standards that still pass the guidelines, and they'll automate 
as much as possible.

Also, there are really heavy statements in there, e.g. the liability 
(37(a); see also 
<https://financialcryptography.com/mt/archives/000862.html>): If the CA 
follows the EV guidelines and the user gets ripped off, the CA is not 
liable at all - be it due to a hole in the guidelines or other reasons. 
Even worse, though, if the CA *fails* to follow the guidelines, and the 
user gets ripped off *because of that*, the liability of the CA is 
limited to $2000 - not even per case, but per cert/CA customer. Even a 
single normal phishing incident is easily higher than that. That's 
particularly sobering considering that a cert *costs* $1000-2000 - that 
means I could set up a CA and sell certs to everybody including the 
mafia and not verify certs *at all*, and even pay all liability (per EV 
guideline doc) and still make a profit for my few valid customers. 
Sorry, how does that help users *at all*? IMHO, this should be backed by 
$10-100 million insurance - per incident. Even an average $100 UPS 
comes with $100,000 insurance.


My alternative proposal:
(most important part of posting)

We need to connect online business with real world business. I want to 
have somebody to sue - who won't vanish when poked at. And I want that 
the info in the cert is actually correct.

I really think that every CA-issued certificate must be verified using 
the following steps:

   1. Using the official state register of companies to verify company
      name and representing natural person
   2. Acquiring written signature (original) of that person
   3. Checking the signature against the ID card / passport of that person

This, and pretty much only this, will ensure that the card holder really 
is who he claims to be, in real life, as seen by the government and 
courts. Thus, before EV, I assumed that the above is performed for the 
$100/year certs.

It should be cheap enough, *esp.* so for $1000/year EV certs. In 
Germany, if you want to mail-rent (Netflix-alike) 18+ movies (including 
Van Helsing), you have to pass harder verification steps than EV. You 
actually have to walk to the post office, which has a service to verify 
your identity card and send the result back to the requester. It costs 
10 Eur, once. In fact, my grocery store not only asks for my signature 
for every purchase, they even double-check the signature against my ID 
card every time! (Apart from the people who already know me.) If a 
grocery store clerk can do it for a $10 purchase, a CA can do it for a 
$1000/year cert which is backing up $ x00 million business for tens of 
thousands of users.

People have said that not every US citizen has a passport. But they can 
get one. This is about ensuring something to users, after all.

Note that I think that natural persons and small companies should also 
be able to get an EV cert, from the start.


UI proposal:

We could e.g. then show the cert holder name next to the domain name in 
the urlbar, so that the real world name is a trust root, in addition to 
the domain.

That would be something most users can more easily relate to than the 
domain name system, which is logical, but literally backwards.
However, the real world company name may then be just as much a phishing 
target as the domain name is now. We'll not only have international 
character sets (compare IDN), which we can't easily escape from as we 
did with domains, but there'll be another class of attack of similar 
seeming company names, e.g. is Shell Books a subsidiary of Shell Oil 
Company or not, or is "e Bay Auctioners, Inc." a part of eBay?


UI: Green urlbar, as maybe done by MSIE:

http://it.slashdot.org/article.pl?sid=07/01/26/1325228
> /"Stanford University and Microsoft Research have published a study 
> that claims that the new Extended Validation SSL Certificates in IE7 
> are ineffective <http://www.usablesecurity.org/papers/jackson.pdf> 
> (PDF). The study, based on user testing, found that EV certificates 
> don't improve users' ability to detect attacks, that the interface can 
> be spoofed, and that training users actually decreases their ability 
> to detect attacks. The study will be presented at Usable Security 2007 
> next month, which is a little late now that the new certificates are 
> already being issued. 
> <http://it.slashdot.org/article.pl?sid=07/01/13/1615213&tid=172>"/

Study done in Sept 2006 and I found the setup (training etc.) highly 
questionable, but the only conclusion one can draw is that the green bar 
increased people's trust in websites - ironically real and fraudulent 
alike! (no matter if green bar or not)

So, if one can believe the study, the green bar is a really bad idea.

-- 
When responding via mail, please remove the ".news" from the email address.
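The thread's distinction between a DV certificate (only the domain is checked; the subject organisation field is absent or meaningless) and an OV/EV certificate that carries a vetted organisation name, together with Ben's UI proposal of showing the holder name next to the domain, can be made concrete with a small certificate inspector. The following is an added example written for this thread, not code from any of the participants, Mozilla, or the CA/Browser Forum. It assumes the third-party Python `cryptography` package is installed, builds two self-signed test certificates in memory (the subjects, the domain `shop.example.net` and the organisation `Example Auctions GmbH` are constructed for the demo), and the function names `make_self_signed`, `holder_name` and `display_line` are the example's own.

```python
"""Constructed example: what a "holder name next to the domain" url-bar
annotation could display for a DV-style versus an OV/EV-style certificate.
Builds throwaway self-signed certificates with the `cryptography` package,
so it runs offline; nothing here is issued by a real CA."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_self_signed(subject_attrs, dns_name):
    """Build a short-lived self-signed certificate with the given subject
    attributes (list of (OID, value) pairs) and one DNS SAN entry."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(key, hashes.SHA256())
    )


def holder_name(cert, domain):
    """Return the organisation name worth showing next to the domain, or
    None when the certificate carries nothing beyond the domain itself.

    A DV certificate, as the thread describes it, has a subject whose only
    meaningful attribute is the CN (the domain); an organisation field is
    either absent or merely repeats the domain. Note that the presence of
    an O field proves only that the CA put it there, not how well it was
    vetted; that is exactly the gap the EV guidelines are meant to close.
    """
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    if not orgs:
        return None
    org = orgs[0].value.strip()
    if not org or org.lower() == domain.lower():
        return None
    return org


def display_line(cert, domain):
    """Compose the url-bar text proposed in the thread: real-world name
    first, domain in parentheses; DV certificates fall back to the domain."""
    org = holder_name(cert, domain)
    return f"{org} ({domain})" if org else domain


# Constructed test material: one DV-style and one OV/EV-style subject.
DOMAIN = "shop.example.net"
DV_CERT = make_self_signed([(NameOID.COMMON_NAME, DOMAIN)], DOMAIN)
EV_CERT = make_self_signed(
    [
        (NameOID.COUNTRY_NAME, "DE"),
        (NameOID.ORGANIZATION_NAME, "Example Auctions GmbH"),
        (NameOID.COMMON_NAME, DOMAIN),
    ],
    DOMAIN,
)

if __name__ == "__main__":
    print(display_line(DV_CERT, DOMAIN))  # shop.example.net
    print(display_line(EV_CERT, DOMAIN))  # Example Auctions GmbH (shop.example.net)
```

The inspector deliberately treats an organisation field that merely repeats the domain as "no holder name", since some automated issuers fill O with the domain; it cannot, of course, tell a vetted organisation name from a lying one, which is the thread's central complaint.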

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto