
On the Perceived Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt - JoshTriplett
https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/#
======
payne92
I think the history and architecture lesson here is clear: conflating privacy
with trust/identity was a huge mistake.

We could've had a mostly encrypted Internet a long time ago if encryption and
privacy were not hitched to a commercial identity certificate with crappy
maintenance tools.

I hope security architects going forward heed this lesson.

~~~
tptacek
This is a very common complaint, and it's not valid. You cannot have privacy
without some form of trust or identity. Network cryptography doesn't work that
way. We have to assume the adversary controls the network, and so can
manipulate any cryptographic handshake they see.

The "identity" in TLS exists principally in order to prevent network
adversaries from substituting their own keys for those of your intended peer.
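
The substitution attack this comment describes, and why a trusted identity key stops it, as an added example that is not part of the thread. It uses a toy Diffie-Hellman group (the Mersenne prime 2**127 - 1 with generator 3, chosen for readability and not a safe parameter) and stands in for the certificate with a long-term server key the client already trusts; the session key mixes in a DH with that long-term key, so only someone holding the server's private key can derive what the client derives. The third scenario also illustrates the reply below it: if the trust store maps the name to the attacker's key (a misissued certificate), the identity layer no longer helps.

```python
"""Added example (not from the thread): why a key exchange needs an identity.

Toy Diffie-Hellman over the Mersenne prime 2**127 - 1 with generator 3.
These parameters are an assumption chosen for readability and are NOT safe
for real use; the algebra is the same for real groups.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # toy modulus (assumption: readability only, not secure)
G = 3


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(*dh_outputs):
    """Session key = SHA-256 over the fixed-width DH outputs, in order."""
    h = hashlib.sha256()
    for v in dh_outputs:
        h.update(v.to_bytes(16, "big"))
    return h.digest()


def unauthenticated_exchange(attacker=None):
    """Plain DH: each side sends g^x and the key is g^(ab).

    An on-path attacker who supplies its own ephemeral (m, M) in both
    directions ends up sharing a key with each side, and neither side can
    tell, because nothing in the exchange is bound to who the peer is.
    Returns (client_key, server_key, attacker_key_with_client,
    attacker_key_with_server); the attacker entries are None if no attacker.
    """
    a, A = keypair()           # client ephemeral
    b, B = keypair()           # server ephemeral
    if attacker is None:
        return kdf(pow(B, a, P)), kdf(pow(A, b, P)), None, None
    m, M = attacker
    client_key = kdf(pow(M, a, P))     # client received M instead of B
    server_key = kdf(pow(M, b, P))     # server received M instead of A
    return client_key, server_key, kdf(pow(A, m, P)), kdf(pow(B, m, P))


def authenticated_exchange(server_static, trusted_server_pub, attacker=None):
    """DH where the client also does DH with the server's long-term key.

    server_static is the server's (s, S); trusted_server_pub is the key the
    client's trust store says belongs to this server (in TLS, the key a
    certificate binds to the hostname). The session key mixes g^(ab) and
    g^(a*s), so only someone holding s (or a) can derive the client's key.
    attacker is (ephemeral (m, M), static (t, T)) of an on-path adversary.
    Returns (client_key, server_key, attacker_key_with_client,
    attacker_key_with_server).
    """
    s, S = server_static
    a, A = keypair()
    b, B = keypair()
    if attacker is None:
        client_key = kdf(pow(B, a, P), pow(trusted_server_pub, a, P))
        server_key = kdf(pow(A, b, P), pow(A, s, P))
        return client_key, server_key, None, None
    (m, M), (t, T) = attacker
    client_key = kdf(pow(M, a, P), pow(trusted_server_pub, a, P))
    server_key = kdf(pow(M, b, P), pow(M, s, P))
    # Toward the client the attacker can only use keys it holds: m and t.
    attacker_with_client = kdf(pow(A, m, P), pow(A, t, P))
    # Toward the server the attacker simply plays an (anonymous) client.
    attacker_with_server = kdf(pow(B, m, P), pow(S, m, P))
    return client_key, server_key, attacker_with_client, attacker_with_server


if __name__ == "__main__":
    mitm = keypair()
    ck, sk, mc, ms = unauthenticated_exchange(attacker=mitm)
    print("unauthenticated: MITM shares client key:", mc == ck,
          "and server key:", ms == sk)
    server = keypair()
    mitm_static = keypair()
    ck, sk, mc, ms = authenticated_exchange(server, server[1], (mitm, mitm_static))
    print("authenticated, correct trust: MITM shares client key:", mc == ck)
    ck, sk, mc, ms = authenticated_exchange(server, mitm_static[1], (mitm, mitm_static))
    print("authenticated, trust store names the MITM key: MITM shares client key:", mc == ck)
```

Run it and the first line prints True/True, the second False, the third True: the exchange is only as good as the binding between the name and the key the client trusts, which is the job DV/OV/EV validation is supposed to do.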

~~~
ynniv
I think that's only true if your trust system recognizes the attacking key as
valid for the destination. DV seems to prevent that, absent typo squatting.

~~~
wbond
Whenever dealing with financial websites, I am always extremely suspicious of
a website that does not have an EV certificate because of the added level of
scrutiny applied to such certs. The number of mis-issued DV certs, and typos
means that it would be relatively easy to enter banking credentials to a well-
executed phishing site. It is going to be a lot harder to get an EV cert
issued to paypa1.com with “PayPal, Inc. [US]” as the organization.

The only websites that I regularly have anxiousness about entering my
credentials on are Google properties. Since email can be used to reset pretty
much anything, Google is one of the most important sets of credentials to
prevent falling into the wrong hands. Unfortunately they don’t seem to care
about EV certs.

Additionally, app-based OAuth screens with web login prompts regularly give me
pause. I don’t like not being able to see the URL and certificate information.

~~~
tracker1
It's funny, but this is where having a password manager really saves me... if
I don't have a login for a site I use often, I'll really scrutinize it...
sometimes login urls change, but not very often.

------
gok
EV would be a lot more interesting if browser UIs did something useful with
it, but there does seem to be major chicken/egg issue. An alert box which says
"Are you sure you want to send this credit card number to a site that can't
prove it's controlled by a legal entity?" may be useful for phishing
prevention, but no browser would ever implement it until EV is more
widespread.

------
AndyMcConachie
In other news, Comcast is rolling out DANE for SMTP.
[https://mail.sys4.de/pipermail/dane-users/2017-July/000414.html](https://mail.sys4.de/pipermail/dane-users/2017-July/000414.html)

    dig +multi _25._tcp.mx1.comcast.net TLSA

And I'd also note that mail.sys4.de has a TLSA record for HTTPS.

    dig +multi _443._tcp.mail.sys4.de TLSA
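
What a DANE-aware client does with the answer those dig commands return, as an added example that is not part of the thread: parse the `dig +multi` presentation format (usage, selector, matching type, association data), compute the association data for a presented certificate, and pick the record the chain satisfies. The dig output and the "certificate" bytes are constructed stand-ins under an example.net name, not Comcast's or sys4's real records; real DER certificates would be plugged in where the placeholders are.

```python
"""Added example (not from the thread): reading TLSA records and checking a
certificate against them the way a DANE-aware client does (RFC 6698).

The dig output and the certificate bytes below are constructed for the
example; the real records must be fetched with the dig commands in the post.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    owner: str
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_owner(host, port, proto="tcp"):
    """Owner name a client queries, e.g. _25._tcp.mx1.comcast.net."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(dig_answer):
    """Parse TLSA RRs from `dig +multi` presentation format. Handles the
    ( ... ) line continuations dig emits and ignores ; comments."""
    records, buf, depth = [], "", 0
    for line in dig_answer.splitlines():
        line = re.sub(r";.*", "", line)
        depth += line.count("(") - line.count(")")
        buf += " " + line
        if depth == 0 and buf.strip():
            toks = buf.replace("(", " ").replace(")", " ").split()
            buf = ""
            if "TLSA" in toks:
                i = toks.index("TLSA")
                records.append(TLSARecord(
                    owner=toks[0], usage=int(toks[i + 1]),
                    selector=int(toks[i + 2]), mtype=int(toks[i + 3]),
                    data=bytes.fromhex("".join(toks[i + 4:]))))
    return records


def association_data(rec, cert_der, spki_der):
    """What the record's data field must equal for this certificate."""
    obj = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return obj
    if rec.mtype == 1:
        return hashlib.sha256(obj).digest()
    if rec.mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")


def dane_match(records, chain):
    """chain: list of (cert_der, spki_der), leaf first. Returns the first
    record the chain satisfies, else None. Usages 1/3 bind the end-entity
    cert only; usages 0/2 may match any cert in the chain (a trust anchor).
    Usages 0 and 1 additionally require ordinary PKIX validation, which is
    out of scope here."""
    for rec in records:
        candidates = chain[:1] if rec.usage in (1, 3) else chain
        for cert_der, spki_der in candidates:
            if hmac.compare_digest(rec.data, association_data(rec, cert_der, spki_der)):
                return rec
    return None


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEAF = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
ISSUER = (b"constructed issuer certificate DER", b"constructed issuer SPKI DER")
OTHER = (b"some unrelated certificate DER", b"some unrelated SPKI DER")

# Constructed dig +multi output pinning the leaf SPKI (usage 3, selector 1,
# SHA-256) and the issuer certificate (usage 2, selector 0, SHA-256).
SAMPLE_DIG_OUTPUT = f"""\
;; ANSWER SECTION:
_25._tcp.mx1.example.net. 3600 IN TLSA 3 1 1 (
                                {hashlib.sha256(LEAF[1]).hexdigest().upper()} )
_25._tcp.mx1.example.net. 3600 IN TLSA 2 0 1 (
                                {hashlib.sha256(ISSUER[0]).hexdigest().upper()} )
"""

if __name__ == "__main__":
    recs = parse_tlsa(SAMPLE_DIG_OUTPUT)
    print(tlsa_owner("mx1.example.net", 25), "->", dane_match(recs, [LEAF, ISSUER]))
```

The usage field is the part people get wrong: a "3 1 1" record is satisfied by the leaf key alone with no CA in the picture, which is exactly why DANE is an alternative to, not a layer on, the CA system.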

------
philsnow
In the entire article, there is no mention of the (admittedly dangerous [0]
and not entirely foolproof [1]) HPKP header.

HPKP (HTTP Public Key Pinning) is a header you send to browsers telling them
"the only certificates / intermediate certificates you should trust for this
domain are: ABC, XYZ. that's it. if a non-matching cert gets presented for
this domain, go apeshit.".

Using HPKP, you can pin any level of certificate: you can pin your own leaf
certificate that you purchase from whomever (or that you get from Lets
Encrypt), you can pin that vendor's intermediate cert, you can pin that
vendor's root cert, whatever you want. You have to specify at least two pins,
and you can mix and match the level of the pins.

This is a key point: a lot of (all?) CAs have different intermediate
certificates for DV vs EV certificates.

If MyCompany Inc buys an EV Cert from ReputableCertVendor (and another from
IrreproachableCertVendor) and issues HPKP headers pinning to the EV
intermediates of those two vendors, then can't I have a reasonable expectation
that those two companies will take measures to make sure they don't issue EV
certificates for perceptually-similar domain names (and could I win a court
case against them if they did)? Is that level of assurance not what the
exorbitant fees are supposed to go towards?

[0] a colleague of mine calls it the "HPKP footgun"; if you bought a 1 year
cert 10 months ago, start pinning that cert's vendor's intermediate and one
other, and _then those two vendors go out of business the next day_, you are
going to have a really bad day in a couple months when your existing cert
expires (browsers that have visited in the last two months will only honor
certs from those two CAs, but you can't get a new one and your old one is
expired).

[1] HPKP is TOFU (trust on first use, meaning a user/browser has to reach
_your site first_ in order to get the "right" HPKP header. If their first
visit to mycompany.com is sslstripped or otherwise MITMed, that MITM can and
will strip the HPKP header before proxying the response, and then that
user/browser doesn't get the benefit of pinning). AFAIK you can't submit your
own pins to the browser preload lists like you can with HSTS:
[https://security.stackexchange.com/questions/143500/are-there-any-mechanisms-to-preload-http-public-key-pinning](https://security.stackexchange.com/questions/143500/are-there-any-mechanisms-to-preload-http-public-key-pinning)
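
The header mechanics and both footnotes above, as an added example that is not part of the thread: computing a `pin-sha256` value, emitting a Public-Key-Pins header (RFC 7469) with the required backup pin, and a minimal model of a browser's pin store that shows the "footgun" (a chain from an unpinned CA hard-fails until the noted pins expire) and the TOFU gap (nothing is enforced for a host whose first response never carried the header). All SubjectPublicKeyInfo bytes are constructed placeholders, and `mycompany.com` is the hypothetical host from the post.

```python
"""Added example (not from the thread): building and enforcing an HPKP
Public-Key-Pins header (RFC 7469), including the backup-pin rule behind the
'footgun' and the trust-on-first-use gap. SPKI bytes are placeholders."""
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_hpkp_header(spki_ders, max_age, include_subdomains=False, report_uri=None):
    """Server side. A browser only notes pins when at least one of them is
    not in the served chain (a backup), so refuse to emit a header with fewer
    than two distinct pins at all."""
    pins = list(dict.fromkeys(spki_pin(d) for d in spki_ders))
    if len(pins) < 2:
        raise ValueError("need a backup pin: pin at least two distinct keys")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def parse_hpkp_header(value):
    out = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].append(val)
        elif name == "max-age":
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "report-uri":
            out["report_uri"] = val
    return out


class PinStore:
    """Client side: a minimal model of a browser's pin store."""

    def __init__(self):
        self.hosts = {}

    def note(self, host, header_value, chain_spkis, now):
        """Record pins from a response. Accepted only when the header arrived
        over a chain that matches one of its pins AND at least one pin is not
        in that chain (the backup). Returns True if noted."""
        h = parse_hpkp_header(header_value)
        pins, chain = set(h["pins"]), {spki_pin(s) for s in chain_spkis}
        if h["max_age"] is None or not pins & chain or pins <= chain:
            return False
        if h["max_age"] == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = {"pins": pins, "expires": now + h["max_age"]}
        return True

    def validate(self, host, chain_spkis, now):
        """True if the connection may proceed. With nothing noted (first
        visit, or a header stripped on the first visit) there is nothing to
        enforce, which is the TOFU gap."""
        entry = self.hosts.get(host)
        if entry is None or entry["expires"] <= now:
            return True
        return bool(entry["pins"] & {spki_pin(s) for s in chain_spkis})


# Constructed placeholder SPKIs (not real keys).
LEAF_2017 = b"leaf key issued by vendor A"
VENDOR_A_INT = b"vendor A EV intermediate SPKI"
VENDOR_B_INT = b"vendor B EV intermediate SPKI"     # backup pin, never served
VENDOR_C_INT = b"vendor C intermediate SPKI"        # where you end up after the footgun
HEADER = build_hpkp_header([VENDOR_A_INT, VENDOR_B_INT], max_age=60 * 24 * 3600)

if __name__ == "__main__":
    store = PinStore()
    store.note("mycompany.com", HEADER, [LEAF_2017, VENDOR_A_INT], now=0)
    print("same CA next visit:", store.validate("mycompany.com", [LEAF_2017, VENDOR_A_INT], now=1))
    print("new CA after footgun:", store.validate("mycompany.com", [b"new leaf", VENDOR_C_INT], now=1))
    print("first visit, header stripped:", PinStore().validate("mycompany.com", [b"anything"], now=1))
```

Note that `validate` is a pure function of the stored pins, which is the whole point of the footgun: once a browser has noted a 60-day `max-age`, no later response from the server can shorten it unless that response itself passes pin validation.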

~~~
philsnow
Here, I have an idea for how to sell this to the CAs: establish a perceptual
distance metric, and the larger a perceptual distance "moat" a customer wants,
the more you charge them.

then if the customer is google.com, and they've paid for a moat of width 5,
and somebody tries to register these domains:

    domain       distance
    =====================
    google.com   0
    google.co    1
    goegle.com   1
    gargle.com   4
    gaggle.com   9
    example.com  40

then all those with distance <= 5 will get flagged for manual review and the
CA will offer google a chance to +1 or -1 it. The person trying to register
goegle.com can show trademark paperwork to try to override the -1 decision.

OK this is actually not a great idea (too easy to abuse). But what else are
all those sweet, sweet EV cert fees going towards?

~~~
tracker1
Actually, allow the registration of up to 5 distance, including xn--* tlds
translated... then require anyone registering closer than that to have an EV
cert... Have the price set to $20K-$100K/year per order of distance. For a
banking establishment, or mega site, it should be reasonable.

The option for anyone too close would be to get an EV cert... also requiring
EV for any domain within a distance of 4 to alexa top 100, 3 to the alexa top
1000 and 2 to the top 10000 would be a good start.

~~~
infogulch
This sounds awesome. Should greatly help against the biggest phishing threats,
and seems fair for both sides without getting lawyers involved.

My question is how would registrars coordinate this?

~~~
philsnow
> My question is how would registrars coordinate this?

A few of them get together and make a pact about how to measure similarity,
then convince browser vendors to treat their certificates specially (triple
padlocks!! 3 > 1, must be safer!!)?

------
zokier
While incidental to the bigger point, I'd point out that I went and actually
checked 8 banks in my country (which represents pretty much the whole banking
sector afaik); every single one of them has an EV cert on landing page. Two of
them (smaller ones) did not automatically upgrade my connection to https on
landing page, which tarnishes the result a bit, but overall I'd say the situation
is fairly good. Also all the names that appeared on address bars here were
sensible/expected ones, which is not always the case.

------
coding123
Regarding tech people knowing ev vs non-ev, there are very few companies that
need to know about them at all: the ones that get more than 10k hits per day
through a login. And if you work at say Apple a different team would be taking
care of certs, not everyday programmers, so we're talking a small percentage
of the tech crowd that needs to know about EV certs.

------
mrunkel
I find that EV certs are valued by web marketers and nobody else. It gets
written down on a project spec because they read it's "more secure" and the IT
team goes through the hoops of providing the very expensive EV cert.

A few years later (upon renewal time), it gets swapped out for a "normal" cert
and nobody notices.

~~~
daxorid
> I find that EV certs are valued by web marketers and nobody else

Fun fact: it was actually our marketing department that nixed our EV cert, on
the grounds that having the company's legal name in the address bar would be
"confusing" to customers who expected to only see the domain name.

~~~
walrus01
This sort of makes sense, and is something to plan for when incorporating or
licensing a new LLC. If you're going to have an online website that is
[https://widgets.com](https://widgets.com), try to get your new company name
to be as close to Widgets Incorporated as possible.

------
the_common_man
Does an EV cert play any role in SEO?

~~~
hbcondo714
Yes, according to my former employer's marketing director but I never actually
saw any evidence of this.

------
petraeus
If you are a top 10 site you won't need an EV, but if you are in a small
business in a competitive market it could help.

~~~
BraveNewCurency
> if you are in a small business in a competitive market it could help.

Sure, it "could help". But let's say there are 2 identical sites. One site
upgrades from DV to EV. The other site takes the same money and invests it in
a Graphics Designer to make their home page look nicer.

Which one will sell more product? I'll put my money on the nicer-looking site
every time.

~~~
nsgi
Depends whether the redesign was actually necessary. Websites and software UIs
are often redesigned simply because the powers that be are bored with the
existing design (through familiarity). The users either don't use the site
enough to notice, or are annoyed with the new design because they have to re-
learn how to use the software. If it is effective, an EV certificate may have
a more positive impact than a redesign which just serves to provide a change
of scenery for the developers/management.

------
Animats
One problem with Let's Encrypt is that it discourages OV ("organization
validated") certs in favor of DV ("domain control only validated") certs. With
many of the commercial vendors, you get organizational info in a cert,
indicating who you're talking to. A DV cert doesn't have that, and is only one
step up from self-signed.

~~~
ancarda
Do they discourage or just not support? I've never seen Let's Encrypt claim OV
is pointless or anything like that.

However, what are the benefits of OV though? From checking Google, they seem
to display as regular DV certificates but have additional information in the
certificate. I don't think anyone actually looks at the certificate if you
have most users not even being aware of how EV SSL is shown.

~~~
Animats
I know; OV never really caught on. I use them with SiteTruth to read site
ownership and look up information about the company. This doesn't work for
Let's Encrypt sites. I think that if you're accepting money, you should have
at least an OV cert. Most shopping sites do.

