Thursday, May 12, 2022

Extended Verification Certificates

Troy Hunt (via Nick Heer):

Ah, now we know the cert has been issued to DigiCert Inc. in the US. So, all good right? No, because who are they? I mean, all we know is that the cert has been issued to an entity with that name, we don’t know if they are a certificate authority or a company that certifies how many fingers you have on your hand (digits - get it?). This is what Ian Carroll demonstrated a few years back when he got an EV cert for Stripe Inc. Perfectly legit cert issued to a perfectly legit entity, just not the one everyone thought it was.

[…]

Amazon doesn’t have an EV cert, inevitably because they’re smart enough to realise it wouldn’t do them any good if they did! But you see the problem: if DigiCert wants to make the case that you should inspect a cert by drilling down 2 clicks (not one) before trusting the site, that clearly flies in the face of how the web actually works. Same with eBay. Same with Alibaba. Same with the little shop I buy my coffee from. Don’t “look beyond the lock” because if you do, you’re not going to be buying anything online any more.

[…]

Let’s keep humouring DigiCert: how do you look “beyond the lock” on mobile? You know, those devices that are now massively dominant in the mobile shopping space? The ones that account for about three quarters of all e-commerce sales? Try it on Safari on iOS. Can you figure out how to inspect a site’s certificate? You won’t, because you can’t.

7 Comments RSS · Twitter

Joshua Ochs

At what point do we admit that the entire "trusted authority" system of certification is fundamentally broken? We keep seeing misuses of it, unfixable problems, and breakage left, right, and center, but keep on as if it's the only possible way. And meanwhile, we make perfectly valid uses of encryption (self-signed certificates for home, development, etc) more and more difficult to deploy. Surely we've come up with better systems to verify/trust remote systems in the last 30 years?

@Joshua Ochs:

We have; it's called DANE (or SSHFP, for SSH): simply publish keys or their hashes in DNS. But for silly political and self-serving reasons the Great and the Good in big tech and government refuse to endorse it. (Certificate Transparency is clearly only helping the big players, of course we can eventually fix middleboxes, convenience of other solutions taken up by the big players is no match for security, not to speak of good design, etc.)

@ Joshua: we can do centralized identity with CAs, registrars, governments, etc., and that creates incentive problems (very easy for a CA to set up a business that doesn't really _do_ much of anything other than collect money in exchange for reputation) as well as privacy issues. Or we can do decentralized identity with Web Of Trust, etc., and there's a multitude of reasons that has never taken off and perhaps never will.

@ Sebby: DANE just ties the identity of TLS to that of DNS. It doesn't really solve "is this who they think they are"; instead, it punts that to "well, maybe the domain registrar is more trustworthy than the CA".

@Sören DNS is a single centralised structure with each point of delegation an opportunity for control to be delegated, and all parties on the Internet can and should ultimately be known by their domain names. This has two useful properties: users can understand the responsible party at any given point in the tree and each party is ultimately accountable. This would be a much more credible defence against sabotage, IMO: if a domain owner goes bad, don't use its services; if a registry goes bad, just stop using its domain names; if a registrar goes bad, the registries have a great incentive to refuse to accredit (and users who learn about that registry can also do their bit). The CA monster is all about giving maximal power to all parties on the VIP list, whilst trying to hold them all accountable by using force to benefit the biggest players with Certificate Transparency and various non-solutions for TLS upgrade and certificate (non-)issuance. DANE can be used alongside the CA system, too, so even if you do have a political or technical objection you can choose to simply ignore the benefits. It can only help and it really should be done, IMO.

> DNS is a single centralised structure with each point of delegation an opportunity for control to be delegated, and all parties on the Internet can and should ultimately be known by their domain names.

Yes, but that doesn't solve identity. If I buy amazon.biz, am I Apple Inc.? WHOIS exists, but has been largely neutered for privacy reasons.

> This has two useful properties: users can understand the responsible party at any given point in the tree

They cannot. That's one of the reasons phishing works. If I buy chase-secure-banking.com, I assure you some people will think that's real. If I add cryptography on top of that the way DANE and DNSSEC do, some piece of software might even give the domain some padlock somewhere to make it look more authentic. Except it's not.

I get the gripes with CAs, but registrars alone are not the answer, and adding cryptography doesn't solve identity. Government might be, but that comes with its own warts. (For businesses, browsers might trust an international repository of commercial registers, and show some indication of "California state says this domain does in fact belong to Apple Inc.", but good luck scaling that across all countries.)

CAs for EV certs do, at least, try some level of verification. Domain registrars by and large do not.

DNS is a single centralised structure with each point of delegation an opportunity for control to be delegated, and all parties on the Internet can and should ultimately be known by their domain names.

Yes, but that doesn't solve identity. If I buy amazon.biz, am I Apple Inc.? WHOIS exists, but has been largely neutered for privacy reasons.

