The Power to Revoke Lies with the Certificate Authority (scotthelme.co.uk)
171 points by okket on Apr 27, 2018 | hide | past | web | favorite | 80 comments



On EV certs, Troy Hunt rightly pointed out that no one really cares about them and many major websites (Amazon, YouTube, Facebook) don't even bother:

https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...


Well that certainly makes me feel a lot better about cheaping out on non-EV certs. Thanks for sharing.


I care :-(


Do you? Are you going to stop going to a site because it's missing an EV certificate?


No, but if I'm going to log in it forces me to check to make sure the domain is not something deceptively similar to what I expect, which takes mental energy and is therefore annoying.

Also, unlike apparently everyone else, I care who I'm communicating with, not what their domain is.


Here in the UK there is another problem with EV certs: there is no way of registering a "trading name" or "doing business as" (DBA) name against a company, so you can only have an EV cert issued against your actual registered business name. If that is different from your trading name and what you use as your domain name, then they are less than worthless. For example, if the company is "Widgets of London Limited" but trades online as "Widgets Online" with the domain "widgetsonline.com", they can't get an EV cert with "Widgets Online" as the name - even if they own the registered trademark for it.


Seems like you can, by registering a DUNS number, e.g. "Trade and DBA names are verified directly with registration agency or through a verified third party database such as D&B, Bloomberg, or Hoovers." (https://support.comodo.com/index.php?/Knowledgebase/Article/...)


You're confusing QGIS (the government source) and QIIS (the independent source) - the OP is correct, you'll need a government registered entry for the DBA and these don't exist in the UK.

Visit https://certsimple.com from the UK and you'll even see the UI change to remove the DBA option.

Trademarks aren't the same thing as DBAs, but a number of folks would like to get the EV guidelines extended to include trademarks.


Isn't the point of having "Limited" on your name to warn potential creditors that you're allowed to take their money and run? So hiding it seems to defeat the purpose of having it in the first place.


The idea behind EVs (to tie domain ownership to real-world legal entities) is sound; it's just that the implementation is poor.

If the EV badge identifies a legal entity plus its country of origin, then how is it supposed to be the CA's fault that there's this leaky abstraction of multiple legal entities with the same name in the same country? If we have a good idea and a poor implementation, then the correct response is to fix the implementation, not throw out the whole idea as fundamentally broken.

Unfortunately, there's also not much that the CAs can do to fix this by themselves. If we want to have a digital representation of a legal entity's identity, the best way to do that is to have a first-class digital identity rather than the hack of a system we have today which attempts to create a poorly supported, non-portable identity on the basis of emailed paperwork and phone calls. Such a first class identity - with private keys controlled by the legal entity, entrusted to the entity when it was first created - will allow clients to verify the identity against the source which actually governs it.

I can understand the privacy concerns surrounding the creation of legal digital personal identities - the creation of a definitive population ledger that goes along with it etc. But for companies? That the US doesn't have such a solution for companies in this day and age is just myopic.


But how would that help? Both Stripes would have a valid first class identity with valid keys. How are clients supposed to then check?


In the current system, the client must query the CA that issued the EV cert for the legal entity data. This presents a number of problems:

a) not all CAs will present enough distinguishing data to the client. Case in point: "Stripe Inc. [US]"

b) No consensus between CAs as to who will issue a cert for a given legal entity. In other words, there is such a thing as a CAA record for DNS and DV certs, but no such thing for EV certs and therefore no verification flow for a given legal entity -> which CA is permitted to issue -> which domains have been certified for that legal entity

c) No support for more complex identity use cases including name changes, subsidiaries, brand licensing (this FedEx-looking site is run by Acme Local Fulfillment Inc. which has been licensed by FedEx to use the FedEx brand), etc.

Certificate Authorities are not in the business of establishing identity and so they are fundamentally doomed to doing a poor job of verifying identity. Instead of trying to coerce CAs into the identity business because of the inflexible and glacial pace at which government moves, we should be pressuring government to adopt more modern identification practices.


(a) Actually, the CA sends Stripe's actual business registration number in Delaware (4675506). It's the browser that chooses what to present.

(b) Why is this a problem?

(c) Is there any evidence of demand for those use cases? How would you even present them to the users in an understandable way?

"Certificate Authorities are not in the business of establishing identity and so they are fundamentally doomed to doing a poor job of verifying identity."

I don't see how that follows. In fact, I don't see how that's even possible. Whenever you do business with any entity besides the national registry - be it a bank, an insurance company, a notary, or even another governmental department - they have to verify your identity. CAs just happen to give you a digital affidavit of the results.

> Instead of trying to coerce CAs into the identity business because of the inflexible and glacial pace at which government moves, we should be pressuring government to adopt more modern identification practices.

I disagree; we already have problems with too-big-to-fail CAs; governments are even worse. A CA can be told "follow the CAB Forum rules or get kicked out". But you can't distrust a government when they're the only issuer for the sites of the whole country.

Low coupling is not just good in software development.


At least it could allow automating retrieving public information of the actual entity by whatever system checks the certification. Now, how to interact with the user to improve cognisance of the entity considered based on the newly available data is another problem.


The certificate itself already automates the retrieval of public information. For example, Paypal's cert includes its full address, which has been verified by the CA:

    PayPal, Inc.
    Street: 2211 N 1st St
    Locality: San Jose
    State: California
    Postal Code: 95131-2021
    Registered: Delaware, US

And we could include other information if we needed.


Indeed, for organisations that have one, the serial number field for the Subject (not to be confused with the serial number of the _certificate_) will be a unique number in some register of companies. In the UK you can mechanically turn those into a URL that gives you the (meagre) Companies House listing; there's no reason the same couldn't be true in the US.

For PayPal this number is 3014267 and it'll be their registration number with the state of Delaware.

The EV rules require a CA to figure out if there is such a number and if so fill it in on the certificate. If there is no number, they're supposed to write something else (a registration date maybe? I don't remember)

(Sometimes a country has some companies that are so crazy old they pre-date the idea of registering companies, or turn out not to exist in their company register because the country created them by passing a law instead of formally registering them, or whatever, and these don't have serial numbers, e.g. I wouldn't be surprised if the Bank of England has no registered company number)


>If we have a good idea and a poor implementation, then the correct response is to fix the implementation, not throw out the whole idea as fundamentally broken.

The point is, nobody wants to fix it, because CAs are still making money.


I agree with the fundamental conclusion that, due to changes in the Internet, CAs are quickly becoming arbiters of what content is valid or not in the public's eyes -- a job they aren't ready for and never asked for. The article linked goes about discussing this issue in a hyperbolic manner and it commits a few critical thinking mistakes despite arriving at a valid conclusion.

Briefly, I'm going to focus on just one of these. I leave it to the reader to spot the others.

Ian Carroll got an Extended Validation (EV) certificate for Stripe in another state to prove that EVs are forgeable. That is, although he followed the guidelines, he believed those guidelines weren't enough to safeguard an EV.

Then when the Certificate Authority (CA) finds out about this and revokes his deliberately misleading EV, Scott Helme writes the article linked accusing and detailing how CAs have too much power, because they can revoke an EV based on arbitrary decisions. He defines arbitrary decisions as "not following the guidelines".

To summarize: Ian Carroll abuses the guidelines to register a deceptive EV to prove that the guidelines aren't enough. Then Scott Helme accuses the CA of not following its own guidelines and of taking an arbitrary decision to revoke Carroll's abusive certificate.

They just can't win.


Your argument hinges on your word "abuse". Except there's no abuse. Nothing stops Ian from conducting business legally with that company name. If CAs have a problem, they need to fix the cert system. What should those guidelines look like? "You need to have a legal entity, but not one that conflicts with any big brand names people might know, even if you're legally entitled to conduct business under that name"?

There was no forgery.


This is kind of the point really, isn't it? There was no forgery or abuse here; the certificate was issued in full accordance with the rules set out in the CA/Browser Forum Baseline Requirements and the EV SSL Guidelines.

If there were any abuse or forgery taking place here the certificate would have been revoked for those reasons and the CA would be held to account for mis-issuing a certificate. That's not what happened.

Given the name of the account that made the comment I'm curious about the affiliation of the author, perhaps they would share that in the interest of transparency?


He requested an EV certificate for his legal business name. He didn't cheat anything here and both Comodo and GoDaddy concluded that he met all of the requirements to receive an EV certificate. When multiple different companies all conduct the due diligence necessary to issue an EV certificate and come to the same conclusion, I think it's fair to say that he should have an EV certificate for Stripe as that is his legitimate legal business name.


I'm not sure how EV certs have continued to be a thing for so long.

Does anybody trust an EV cert more than a DV cert? It's hard enough to get the average person to check for the green padlock before they enter their password, how can we hope to convince anybody to check the company details in the certificate?


I did a contract in a corporate environment where the SSL interception proxy passed through any site with an EV certificate.

I first noticed that it wasn't intercepting my connection to my bank, and then after some experimentation, that turned out to be the pattern. Sounds stupid, but there you go, somebody uses EV as a signal for something.


You made me curious - I work at a company that does that.

As it turns out it appears to intercept everything except connections to major high street banks.


I wonder whether they're doing it by IP, DNS, SNI, or certificate. Because if it's by SNI or DNS, it's pretty easy to get past the intercepting proxy.


It's by certificate although the company does run an HTTP proxy for techies that doesn't MITM certs.

These days I can't be bothered to circumvent. If I want to do any sort of sensitive browsing at work (e.g. online banking) I just tether my laptop to my phone.


In my experience, EV certs are not a technical thing but a marketing thing. EV certs show your name in the address bar, so it's certainly more visible. If an EV cert boosts sales by 1% and costs $500 a year, then it will make sense for even the smallest webshop. And as long as this is the case, there will be a market for EV certs.


Ordinary SSL certificates only require you to have access to the domain's DNS records, or to the server they point to. They only prevent MITM attacks, and you cannot really know who is behind some domain.

With EV certs, you can be assured that it actually belongs to the company it claims to belong to. If I see "PayPal, Inc. (US)" in the address bar, I'm sure I'm accessing the correct server. However, I didn't really know that business names are not unique between different US states, but I assume this is not the case for other countries.

The issue with EV certs is how they are presented in the browser, since they are indistinguishable from ordinary certs, at least to the majority of users.


> However, I didn't really know that business names are not unique between different US states, but I assume this is not the case for other countries.

Uniqueness of business entity names is something you should never ever assume or rely on.


> I'm not sure how EV certs have continued to be a thing for so long.

EV certs are currently the cash cow of certificate authorities. If you took away EV certs it would become apparent that there's no valid business model for CAs any more.

So the whole CA industry kinda depends on keeping the illusion that EV is a valid concept.


Yes, but only for banks, Government services and things like that.

I really wouldn't care for a web shop etc.


I think it's fine that they revoked the cert because Ian's site looked exactly like Stripe. The point he made still stands though: That the EV is pretty much only lipstick.


By "site", are you referring to the actual site, or the EV indicator? Because the site itself doesn't look anything like Stripe's[1].

[1]: https://stripe.ian.sh/


The tweet shows part of the site as identical to Stripe's: https://twitter.com/iangcarroll/status/940281927789146112

I think the current look was updated later.


It was screenshots taken for the purposes of demonstration and wasn't his publicly hosted site. Do you think that he'd take that kind of risk?


What kind of risk?


I thought they had a bit more background checks for EV certificates but apparently it looks more like some placebo effect than anything else.


As far as I know, he legitimately had a company named "Stripe, Inc". It was just registered in a different state.


Yeah but I thought EV certificates involved phone calls, manual checks of the website, some basic security compliance... All the kind of manual paperwork & background checks that the standard certificate would not do.


Right. And he passed the checks because his perfectly legitimate company is also called Stripe Inc and is also in the US, just in a different state.

Now Stripe could take this up with the courts about how Ian is confusing consumers and so forth, and they would win. But they didn't - they went straight to the CAs, and the CAs folded on an arbitrary rather than legal decision, which is a little concerning, but also not too concerning. The CAs were probably just alerted to the fact that Ian was running a website in an obvious bid to confuse people, and decided to revoke his cert. And honestly I think that's a fine, reasonable response to what Ian did -- to help protect people from fraud. What wouldn't be a fine, reasonable response is to do the same if he were in fact doing real business as a different Stripe with non-confusing logos in a different market, not trying to look confusing on purpose.

There's no reason to be worried about having your legitimate cert revoked because of things like this, just like there's no reason to be worried about having your legitimate website kicked off Cloudflare because of Daily Stormer. Ultimately his point is that if EV SSL can do this, it is shit, and on that I agree.


> they went straight to the CAs, and the CAs folded on an arbitrary rather than legal decision, which is a little concerning, but also not too concerning. The CAs were probably just alerted to the fact that Ian was running a website in an obvious bid to confuse people, and decided to revoke his cert. And honestly I think that's a fine, reasonable response to what Ian did --

Bullshit.

It is utterly insane to accuse him of running this page in an "obvious bid to confuse people" https://web.archive.org/web/20171211181630/https://stripe.ia...

It is also utterly ridiculous to describe this as "helping protect people from fraud". There was no fraud.

>there's no reason to be worried about having your legitimate cert revoked because of things like this, just like there's no reason to be worried about having your legitimate website kicked off cloudflare because of daily stormer

FWIW I've had my website kicked off Cloudflare and countless domain names suspended because a SF BigCo hired a very big international law firm to keep my site offline at any cost.

I wouldn't put it past them to try and get certificates revoked too, but they tend to be able to put out enough pressure to get the domain names suspended pretty fast.

(My site sells legally scraped public data from that BigCo's website, instead of suing me they prefer to just keep my site offline)


> It is utterly insane to accuse him of running this page in an "obvious bid to confuse people"

Scroll down a bit on that page, and you'll see this image: https://web.archive.org/web/20171211213402im_/https://stripe...

Maybe that page was updated later in the day, but before the Web Archive captured it.


I'm aware of the image, and even if the page actually looked like that for 10 minutes while he was taking the screenshot I'd still think it's obvious that his intent was not to confuse people with this site.

https://crt.sh/?id=393002115&opt=ocsp

Just compare the revocation date and the archive.org date. At best they revoked the cert after it had been used to serve a completely different site for many months.


> Bullshit.

No, not bullshit. See the screenshots in this thread and the tweet in the post itself where the two Stripe sites are compared side by side. Making a "look how useless EV SSL is" site through a phishing example isn't a good strategy for maintaining an EV SSL cert, clearly. He was practically asking them to revoke it, and they gave him what he wanted.

> (My site sells legally scraped public data from that BigCo's website, instead of suing me they prefer to just keep my site offline)

It sounds reasonable that Cloudflare kicked you off, too. You may not be breaking the law, but you're not respecting BigCo's terms of service and you can't expect a red carpet given the nature of the business you're in. Seems like an interesting/fun game of cat and mouse, in any case :)

I'd be much more worried about this kind of thing if it were happening to good/neutral actors. But as presented it just seems like the centralized internet doing a pretty OK job of policing itself.


>the screenshots in this thread and the tweet in the post itself where the two stripe sites are compared side by side

It's not at all clear whether or not the page was ever publicly accessible like that. It certainly doesn't appear that he was distributing the link to the page if/when it looked like that.

https://web.archive.org/web/20171211181630/https://stripe.ia...

https://crt.sh/?id=393002115&opt=ocsp

The site looked like this for at least 4 months until the cert was revoked.

"obvious bid to confuse people" was a pretty harsh accusation, and you have essentially nothing to back it up.

>site through a phishing example

Even if he had copied the Stripe page, that still wouldn't make it phishing.


> It is utterly insane to accuse him of running this page in an "obvious bid to confuse people" [...]

And what about this? https://stripe.ian.sh/firefox.png


That's called using developer tools to create a mockup of a page.


> they went straight to the CAs

Is there any evidence that Stripe had anything to do with this?


EVs are a waste of time. Sites should focus on HSTS, DNSSEC and a CAA record and all the other things that make a difference and actually provide some material benefit and some protection to the end user rather than a green traffic light approach to security.


I always like the idea of what EV Certs are intended to be, I just don't think the browser exposure to general public users has any value.

Factoring in EV Certs for systems that are scanning the internet and trying to separate things that might need more validation...think news agencies and the search engines or social media that distribute their content. This illustrates both the benefit and the consequence of that model at the same time.

It would be ideal if there were some type of EV appeals committee to deal with revoked certs that could mandate a revoked EV be reinstated in a situation like this.

There is a place where using the EV model of more comprehensive verification can be beneficial...it's just not to the general public in a browser bar.


I don't see the problem. If it was really a phishing site, law enforcement now has the legal address of your registered company and whatever metadata they collect as part of incorporation. I'd say EV worked perfectly.


> I'd say EV worked perfectly.

Ian ran a legit site, not phishing, so what's perfect in revoking his EV cert and not giving back the cash?


> Ian ran a legit site, not phishing

He originally had a site that looked extremely similar to Stripe's official website: https://news.ycombinator.com/item?id=16939094


I can't find any copies of that in any cache showing it was ever actually online, simply mocked-up photos posted to social media.


Posted by Ian himself. Why would he go to the trouble of mocking it up?


Presumably to demonstrate that a phishing site using such a certificate would be visually indistinguishable from the targeted site.


There's a difference between resolving something locally or setting up a demo for the purposes of capturing screenshots and having a website resolve on the public Internet and serve that content.


The only thing you need to know about EV is this: If an attacker puts up a MITM site with a valid DV cert, your browser will be like, cool, let's use this less-verified cert instead, because a CA signed it, even though the last time I visited it was an EV cert. Your browser doesn't care, users don't care, it doesn't actually improve security.


When I pay with PayPal I usually ask myself if the website I'm on right now is genuine. I check if it's HTTPS, I check if the name is on the cert (the green lipstick) and, most important, if my password manager trusts this site by letting it search for credentials matching the current URL. Oh, of course I'm not on a public WLAN... Can't it be easier?


What's the reason a public WLAN is important? Isn't the whole point of HTTPS to avoid man-in-the-middle attacks?


1: Look at the domain... https://www.paypal.com/.* https://www.stripe.com/* etc

2: PayPal/Stripe do have their one touch/SSO stuff; if you sign up for that you'll have at least an indication if things go weird.

Otherwise you are right. It's a problem but it's a problem with the web, not specifically any payment processors which are all honestly doing anything they can to make these issues a non-issue.


Looking at the domain can be deceiving because of IDN homograph attacks.


IDN homograph attacks should not be an issue in your address bar - Unicode letter trickery, e.g. pаypal.com with a Cyrillic а, should be shown as xn--pypal-4ve.com; it's something that can be solved and is being solved at the UI level.


IDN is not that simple. Sometimes you want punycode (flüge.de) sometimes you don't (xn--pypal-4ve.com).

It's not like you can just disable punycode for all sites, because now you just create a new phishing risk for those sites that used it (xn--pypal-something and xn--flge-something look close enough).


Oh nice, they've fixed it in every major browser?


The browser vendors disagree about what the rule should be, to avoid homograph attacks, but it's reasonable to say that if you suffer a Unicode homograph attack in your browser, the first people to blame are at the browser vendor.

Some feel that the correct approach is to whitelist TLDs that have a responsible homograph rule (so, not .com) and show punycode in all other TLDs. Others want to detect whether a name seems "confusing" by some heuristic and show the punycode instead only in that case.
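The two address-bar policies described here (a TLD allowlist versus a mixed-script heuristic) side by side, as an added Python example that is not from the thread or from any browser; the stdlib `idna` codec does the punycode work, while the script classification from Unicode character names and the contents of `ASSUMED_SAFE_TLDS` are simplifying assumptions, not any real browser's rules:

```python
import unicodedata

# Characters that belong to no particular script and so never count as "mixing":
# digits and the hyphen, the only non-letters allowed in a hostname label.
COMMON_NAME_PREFIXES = ("DIGIT", "HYPHEN-MINUS")

# Assumed allowlist for the "tld-allowlist" policy: registries presumed to enforce
# a sane homograph policy of their own. Illustrative only, not any browser's list.
ASSUMED_SAFE_TLDS = {"de", "at", "ch"}


def to_ascii(hostname: str) -> str:
    """Encode a hostname to its ACE (xn--) form with the stdlib IDNA codec.
    Labels that are already ASCII pass through unchanged."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Decode an ACE hostname back to Unicode; plain ASCII labels come back as-is."""
    return hostname.encode("ascii").decode("idna")


def scripts_of_label(label: str) -> set:
    """Approximate the set of scripts in one label from Unicode character names:
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC', 'LATIN SMALL LETTER U WITH DIAERESIS' -> 'LATIN'."""
    scripts = set()
    for ch in label:
        first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        if first_word not in COMMON_NAME_PREFIXES:
            scripts.add(first_word)
    return scripts


def is_mixed_script(label: str) -> bool:
    """True when a single label draws letters from more than one script."""
    return len(scripts_of_label(label)) > 1


def display_form(hostname: str, policy: str = "mixed-script") -> str:
    """Return what the address bar should show for `hostname`.

    policy="mixed-script": show Unicode unless some label mixes scripts (the
        heuristic approach); then fall back to punycode so the spoof is visible.
    policy="tld-allowlist": show Unicode only under TLDs assumed to police
        homographs themselves; punycode everywhere else.
    Either form of the hostname (Unicode or xn--) is accepted as input.
    """
    ascii_host = to_ascii(hostname)
    unicode_host = to_unicode(ascii_host)
    labels = unicode_host.split(".")

    if policy == "mixed-script":
        spoof_risk = any(is_mixed_script(label) for label in labels)
    elif policy == "tld-allowlist":
        spoof_risk = labels[-1].lower() not in ASSUMED_SAFE_TLDS
    else:
        raise ValueError("unknown policy: " + policy)

    # A hostname that was pure ASCII to begin with is shown as-is under any policy.
    if unicode_host == ascii_host:
        return ascii_host
    return ascii_host if spoof_risk else unicode_host


if __name__ == "__main__":
    # Constructed sample hostnames: the Cyrillic-a spoof from the thread, a German
    # IDN that legitimately needs Unicode, and a plain ASCII name.
    for host in ("p\u0430ypal.com", "fl\u00fcge.de", "paypal.com"):
        for policy in ("mixed-script", "tld-allowlist"):
            print(f"{host!r:22} {policy:14} -> {display_form(host, policy)}")
```

Note that the TLD allowlist hides the German site under .com while the mixed-script rule shows it everywhere; neither policy alone catches a spoof built entirely from one foreign script, which is why browsers layer several checks.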


Interesting, thanks. Is it difficult to just try to DNS-query for all possible confusing homographs, and display punycode unless all responses are negative? Not sure if that would overload DNS servers too much (maybe limit it to 3 characters and display punycode otherwise to avoid exponential blowup?), but it should be very cacheable.


Firefox users can visit about:config and manually set the value "network.IDN_show_punycode" to True, to fix this. Tested and working, and I'm not sure why this isn't already the default for users whose language setting is English.


IMHO not yet on every browser, but as long as you know that it's fixed in your browser, checking the domain name in the address bar will work for you.


Revoking lies sounds like an amazing power.


I was also confused for a moment. The title is an example of a garden path sentence[0]. You get several words into the sentence parsing it one way before you get to a word that doesn't match your initial parsing, so you have to go back to the beginning again and reparse it.

[0]: https://en.wikipedia.org/wiki/Garden_path_sentence


At my work (all B2B SaaS), we have a lot of financial customers that go far down the rabbit hole with us on security and never once have any of them given us grief on DV certs. Most of them also use DV certs. What I don't see much of is Let's Encrypt.



Why don't US EV certs specify the state, if that's important in distinguishing US company names?


Apparently they do [1]; browsers just choose not to show this.

Though I don't know that most people could tell you in which state Stripe is registered, even if they know it's probably Delaware. Heck I think a lot of people could look at the state name, say "hunh, I didn't realize Stripe was a Montana company!", and proceed to be phished.

[1] https://news.ycombinator.com/item?id=16939238


A green security badge is easier to sell than SSL/TLS/encryption.


There are several points in this post but the bulk of it is, I feel, one of those classic fallacies that journalists or security hobbyists often engage in:

"I found what looks like a flaw in a system but I didn't try to exploit it for real, look how clever I am"

So his mate registered a company with the same name as another company and got an EV cert. Well done. Everyone knew that was possible already, at least everyone who has gone through the process. It doesn't matter much:

1. Ian wasn't actually a phisher or criminal. If he had been, and had used that EV cert to phish Stripe customers, he'd have been reported to the police using the details from the CA and possibly prosecuted. Bear in mind he had to register a company in the USA, not Kazakhstan.

2. Therefore in reality it is very rare for phishers to use EV SSL certificates. Actually I've never seen it.

So is this a demo that the system is horribly flawed? I don't think so. It's rather similar to people who send 10 spams to some accounts they just registered themselves and claim they've found a way to beat a spam filter so the whole thing is useless ... well, no, you weren't actually a spammer so the filter did the right thing. You're testing a flaw you think sounds realistic but isn't. Another common case of this: someone who beats a DRM system on a game 6 months after it was released and then talks about how useless copy protection is, not realising that after 6 months almost all sales happened already so the system worked just fine from the developer's perspective.

What about revocation? Is the CA exercising undue control here? Probably not. CAs have language in the contracts you agree to at the time about how you're not trying to misrepresent yourself as if you were someone else. Ian's argument that he registered a name that happens to be identical to a well known payment processor, but in another state, is technically correct, which is of course the best kind of correct. But the underlying purpose was clearly impersonation, which is a violation of the agreements and thus not only grounds for revocation, but to not do so would rather undermine the whole system - why should Ian get away with it when others do not?

If stripe.ian.sh had been an actual operating company that happened to have experienced an unfortunate naming conflict with the other Stripe, I bet the CAs would not have revoked. They'd have found some reasonable solution - probably by letting the cert continue, on the grounds that no malicious behaviour was taking place in violation of the agreements. But it wasn't - it was just a dummy site.

Overall I don't understand Scott or Ian's point. Yes, legal names aren't globally unique. Did anyone think they were? Yes, Chrome's EV UI is rubbish and the big players other than Apple tend to have an institutional dislike of EV certs because of historical clumsy attempts at market segmentation pricing by CAs, that were totally unreasonable for companies with lots of servers. Yes, EV is imperfect.

The alternative though is paypal-customer-centerr.com ... which is better, how, exactly? It isn't.

If Scott Helme or Ian Carroll don't like how EV works today, why not go find actual criminal abusers and propose specific improvements that would stop them - perhaps making Chrome's address bar work more like Safari's. Otherwise this is just another blog pointing out security stuff that doesn't really matter.


"If he had been, and had used that EV cert to phish Stripe customers, he'd have been reported to the police using the details from the CA and possibly prosecuted. Bear in mind he had to register a company in the USA, not Kazakhstan."

Are you _from_ the USA? Or do you believe its propaganda from outside?

You don't need to even be able to point to the USA on a map to set up a US company and do all this paperwork. You fill out a few forms on a web page, pay a little bit of money, American lawyers sort everything else out. They keep some of the money, the State keeps the rest, everybody is happy. Oh, except your victims. They can call the cops of course, but the State obeyed the law, and the Lawyer just does paperwork. It's not a crime to be the lawyer for a crook.

Why don't crooks do this today? Well, there are two answers. For big crimes, stuff like crooked property deals, they absolutely do this already, it's completely routine. For a phishing site they don't bother because it's not necessary. If 90% of visitors to your unsecured http://paypal-credit-checking.example/ fill out the form, and you get that up to 99% by obtaining a DV certificate for it, why spend $500 setting up a US corporation for the extra one percent? But if you persuade everybody EV is great, then sure, that's what they'll do next.


>For a phishing site they don't bother because it's not necessary.

It also wouldn't scale, domains get blacklisted within minutes or hours, getting an EV cert takes longer than that.




