Interesting People mailing list archives
More on Re: Warning: Microsoft/Verisign scam on the horizon
From: David Farber <dave () farber net>
Date: Fri, 27 Oct 2006 04:36:08 -0400
Begin forwarded message:
From: Cliff Bamford <bamford () oz net>
Date: October 27, 2006 12:50:57 AM EDT
To: dave () farber net
Subject: More on Re: [IP] Warning: Microsoft/Verisign scam on the horizon
Mr. Kemp has obviously looked into this diligently and intelligently. If the scam slipped by him, ordinary users won't have a snowball's chance.
Displaying the CN or ON along with the Cert Issuer's credentials does indeed seem reasonable (modulo perceived increased complexity -- but let's ignore that for this discussion). The point is that such displays are equally valid with existing certificates. In fact, such displays are only a click or two away in most browsers. Furthermore, the processes that Verisign proposes to use [see i) and ii) in Mr. Kemp's message] to authenticate a cert holder are ALREADY followed for existing certs -- see http://www.verisign.com/ssl/ssl-information-center/faq/index.html . If a more rigorous process for validating the identity of cert holders is devised, surely it should be the consensus opinion of all knowledgeable members of the browser development and user community --- not Verisign and Microsoft speaking ex cathedra.
But that's almost beside the point. The real scam is much subtler (but no less real or dangerous). Explaining it from the technology upwards is extraordinarily tedious -- but seeing the scam "from the top down" -- in behavioral terms -- is easier:
End users are rightly concerned about using the Internet. They are looking for clear assurances of safety --- things as simple as walking into the right bricks-and-mortar bank. But the digital universe, being built on imperfect abstractions, simply cannot provide those kinds of verisimilitude signals. They can only provide faulty electronic simulacrums --- like Verisign's Secured Seal™ --- and now the green bar.
What the green bar actually says is: The site you have reached has paid extra (and passed a marginally more rigorous investigation) to certify they are entitled to use the web address that appears in the address bar.
But the green bar will frequently be interpreted as meaning something like: This site is super secure. You don't have to worry about phishing (more true than not), or identity theft (not true at all --- customer databases collected by companies with EVCs or High Assurance certs will still be leaked with the same depressing frequency)
And indeed, the Microsoft/Verisign green bar does nothing to dispel the latter misinterpretation, and much to encourage it. That's the scam.
Cliff Bamford

From: john kemp <john.kemp () mac com>
Date: October 26, 2006 11:43:38 AM EDT
To: dave () farber net
Subject: Re: [IP] Warning: Microsoft/Verisign scam on the horizon

Hello,

With all due respect to Mr. Bamford, I'm not sure if I yet understand exactly what the scam is.

I went to Microsoft's IE 7 blog, and found [1], describing how the URL bar will turn green if an SSL certificate is a "high assurance certificate". Furthermore, the name (presumably Common Name or Distinguished Name from the certificate) of the business is displayed next to the URL - in other words, the user can see that the business name is (hopefully) related to the domain name of the business (which seems reasonable).

I then went to Verisign's page [2] "High Assurance SSL FAQ" to discover that a high assurance SSL certificate is granted only after a certain process (yet to be described by the "CA/Browser authority") is followed. On [2], some items expected to be included in this process are:

i) authenticate the authority of the person requesting the certificate - presumably, that means checking whether this person is actually employed by the company on whose behalf the person is requesting the certificate?
ii) verification of the business with government or other third parties.

I will note that the exact process is not yet described anywhere I can find.

So, my personal opinion of this so far is:

1) I think displaying the business name obtained from the cert in the URL bar is a reasonable thing to do - it provides the possibility of a visual check by the user to see whether the URL and business name are related. In many cases (particularly banks) I'd expect the domain name in the URL to contain almost the exact business name. So that seems like a good hint.

2) The bar turning green because of the usage by the site owner of a "high assurance SSL certificate" /may/ turn out to be useful, probably depending on how easy (or not) it becomes to obtain one of these certificates, or the ability of those with malicious intent to spoof them. Will Internet Explorer accept such certificates only if issued by Verisign? Or is it possible for me to be my own certificate authority? Who will determine the validity of a particular CA accepted in this high-assurance certificate market?

Is this a scam? I'm not sure. Should we continue to check carefully that we are doing business over the Internet with whom we think we are doing business, regardless of this innovation or any other? Yes. That's just like making sure that you walk into the right building to make a deposit in your savings account.

