
The Power to Revoke Lies with the Certificate Authority - okket
https://scotthelme.co.uk/the-power-to-revoke-lies-with-the-ca/
======
cm2187
On EV certs, Troy Hunt rightly pointed that no one really cares about them and
many major websites (amazon, youtube, facebook) don't even bother:

[https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/](https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/)

~~~
ta76567656
I care :-(

~~~
gruez
Do you? Are you going to stop going to a site because it's missing an EV
certificate?

~~~
ta76567656
No, but if I'm going to log in it forces me to check to make sure the domain
is not something deceptively similar to what I expect, which takes mental
energy and is therefore annoying.

Also, unlike apparently everyone else, I care _who_ I'm communicating with,
not what their domain is.

------
samwillis
Here in the UK there is another problem with EV certs: there is no way of
registering a "trading name" or "doing business as (DBA) name" against a
company, so you can only have an EV cert issued against your actual registered
business name. If that is different from your trading name and what you use as
your domain name then they are less than worthless. For example, if the
company is "Widgets of London Limited" but trades online as "Widgets Online"
with the domain "widgetsonline.com", they can't get an EV cert with "Widgets
Online" as the name - even if they own the registered trademark of it.

~~~
icebraining
Seems like you can, by registering a DUNS number, e.g. "Trade and DBA names
are verified directly with registration agency or through a verified third
party database such as D&B, Bloomberg, or Hoovers."
([https://support.comodo.com/index.php?/Knowledgebase/Article/View/702/0/ev-certificate-validation-checklist](https://support.comodo.com/index.php?/Knowledgebase/Article/View/702/0/ev-certificate-validation-checklist))

~~~
nailer
You're confusing QGIS (the government source) and QIIS (the independent
source) - the OP is correct, you'll need a government registered entry for the
DBA and these don't exist in the UK.

Visit [https://certsimple.com](https://certsimple.com) from the UK and you'll
even see the UI change to remove the DBA option.

Trademarks aren't the same thing as DBAs, but a number of folks would like to
get the EV guidelines extended to include trademarks.

------
solatic
The idea behind EV's (to tie domain ownership to real-world legal entities) is
sound, it's just that the implementation is poor.

If the EV badge identifies a legal entity plus its country of origin, then how
is it supposed to be the CA's fault that there's this leaky abstraction of
multiple legal entities with the same name in the same country? If we have a
good idea and a poor implementation, then the correct response is to fix the
implementation, not throw out the whole idea as fundamentally broken.

Unfortunately, there's also not much that the CAs can do to fix this by
themselves. If we want to have a digital representation of a legal entity's
identity, the best way to do that is to have a first-class digital identity
rather than the hack of a system we have today which attempts to create a
poorly supported, non-portable identity on the basis of emailed paperwork and
phone calls. Such a first class identity - with private keys controlled by the
legal entity, entrusted to the entity when it was first created - will allow
clients to verify the identity against the _source which actually governs it_.

I can understand the privacy concerns surrounding the creation of legal
digital personal identities - the creation of a definitive population ledger
that goes along with it etc. But for _companies_? That the US doesn't have
such a solution for companies in this day and age is just myopic.

~~~
icebraining
But how would that help? Both Stripes would have a valid first class identity
with valid keys. How are clients supposed to then check?

~~~
solatic
In the current system, the client must query the CA that issued the EV cert
for the legal entity data. This presents a number of problems:

a) not all CAs will present enough distinguishing data to the client. Case in
point: "Stripe Inc. [US]"

b) No consensus between CAs as to who will issue a cert for a given legal
entity. In other words, there is such a thing as a CAA record for DNS and DV
certs, but no such thing for EV certs, and therefore no verification flow
for a given legal entity -> which CA is permitted to issue -> which domains
have been certified for that legal entity.

c) No support for more complex identity use cases including name changes,
subsidiaries, brand licensing (this FedEx-looking site is run by Acme Local
Fulfillment Inc. which has been licensed by FedEx to use the FedEx brand),
etc.

Certificate Authorities are not in the business of establishing identity and
so they are fundamentally doomed to doing a poor job of verifying identity.
Instead of trying to coerce CAs into the identity business because of the
inflexible and glacial pace at which government moves, we should be pressuring
government to adopt more modern identification practices.

~~~
icebraining
(a) Actually, the CA sends Stripe's actual business registration number in
Delaware (4675506). It's the browser who chooses what to present.

(b) Why is this a problem?

(c) Is there any evidence of demand for those use cases? How would you even
present them to the users in an understandable way?

_"Certificate Authorities are not in the business of establishing identity
and so they are fundamentally doomed to doing a poor job of verifying
identity."_

I don't see how that follows. In fact, I don't see how that's even possible.
Whenever you do business with any entity besides the national registry - be it
a bank, insurance company, notaries, or even another governmental department -
they have to verify your identity. CAs just happen to give you a digital
affidavit of the results.

 _Instead of trying to coerce CAs into the identity business because of the
inflexible and glacial pace at which government moves, we should be pressuring
government to adopt more modern identification practices._

I disagree; we already have problems with too-big-to-fail CAs; governments are
even worse. A CA can be told "follow the CAB Forum rules or get kicked out".
But you can't distrust a government when they're the only issuer for the sites
of the whole country.

Low coupling is not just good in software development.

------
EVCAca
I agree with the fundamental conclusion that, due to changes in the Internet,
CAs are quickly becoming arbiters of what content is valid or not in the
public's eyes -- a job they aren't ready for and never asked for. The article
linked goes about discussing this issue in a hyperbolic manner and it commits
a few critical thinking mistakes despite arriving at a valid conclusion.

Briefly, I'm going to focus on just one of these. I leave it to the reader to
spot the others.

Ian Carroll got an Extended Validation (EV) for Stripe in another state to
prove that EVs are forge-able. That is, although he followed the guidelines,
he believed those guidelines weren't enough to safeguard an EV.

Then when the Certificate Authority (CA) finds out about this and revokes his
deliberately misleading EV, Scott Helme writes the article linked accusing and
detailing how CAs have too much power, because they can revoke an EV based on
arbitrary decisions. He defines arbitrary decisions as "not following the
guidelines".

To summarize: Ian Carroll abuses the guidelines to register a deceptive EV to
prove that the guidelines aren't enough. Then Scott Helme accuses the CA of
not following its own guidelines and of taking an arbitrary decision to revoke
Carroll's abusive certificate.

They just can't win.

~~~
MichaelGG
Your argument hinges on your word "abuse". Except there's no abuse. Nothing
stops Ian from conducting business legally with that company name. If CAs have
a problem, they need to fix the cert system. What should those guidelines look
like? "You need to have a legal entity, but not one that conflicts with any
big brand names people might know, even if you're legally entitled to conduct
business under that name"?

There was no forgery.

~~~
Scott_Helme_
This is kind of the point really, isn't it? There was no forgery or abuse
here; the certificate was issued in full accordance with the rules set out in
the CA/Browser Forum Baseline Requirements and the EV SSL Guidelines.

If there were any abuse or forgery taking place here the certificate would
have been revoked for those reasons and the CA would be held to account for
mis-issuing a certificate. That's not what happened.

Given the name of the account that made the comment I'm curious about the
affiliation of the author, perhaps they would share that in the interest of
transparency?

------
notatoad
I'm not sure how EV certs have continued to be a thing for so long.

Does anybody trust an EV cert more than a DV cert? It's hard enough to get the
average person to check for the green padlock before they enter their
password, how can we hope to convince anybody to check the company details in
the certificate?

~~~
regecks
I did a contract in a corporate environment where the SSL interception proxy
passed through any site with an EV certificate.

I first noticed that it wasn't intercepting my connection to my bank, and then
after some experimentation, that turned out to be the pattern. Sounds stupid,
but there you go, somebody uses EV as a signal for something.

~~~
crdoconnor
You made me curious - I work at a company that does that.

As it turns out it appears to intercept everything _except_ connections to
major high street banks.

~~~
gruez
I wonder whether they're doing it by IP, DNS, SNI, or certificate, because if
it's by SNI or DNS, it's pretty easy to get past the intercepting proxy.

~~~
crdoconnor
It's by certificate although the company does run an HTTP proxy for techies
that doesn't MITM certs.

These days I can't be bothered to circumvent. If I want to do any sort of
sensitive browsing at work (e.g. online banking) I just tether my laptop to my
phone.

------
z3t4
I think it's fine that they revoked the cert because Ian's site looked exactly
like Stripe. The point he made still stands though: That the EV is pretty much
only lipstick.

~~~
pfg
By "site", are you referring to the actual site, or the EV indicator? Because
the site itself doesn't look anything like Stripe's[1].

[1]: [https://stripe.ian.sh/](https://stripe.ian.sh/)

~~~
icebraining
The Tweet shows part of the site as identical to Stripe's:
[https://twitter.com/iangcarroll/status/940281927789146112](https://twitter.com/iangcarroll/status/940281927789146112)

I think the current look was updated later.

~~~
Scott_Helme_
It was screenshots taken for the purposes of demonstration and wasn't his
publicly hosted site. Do you think that he'd take that kind of risk?

~~~
icebraining
What kind of risk?

------
realusername
I thought they had a bit more background checks for EV certificates but
apparently it looks more like some placebo effect than anything else.

~~~
Operyl
As far as I know, he legitimately had a company named "Stripe, Inc". It was
just registered in a different state.

~~~
realusername
Yeah but I thought EV certificates involved phone calls, manual checks of the
website, some basic security compliance... All the kind of manual paperwork &
background checks that the standard certificate would not do.

~~~
tribby
right. and he passed the checks because his perfectly legitimate company is
also called stripe inc and is also in the US, just in a different state.

now stripe could take this up with the courts about how ian is confusing
consumers and so forth, and they would win. but they didn't - they went
straight to the CAs, and the CAs folded on an arbitrary rather than legal
decision, which is a little concerning, but also not too concerning. the CAs
were probably just alerted to the fact that ian was running a website in
an obvious bid to confuse people, and decided to revoke his cert. and honestly
I think that's a fine, reasonable response to what ian did -- to help protect
people from fraud. what wouldn't be a fine reasonable response is to do the
same if he were in fact doing real business as a different stripe with
non-confusing logos in a different market, not trying to look confusing on
purpose.

there's no reason to be worried about having your legitimate cert revoked
because of things like this, just like there's no reason to be worried about
having your legitimate website kicked off cloudflare because of daily stormer.
ultimately his point is that if EV SSL can do this, it is shit, and on that I
agree.

~~~
ryanlol
>they went straight to the CAs, and the CAs folded on an arbitrary rather than
legal decision, which is a little concerning, but also not too concerning. the
CAs were probably were just alerted to the fact that ian was running a website
in an obvious bid to confuse people, and decided to revoke his cert. and
honestly I think that's a fine, reasonable response to what ian did --

Bullshit.

It is utterly insane to accuse him of running this page in an "obvious bid to
confuse people"
[https://web.archive.org/web/20171211181630/https://stripe.ian.sh/](https://web.archive.org/web/20171211181630/https://stripe.ian.sh/)

It is also utterly ridiculous to describe this as "helping protect people from
fraud". There was no fraud.

>there's no reason to be worried about having your legitimate cert revoked
because of things like this, just like there's no reason to be worried about
having your legitimate website kicked off cloudflare because of daily stormer

FWIW I've had my website kicked off Cloudflare and countless domain names
suspended because a SF BigCo hired a very big international law firm to keep
my site offline at any cost.

I wouldn't put it past them to try and get certificates revoked too, but they
tend to be able to put out enough pressure to get the domain names suspended
pretty fast.

(My site sells legally scraped public data from that BigCo's website, instead
of suing me they prefer to just keep my site offline)

~~~
icebraining
_It is utterly insane to accuse him of running this page in an "obvious bid to
confuse people"_

Scroll down a bit on that page, and you'll see this image:
[https://web.archive.org/web/20171211213402im_/https://stripe.ian.sh/firefox.png](https://web.archive.org/web/20171211213402im_/https://stripe.ian.sh/firefox.png)

Maybe that page was updated later in the day, but before the Web Archive
captured it.

~~~
ryanlol
I'm aware of the image, and even if the page actually looked like that for 10
minutes while he was taking the screenshot I'd still think it's obvious that
his intent was not to confuse people with this site.

[https://crt.sh/?id=393002115&opt=ocsp](https://crt.sh/?id=393002115&opt=ocsp)

Just compare the revocation date and the archive.org date. At best they
revoked the cert after it had been used to serve a completely different site
for many months.

------
paulbarton
EVs are a waste of time. Sites should focus on HSTS, DNSSEC and a CAA record
and all the other things that make a difference and actually provide some
material benefit and some protection to the end user rather than a green
traffic light approach to security.

------
brightball
I always like the idea of what EV Certs are intended to be, I just don't think
the browser exposure to general public users has any value.

Factoring in EV Certs for systems that are scanning the internet and trying to
separate things that might need more validation...think news agencies and the
search engines or social media that distribute their content. This illustrates
both the benefit and the consequence of that model at the same time.

It would be ideal if there were some type of EV appeals committee to deal with
revoked certs that could mandate a revoked EV be reinstated in a situation
like this.

There is a place where using the EV model of more comprehensive verification
can be beneficial...it's just not to the general public in a browser bar.

------
dingo_bat
I don't see the problem. If it was really a phishing site, law enforcement now
has the legal address of your registered company and whatever metadata they
collect as part of incorporation. I'd say EV worked perfectly.

~~~
Promarged
> I'd say EV worked perfectly.

Ian ran a legit site, not phishing, so what's perfect in revoking his EV cert
and not giving back cash?

~~~
dingo_bat
> Ian run a legit site, not phishing

He originally had a site that looked extremely similar to stripe's official
website:
[https://news.ycombinator.com/item?id=16939094](https://news.ycombinator.com/item?id=16939094)

~~~
Scott_Helme_
I can't find any copies of that in any cache showing it was ever actually
online, simply mocked-up photos posted to social media.

~~~
dingo_bat
Posted by Ian himself. Why would he go to the trouble of mocking it up?

~~~
pfg
Presumably to demonstrate that a phishing site using such a certificate would
be visually indistinguishable from the targeted site.

------
peterwwillis
The only thing you need to know about EV is this: If an attacker puts up a
MITM site with a valid DV cert, your browser will be like, cool, let's use
this less-verified cert instead, because a CA signed it, even though the last
time I visited it was an EV cert. Your browser doesn't care, users don't care,
it doesn't actually improve security.

------
SeriousM
When I pay with PayPal I usually ask myself if the website I'm on right now is
genuine. I check if it's https, I check if the name is on the cert (the green
lipstick) and, most important, if my password manager trusts this site by
letting it search for credentials matching the current url. Oh, of course I'm
not on a public wlan... Can't it be easier?

~~~
figgis
1: Look at the domain...
[https://www.paypal.com/.*](https://www.paypal.com/.*)
[https://www.stripe.com/*](https://www.stripe.com/*) etc

2: PayPal/Stripe do have their one touch/sso stuff; if you sign up to that
you'll have at least an indication if things go weird.

Otherwise you are right. It's a problem but it's a problem with the web, not
specifically any payment processors which are all honestly doing anything they
can to make these issues a non-issue.

~~~
mehrdadn
Looking at the domain can be deceiving because of IDN homograph attacks.

~~~
PeterisP
IDN homograph attacks should not be an issue in your address bar - Unicode
letter trickery, e.g. pаypal.com with a Cyrillic а, should be shown as
xn--pypal-4ve.com; it's something that can be solved and is being solved on
the UI level.

~~~
mehrdadn
Oh nice, they've fixed it in every major browser?

~~~
tialaramex
The browser vendors disagree about what the rule should be, to avoid homograph
attacks, but it's reasonable to say that if you suffer a Unicode homograph
attack in your browser, the first people to blame are at the browser vendor.

Some feel that the correct approach is to whitelist TLDs that have a
responsible homograph rule (so, not .com) and show punycode in all other TLDs.
Others want to detect whether a name seems "confusing" by some heuristic and
show the punycode instead only in that case.
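
A simplified model of the two display policies described above (TLD whitelist versus a per-label confusability heuristic), as an added example that is not code from the thread or from any browser. The whitelist contents are constructed for the example, and the heuristic only looks for labels that mix scripts, so it shows the trade-off: a whole-script Cyrillic label slips past the heuristic but not past the whitelist.

```python
import codecs
import unicodedata

# Constructed, illustrative whitelist of TLDs assumed to enforce a homograph
# policy at the registry (the thread notes .com would not qualify). Not a
# real list; any real browser policy is far more detailed than this.
SAFE_TLDS = {"de", "at", "ch"}


def script_of(ch):
    """Script of a letter ('LATIN', 'CYRILLIC', 'GREEK', ...) taken from the
    first word of its Unicode name; None for digits, hyphens, etc."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0]


def to_punycode_label(label):
    """Encode one label the way DNS sees it: pure ASCII passes through,
    anything else becomes an 'xn--' A-label (RFC 3492 punycode)."""
    try:
        label.encode("ascii")
        return label
    except UnicodeEncodeError:
        return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def to_punycode(hostname):
    """Encode every label of a hostname, e.g. pаypal.com -> xn--pypal-4ve.com."""
    return ".".join(to_punycode_label(lab) for lab in hostname.split("."))


def is_mixed_script(label):
    """Heuristic used by the second policy: a label whose letters come from
    more than one script (Latin plus one Cyrillic letter, say) is treated as
    confusable. A label written entirely in one look-alike script is NOT
    caught here, which is exactly why the policies differ."""
    scripts = {script_of(c) for c in label} - {None}
    return len(scripts) > 1


def display_hostname(hostname, policy="heuristic"):
    """Decide what the address bar shows.

    policy='whitelist': Unicode only when the TLD is in SAFE_TLDS,
                        punycode everywhere else.
    policy='heuristic': Unicode unless some label mixes scripts.
    """
    labels = hostname.split(".")
    tld = labels[-1].lower()
    if policy == "whitelist":
        show_unicode = tld in SAFE_TLDS
    else:
        show_unicode = not any(is_mixed_script(lab) for lab in labels)
    return hostname if show_unicode else to_punycode(hostname)


if __name__ == "__main__":
    # Constructed sample: Latin 'paypal' with the first 'a' swapped for
    # Cyrillic U+0430, under .com and under a whitelisted TLD.
    for host in ("p\u0430ypal.com", "p\u0430ypal.de"):
        for pol in ("whitelist", "heuristic"):
            print(f"{pol:9s} {host!r:20s} -> {display_hostname(host, pol)}")
```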

~~~
mehrdadn
Interesting, thanks. Is it difficult to just try to DNS-query for all possible
confusing homographs, and display punycode unless all responses are negative?
Not sure if that would overload DNS servers too much (maybe limit it to 3
characters and display punycode otherwise to avoid exponential blowup?), but
it should be very cacheable.

------
taneq
Revoking lies sounds like an amazing power.

~~~
poizan42
I was also confused for a moment. The title is an example of a garden path
sentence[0]. You get several words into the sentence parsing it one way before
you get to a word that doesn't match your initial parsing, so you have to go
back to the beginning again and reparse it.

[0]: [https://en.wikipedia.org/wiki/Garden_path_sentence](https://en.wikipedia.org/wiki/Garden_path_sentence)

------
LinuxBender
At my work (all B2B SaaS), we have a lot of financial customers that go far
down the rabbit hole with us on security and never once have any of them given
us grief on DV certs. Most of them also use DV certs. What I don't see much of
is LetsEncrypt.

------
ytch
Previous discussion:
[https://news.ycombinator.com/item?id=15904513](https://news.ycombinator.com/item?id=15904513)

------
TazeTSchnitzel
Why don't US EV certs specify the state, if that's important in distinguishing
US company names?

~~~
colanderman
Apparently they do [1]; browsers just choose not to show this.

Though I don't know that most people could tell you in which state Stripe is
registered, even if they know it's _probably_ Delaware. Heck I think a lot of
people could look at the state name, say "hunh, I didn't realize Stripe was a
Montana company!", and proceed to be phished.

[1] [https://news.ycombinator.com/item?id=16939238](https://news.ycombinator.com/item?id=16939238)

------
z3t4
A green security badge is easier to sell than SSL/TLS/encryption.

------
peoplewindow
There are several points in this post but the bulk of it is, I feel, one of
those classic fallacies that journalists or security hobbyists often engage
in:

"I found what looks like a flaw in a system but I didn't try to exploit it for
real, look how clever I am"

So his mate registered a company with the same name as another company and got
an EV cert. Well done. Everyone knew that was possible already, at least
everyone who has gone through the process. It doesn't matter much:

1. Ian wasn't actually a phisher or criminal. If he had been, and had used
that EV cert to phish Stripe customers, he'd have been reported to the police
using the details from the CA and possibly prosecuted. Bear in mind he had to
register a company in the USA, not Kazakhstan.

2. Therefore _in reality_ it is very rare for phishers to use EV SSL
certificates. Actually I've never seen it.

So is this a demo that the system is horribly flawed? I don't think so. It's
rather similar to people who send 10 spams to some accounts they just
registered themselves and claim they've found a way to beat a spam filter so
the whole thing is useless ... well, no, you weren't _actually_ a spammer so
the filter did the right thing. You're testing a flaw you think sounds
realistic but isn't. Another common case of this, someone who beats a DRM
system on a game 6 months after it was released and then talks about how
useless copy protection is, not realising that after 6 months almost all sales
happened already so the system worked just fine from the developer's
perspective.

What about revocation? Is the CA exercising undue control here? Probably not.
CAs have language in the contracts you agree to at the time about how you're
not trying to misrepresent yourself as if you were someone else. Ian's
argument that he registered a name that happens to be identical to a well
known payment processor, but in another state, is _technically_ correct, which
is of course the best kind of correct. But the _underlying purpose_ was
clearly impersonation, which is a violation of the agreements and thus not
only grounds for revocation, but to not do so would rather undermine the whole
system - why should Ian get away with it when others do not?

If stripe.ian.sh had been an actual operating company that happened to have
experienced an unfortunate naming conflict with the other Stripe, I bet the
CAs would not have revoked. They'd have found some reasonable solution -
probably by letting the cert continue, on the grounds that no malicious
behaviour was taking place in violation of the agreements. But it wasn't - it
was just a dummy site.

Overall I don't understand Scott or Ian's point. Yes, legal names aren't
globally unique. Did anyone think they were? Yes, Chrome's EV UI is rubbish
and the big players other than Apple tend to have an institutional dislike of
EV certs because of historical clumsy attempts at market segmentation pricing
by CAs, that were totally unreasonable for companies with lots of servers.
Yes, EV is imperfect.

The alternative though is paypal-customer-centerr.com ... which is better,
how, exactly? It isn't.

If Scott Helme or Ian Carroll don't like how EV works today, why not go find
_actual_ criminal abusers and propose _specific_ improvements that would stop
them - perhaps making Chrome's address bar work more like Safari's. Otherwise
this is just another blog pointing out security stuff that doesn't really
matter.

~~~
tialaramex
"If he had been, and had used that EV cert to phish Stripe customers, he'd
have been reported to the police using the details from the CA and possibly
prosecuted. Bear in mind he had to register a company in the USA, not
Kazakhstan."

Are you _from_ the USA? Or do you believe its propaganda from outside?

You don't need to even be able to point to the USA on a map to set up a US
company and do all this paperwork. You fill out a few forms on a web page, pay
a little bit of money, American lawyers sort everything else out. They keep
some of the money, the State keeps the rest, everybody is happy. Oh, except
your victims. They can call the cops of course, but the State obeyed the law,
and the Lawyer just does paperwork. It's not a crime to be the lawyer for a
crook.

Why don't crooks do this today? Well, there are two answers. For big crimes,
stuff like crooked property deals, they absolutely do this already, it's
completely routine. For a phishing site they don't bother because it's not
necessary. If 90% of visitors to your unsecured
[http://paypal-credit-checking.example/](http://paypal-credit-checking.example/)
fill out the form,
and you get that up to 99% by obtaining a DV certificate for it, why spend
$500 setting up a US corporation for the extra one percent? But if you
persuade everybody EV is great, then sure, that's what they'll do next.

~~~
ryanlol
>For a phishing site they don't bother because it's not necessary.

It also wouldn't scale, domains get blacklisted within minutes or hours,
getting an EV cert takes longer than that.

