If the title wasn’t enough of a clue, this blog is about the recent debate over the value of EV SSL that has caught the information security industry by storm. I feel it’s about time that GlobalSign get their two cents in and defend our position as an EV SSL Certificate provider. Unless you have been living under a box, you know that several researchers have published articles on the value of EV.
Scott Helme published one showing how the company name in the URL bar can sometimes cause confusion. This came after James Burton showed that he could get a certificate from Symantec using a fake company he set up in the UK. He suggested that a hacker could get access to credentials off the dark web and use those to set up a fake company, then purchase a fake domain and an EV SSL certificate to secure that domain. Researcher Ian Carroll conducted a slightly different experiment, registering a fake company, but in the name of a company that already exists: Stripe. He registered the business in a different country, applied for a certificate on https://stripe.ian.sh instead of the real https://stripe.com and showed that in Safari, the URL bar looks exactly the same for both sites.
These articles have sent a wave of debate across the industry about the value of EV SSL. I have been closely following this conversation but have to say, it has been hard not to get angry about it. Angry at the misinformation that has been plaguing this industry for years and angry that we are all to blame for this.
I think we have all lost the true meaning of EV SSL. Certificate Authorities can be blamed for marketing EV SSL incorrectly and making it sound like EV Certificates could single-handedly combat phishing and magically increase your sales, but security researchers and pro-DV supporters can also be blamed for forgetting about the value of EV in securing the internet. Browsers too are at fault for not giving EV a UI that is fit for purpose; something that the average consumer would understand and recognise appropriately. I hope to look at some of the main issues with EV SSL in this blog and I will be using quotes from the Mozilla Dev Security Policy Group on Google.
The Purpose of an EV SSL
Can EV SSL be used for phishing? Yes, as we have seen from the above research. But for a hacker to go through the effort of buying a fake identity, registering a fake business, paying for a premium certificate and waiting 3-5 days to be validated on an EV SSL order to start conducting their criminal activity, they would have to be pretty determined. Especially when they already know they can get a free DV in a matter of seconds that gives them a padlock most consumers are likely to trust anyway.
This was the point of EV SSL. When the CA/Browser (CA/B) Forum laid out the guidelines for EV they specifically stated that the purpose of an EV SSL certificate is to:
a) identify the legal entity that controls a website and
b) enable encrypted communications with a website.
More specifically regarding point ‘a’, it says that EV is meant to:
“[p]rovide a reasonable assurance to the user of an Internet browser that the web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information”
The main thing here is reasonable assurance. We cannot guarantee or know 100% that the website you are on is one of a legitimate business (and an EV Certificate doesn't vouch for the activities of the business), but we can show you who they are.
So you might be asking, what is the point?
Privacy vs Identity
Since the Internet has existed there have always been two security issues that the information security community has been trying to solve:
- Privacy – how do we ensure that a third-party cannot read private communication between Bob and Alice?
- Identity – how can Alice ensure that it really is Bob communicating with her?
These are very similar to the issues at hand before the Internet existed. Postal deliveries used envelopes and wax seals to keep them from being opened, but someone could still open your mail and forge your personalized wax insignia to perform an old-school version of a man-in-the-middle or phishing attack. The fact is, there are no guarantees, only mitigation. But mitigation is important nonetheless.
This takes me back to previous arguments that have been made in the industry about DV being used for phishing, which is ultimately an identity issue – visitors can’t tell who is running the site and who they’re communicating with. On March 20th 2017, Vincent Lynch from the SSL Store published a blog that showed 1,000 certificates issued with the term “PayPal” in them, more than 99% of which were intended for phishing sites.
While companies like Let’s Encrypt have been praised for bringing an easy and effective way to obtain free DV certificates to the market, this has come with the added burden of being an enabler to millions of phishing websites that can now abuse the green padlock to look more trustworthy. Adding to this is the recent addition of a “secure” label in some browser UIs for all sites using SSL, so even a phishing site would be labeled “secure” because it is using a DV Certificate.
The problem here is a conflation of privacy and identity – the padlock, HTTPS, and, in some cases, “secure” label shown in browsers are only intended to vouch for privacy (that the connection to the site is encrypted), but site visitors assume a certain level of legitimacy when they see those security indicators.
Scott Helme put it very well in his article when he said:
The "Secure" indicator means that the browser has connected to a server which has presented a valid certificate for the domain name we were connecting to that was issued by a CA that the browser trusts and an encrypted connection has been established. That's it. That's all the green HTTPS in the address bar means. The problem is that many people believe that it means a lot more than that and that it affords the site some kind of credibility.
It seems some method for making the identity behind a website transparent to visitors could go a long way to help with this confusion – some way to say “your submissions are being encrypted AND you’re communicating with who you think you are”. To me, this verified identity information is the real value of EV and why, in my opinion, it is here to stay.
As discussed above, one of the purposes of EV is to identify the legal entity that controls a website. This information is already in the certificate; it’s just a matter of making it easily consumed by the visitor. How this information is presented is another question - I’m not arguing that how it’s done today is the best method or couldn’t be improved – but I think instead of being quick to dismiss EV altogether, we should instead be discussing how to make the most of its strict identity verification processes and potentially improve how this information is presented to visitors...which brings me to my next point regarding browser UI.
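To make concrete what “this information is already in the certificate” means, here is an added Go example; it is not GlobalSign’s code, nor anything from the articles quoted above. It builds self-signed test certificates (constructed data standing in for what a CA would issue), reads the EV identity fields out of the subject, and compares two entities that share a name but not a jurisdiction, which is exactly the situation in the Stripe experiment. The OIDs 2.23.140.1.1 (the CA/Browser Forum EV policy) and 1.3.6.1.4.1.311.60.2.1.3 (jurisdictionOfIncorporationCountryName) are real; the company names, registration numbers, the `IndicatorText` format and the idea that a browser would render the entity that way are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidEVPolicy     = asn1.ObjectIdentifier{2, 23, 140, 1, 1}                  // CA/Browser Forum EV policy
	oidJurisCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3} // jurisdictionOfIncorporationCountryName
)

// EVIdentity holds the legal-entity fields this example reads out of the subject.
type EVIdentity struct {
	IsEV                bool
	Organization        string // subject O
	JurisdictionCountry string // registry the entity is incorporated in
	RegistrationNumber  string // subject serialNumber, not the certificate serial
}

// ExtractEVIdentity reads the identity out of a parsed certificate. IsEV is set only
// when certificatePolicies asserts the EV OID; a DV certificate yields empty fields.
func ExtractEVIdentity(cert *x509.Certificate) EVIdentity {
	var id EVIdentity
	for _, p := range cert.PolicyIdentifiers {
		id.IsEV = id.IsEV || p.Equal(oidEVPolicy)
	}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	id.RegistrationNumber = cert.Subject.SerialNumber
	for _, atv := range cert.Subject.Names { // every subject attribute, standard or not
		if v, ok := atv.Value.(string); ok && atv.Type.Equal(oidJurisCountry) {
			id.JurisdictionCountry = v
		}
	}
	return id
}

// IndicatorText is what a browser could show beside the padlock: name plus registry,
// so two entities that share a name but not a jurisdiction look different (assumed format).
func (id EVIdentity) IndicatorText() string {
	if !id.IsEV {
		return ""
	}
	return fmt.Sprintf("%s [%s] reg. %s", id.Organization, id.JurisdictionCountry, id.RegistrationNumber)
}

// SameLegalEntity compares the whole identity tuple, never the name alone.
func SameLegalEntity(a, b EVIdentity) bool {
	return a.IsEV && b.IsEV && a.Organization == b.Organization &&
		a.JurisdictionCountry == b.JurisdictionCountry && a.RegistrationNumber == b.RegistrationNumber
}

// EVSubject builds an EV-style subject for a made-up entity (constructed data).
func EVSubject(org, country, regNo string) pkix.Name {
	return pkix.Name{
		CommonName: "example.test", Organization: []string{org}, SerialNumber: regNo,
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidJurisCountry, Value: country}},
	}
}

// must panics on error; it keeps the test-data constructor short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MustTestCert self-signs a certificate with the given subject and, when ev is true, a
// certificatePolicies extension asserting the EV OID. It stands in for a CA-issued cert.
func MustTestCert(subject pkix.Name, ev bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{"example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ev { // PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER }
		pol := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	a := ExtractEVIdentity(MustTestCert(EVSubject("Example Payments, Inc.", "US", "C1234567"), true))
	b := ExtractEVIdentity(MustTestCert(EVSubject("Example Payments, Inc.", "GB", "09876543"), true))
	fmt.Println(a.IndicatorText(), "|", b.IndicatorText(), "| same entity:", SameLegalEntity(a, b))
}
```

Run as-is, the two EV identities print with different registries and `SameLegalEntity` reports false: the name matches, the jurisdiction and registration number do not, and the certificate itself carries everything needed to say so. A DV certificate passed through `ExtractEVIdentity` comes back with `IsEV` false and an empty indicator, which is the whole difference between the two certificate types from the visitor’s point of view.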
Taking screenshots straight out of Ian Carroll’s research, you can see that EV SSL looks quite different depending on which browser you are using.
1. Safari – completely hides the URL!! This can’t be good for users who are trying to spot a phishing website.
2. Chrome – at this point in time, Chrome shows EV with the company name in green after the padlock. To view any more details about the company behind the certificate, you have to go through a few mouse clicks and dive into the certificate details.
In the Mozilla discussion group, Ryan Sleevi alluded to the possibility that Chrome may even strip this special treatment from its browser:
As you know, Chrome is still evaluating the value of EV having special UI, as discussed in past CA/Browser Forum meetings. This doesn't opine on the value of EV to the ecosystem overall, but rather, the value in browsers distinguishing such certificates or affording specialized UI.
3. Firefox – unlike Chrome, does allow you to view the city and state of incorporation within two mouse clicks. But as Ian rightly points out, a user would have to know where the company they are ordering from is headquartered before they can check whether this info matches.
It just seems odd that representatives from Google are suggesting removing the EV UI completely when standardizing an EV UI seems like a huge leap into solving the problems associated with its value.
Sure, not everyone would be bothered to check the country and state of the website they are buying from, but with better awareness, maybe we will when we visit major websites like PayPal. Remove EV treatment completely and you have a situation where no Internet user can make a judgment on the legitimacy of a website. Only after someone has been duped will the site enter a phishing filter. I would prefer a world where browser recognition is clear and Internet users are educated on what to look out for, so fewer people are duped and everyone is making decisions based on their own judgement.
Some have argued that EV validation is part of the problem. According to the guidelines, a Certificate Authority (CA) must verify:
- an applicant’s legal existence or identity,
- an applicant’s physical existence,
- an applicant’s operational existence.
An applicant must qualify as a private organization by filing with an incorporating or registration agency in its jurisdiction. In many cases, this will mean that there is a registration number. But as we have seen, it’s very easy to apply and register a business. There are no checks done by the Government Entities on the applicant, but what would they be checking for? That’s where checks two and three come in.
While a CA would check that the business has been registered, there are a few more checks required to make sure the business entity actually exists. Physical existence of the entity can be cheated with a virtual office, so extra checks should now be required to ensure that the location is real and not virtual. A slightly more keen-eyed vetting rep would have looked at Ian Carroll’s application and noticed that the Stripe business location was not quite ‘physical’ (perhaps by looking at Google Maps Street View).
Additionally, and maybe most importantly, the CA/B Forum says that we should be checking a business entity’s operational existence. This ensures the applicant is actually running a business. It doesn’t require us to check if they are running a legally and ethically correct business, but this requirement should have still made a vetting rep question the Stripe application.
At GlobalSign, we pride ourselves on our strict vetting procedures where, at times, we go above and beyond the requirements set out by the CA/B Forum. For example, we have internal procedures that dictate that any company that has been registered for less than a certain time is approached with extra caution. We look at an organization from a holistic point of view and use multiple touchpoints to determine if they are registered, doing business in a physical location and actually operating a business.
Our own Doug Beattie said it in the Mozilla group:
it is in the CA's own best interest to improve the policies and requirements behind EV issuance. The finance industry has regulations generally known as "Know Your Customer" (KYC) that are intended to stave off such things as money laundering, terrorist financing, and such. While not directly applicable to CAs and EV, KYC nonetheless might serve as a model whereby clients are scrutinized before certain actions are permitted by the CA.
For example, it seems indefensible to me that a CA should issue an EV cert to a company that has no prior history and offers only the thinnest of evidence to its legitimacy, as was documented in the original reports. All CAs must do better in that regard. I don't think it's unreasonable for CAs to have a documented, pre-existing relationship with an EV requester prior to the actual EV issuance.
Where Do We Go From Here?
It’s true, we are a big part of our own problem here and that’s why the CA Security Council is banding together to make the EV SSL debate their top priority. Together with the CA/B Forum, changes will be made to impact the value of EV.
I personally think three things need to happen and happen fast:
- EV SSL Certificates need to stop being marketed as a silver bullet against phishing. While they do provide a way for companies to tie their identity to their websites and for visitors to see that identity, which can help distinguish legitimate sites using EV from imposter sites using DV certificates, EV certificates alone cannot, and will not, put an end to phishing.
- Browsers need to work with CAs, not against them. Yes, they are in charge of their products and how their products are seen in the market, but they are also in charge of how Digital Certificates (not their product) are seen in the market. Mozilla and Google both have alliances with Let’s Encrypt and therefore cannot be seen to really care about EV SSL. Something should be done to enforce policy and standardize the UI - padlock for DV, something else for EV, and assurance that URLs will not be obfuscated, as was the case for Safari with EV. This should be discussed in the CA/B Forum.
- Stricter vetting procedures and practices need to be worked on and aligned across all CAs to ensure that more thorough checks are done on an applying organization and that there is little to no chance that a fake or illegitimate company can apply and get an EV SSL Certificate.
Luckily, we have an amazing team of people here at GlobalSign who will be working hard to put provisions in place even before any policy is set. DV is great for ensuring privacy but we also know how important it is to ensure identity in communication too. Protecting Internet users by covering both of these grounds is what we think is needed and we will do our best to fight for this.