Regards,

- John

[1] http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
[2] http://www.verisign.com/ssl/ssl-information-center/faq/high-assurance-ssl.html
David Farber wrote:
Begin forwarded message:
From: Cliff Bamford <bamford () oz net>
Date: October 26, 2006 10:45:34 AM EDT
To: dave () farber net
Subject: Warning: Microsoft/Verisign scam on the horizon

Dave: for IP if you wish...

Microsoft doesn't like the fact that Firefox is chipping away at its Internet Explorer monopoly. It has teamed up with another outfit with equally uncertain corporate morals: Verisign. Together, they are going to implement a masterpiece of marketing hype called "extended validation certificates (EVCs)". I'll explain what those are below, but first here are my predictions about the effects EVCs will have on our online lives:

Extended validation certificates will:

1. Further screw up the already dismal security of the Internet
2. Confuse and mislead nearly everybody
3. Help Microsoft scare people back to Internet Explorer
4. Allow Verisign to charge premium prices for a bunch of almost meaningless "upgrades"

The way this will work is: when you visit a site that has purchased an EVC from Verisign, if you are using a recent version of Internet Explorer, the address bar at the top of your browser window will turn green --- supposedly indicating that you are connected to a "super secure" site. This is brilliant marketing, but technically, it is 99% baloney.

Digital certificates are electronic credentials that your browser uses to insure that you are actually communicating with the website you think you're communicating with. They don't work very well, in part because this is a very difficult problem involving elusive concepts like "the true identity of an organization, as reflected in the equipment it attaches to the Internet" --- or worse, "the website you think you're communicating with". The problem was slowly being solved, but neither Microsoft nor Verisign (nor, to be fair, anybody else) was willing to wait for a solution. So the current version of digital certificates was implemented, in a manner that left serious holes in the security fence that certificates were supposed to provide.

Most of the holes have been patched, but the original, fundamental issues of identity and authentication are still unsolved. Until a good solution to those abstract problems is found and widely implemented (that's at least 5 to 10 years away), the term "fully validated digital certificate" is an oxymoron.

But people want assurance that they are safe while surfing the wild and dangerous Internet --- and they don't want to waste much time understanding the details. Which is why a green bar is a brilliant marketing idea --- even if it actually means next to nothing.

Microsoft is a masterful marketing company, but it doesn't do security very well. Remember January 2004, when Bill Gates promised us that spam would be ended by 2006? The reason that Bill couldn't keep his promise was ultimately due to the same kinds of problems with identity and authentication that apply to digital certificates -- "extensively validated" or otherwise.

Bill's promise about spam was empty. The green bar in Internet Explorer will be almost equally empty. Unfortunately, many people will probably fall for the razzle-dazzle.
Cliff Bamford

Here's some background information:

Original URL: http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

Verisign backs Vista security green streak
By Chris Williams (chris.williams () theregister co uk)
Published Wednesday 25th October 2006 12:04 GMT

The Mozilla Foundation risks losing the browser battle if it fails to keep up with Microsoft by incorporating new security technology into Firefox, a Verisign exec has claimed.

According to Verisign product marketing director Tim Callan, the "loose collection of technoanarchists" which make up the open source development community has frustrated efforts to build new security features into its new browser.

Verisign is at the RSA Europe Conference in Nice talking up a new breed of online security certificate. The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many. In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

Murphy's law says extended validation will be broken by the bad guys sooner or later. Callan said the industry had learned from the fossilised nature of SSL, and the new standard will be continually updated to keep pace with organised crime. "That's how it goes...I'm not going to lie and say we can beat them with a static defence," he said.

The system is implemented in IE7 by turning the address green for sites holding an extended validation certificate. Redmond is keeping the feature under wraps until the release of Vista in January, when the first wave of extended validation certificates will be issued to the likes of PayPal and Amazon. Along with many others, Verisign are working towards a January 24 release date which was briefly bean-spilled by Amazon on Vista pre-orders.

Callan puts Mozilla's apparent heel-dragging on the new security technology down to the character of its development community. Several community members have been involved in the development process however and are "acutely aware of the most minor details" of the project.

One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Verisign say 99 per cent of sites will get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological fillip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

Microsoft-beating security meant the first Firefox browser found its way onto millions of desktops. When Vista finally ships, a big Microsoft public awareness campaign will be aimed at making extended validation a de facto standard, which will pile pressure on Mozilla to update Firefox sharpish. ®