No, you're "amazon.biz"--whatever that is. And if I have no reason to trust "amazon.biz" or to know who "amazon.biz" are, then I simply shouldn't talk to "amazon.biz". The point I'm making is that it's precisely this obsession with trying to associate online identities with "real world" identities that's at the root of the trouble. People make guesses and they're often wrong, but "amazon.biz" is probably a scam and "amazon.com" is owned by a large, well-known retailer with added bookshop. People need to know that they do business with "amazon.com" which just so happens to be run by a large retailer with added bookshop incorporated as Amazon.com Inc. And if Apple were ever to own "amazon.biz" then it would best behoove them to explain to world+dog why exactly they feel a domain name like "amazon.biz" best fits a company like Apple Inc., instead of telling world+dog that Apple Inc. owns "apple.com" and that, online, people wishing to talk to Apple Inc. should always talk to "apple.com". In other words the domain ownership is the identity of the business, not aside from it, and is not merely a technical detail to be speculated about by users. (I don't appreciate the UDRP entanglement with the WIPO very much, but I suppose I can accept that it's probably necessary to stop squatters from hijacking brand names; in an ideal world, people would understand this point literally but in the real world there's probably a superficial expectation of some parity between domain names and brand names, however tenuous. Sigh.)

This has two useful properties: users can understand the responsible party at any given point in the tree

They cannot. That's one of the reasons phishing works. If I buy chase-secure-banking.com, I assure you some people will think that's real. If I add cryptography on top of that the way DANE and DNSSEC do, some piece of software might even give the domain some padlock somewhere to make it look more authentic. Except it's not.

Correct, and that's a problem that needs to be solved, by sternly educating users. (More difficult, but just as important, harder-to-spot orthographical frauds committed using IDNs etc.) And yes, in a time of ever-present TLS, it may even be time to remove indicators, rather than add them (though DANE users would probably initially benefit from an optional positive indicator, I accept that the right way forward is ultimately to indicate insecurity rather than security).

I get the gripes with CAs, but registrars alone are not the answer, and adding cryptography doesn't solve identity. Government might be, but that comes with its own warts. (For businesses, browsers might trust an international repository of commercial registers, and show some indication of "California state says this domain does in fact belong to Apple Inc.", but good luck scaling that across all countries.)

CAs for EV certs do, at least, try some level of verification. Domain registrars by and large do not.

CAs remain economically motivated to cut costs--that's why even EV is failing to deliver as promised. The very fact that EV is an (increasingly scarce) distinction nowadays owes much to the proliferation of "Domain Validation" (especially, of course, thanks to LetsEncrypt), which is clearly weaker even than domain registration as validation. "Organisation Validation" as a genre of product, though it exists, is technically irrelevant since it is indistinguishable from DV--yet it was once the raison d'être of every CA, until DV became acceptable in the marketplace and EV was "invented" to resist it.

You're right, government is probably a tough sell (and just look at Europe's demand for weaker CA policies for their identity scheme).

I will concede the open question of whether adding crypto to domains solves identity, only because I recognise that technical solutions too often fail the litmus test of hard reality and overlook legitimate civil concerns. I am a Utopian--no getting around that. I have faith in humanity which may not be warranted. Even so, I submit that DANE would be an improvement over the status quo. CAs have failed in their mission, and any failure they exhibit now will only ever been noticed by The Great and The Good, who have the power to observe security violations, not all Internet stakeholders who now lean on their largess. It's an intolerable situation, which contributes to the already grossly over-centralised Internet.

>No, you're "amazon.biz"--whatever that is. And if I have no reason to trust "amazon.biz" or to know who "amazon.biz" are, then I simply shouldn't talk to "amazon.biz". The point I'm making is that it's precisely this obsession with trying to associate online identities with "real world" identities that's at the root of the trouble.

It kind of matters, though, when you're trying to buy something and want to know if it's a scam.

> In other words the domain ownership is the identity of the business, not aside from it, and is not merely a technical detail to be speculated about by users.

I'm not sure what you're getting at here. Are you advocating for companies to put their domains in their ads more prominently?

Like, how _do_ you tell a website is the Amazon you're thinking of?

> Correct, and that's a problem that needs to be solved, by sternly educating users.

But what do I tell them? How do I explain to them that selfservicerepair.com is, in fact, legit? (By having them go to Apple Support instead and hop on over that way, I suppose.)

> More difficult, but just as important, harder-to-spot orthographical frauds committed using IDNs etc.

Yep, homograph attacks are a whole other can of worms.

> CAs remain economically motivated to cut costs--that's why even EV is failing to deliver as promised.

Agreed.

One more datapoint I'll add is that EV, for code signing, is a sufficiently greater burden that Microsoft has for a while now treated non-EV certs of apps that aren't frequently run as utterly untrustworthy. You either need to achieve a certain "enough people run this without issues" score, or to have an EV cert. Having an EV cert requires a more complicated validation process, and also a physical USB token, which frankly makes the build process more obnoxious — but it does gives an ever-so-slight added level of safety to users.

But I'm not trying to defend CAs. Nor to say that DANE is useless. I'm just saying the holy grail remains as uncharted today as it did a quarter century ago — neither web of trust nor a centralized authority quite seem to be it.

Leave a Comment