Response to remarks on Phishing article

Henry Story
Jul 3, 2018

My Phishing article started some helpful discussions around the web, so I thought it would be worth bringing together some key points that emerged.

Let me start with Ben Laurie’s tweet, as it brings up two questions that can help me tie a number of others together.

Ben’s most relevant credentials for this discussion are that he is a founding director of The Apache Software Foundation, a core team member of OpenSSL (he wrote Apache-SSL), and that he is working on Certificate Transparency, a way of making the issuance of certificates publicly auditable. He makes two points in that tweet that I will address separately.

Can any .gov.uk site vouch for any domain?

There are a couple of questions hidden in this one. One concerns which servers can vouch, and the other what they can vouch for.

Starting with the question of which domains can vouch. Yes, any .gov.uk site could be the one selected to be the register of UK companies. However, that would not be because its domain name ends with the string of characters “.gov.uk”, but because the site is appropriately linked to by the UK root authority, which we are imagining is something easy to remember like https://gov.uk/. What exactly that link should be has not been settled, but it needs to be one that browsers can recognise as the means by which gov.uk has given the other site company-registration authority. Currently that site is *.companieshouse.gov.uk. The way the UK has decided to organise itself, this is the only website that can play that role.

But other countries may choose to do things differently. The German company registrar, for example, is www.unternehmensregister.de, and the portal of the German federal state seems to be bund.de. So there bund.de would link in the same way to unternehmensregister.de, whose name does not contain the string “bund”! In the US the point is even more evident, as there are a number of players. The Securities and Exchange Commission (SEC) at www.sec.gov fits the pattern of US government sites ending in .gov, but it only covers publicly traded companies. Every US state has its own registry; California’s, for example, is at businesssearch.sos.ca.gov. One can see a wide range of conventions just by looking at the long yet incomplete CompaniesHouse document on Overseas Registries. Moreover, why would one disallow Asian countries from having domain names written in scripts other than the Latin alphabet, as Internationalized Resource Identifiers (IRIs) make possible?

Diagram of a small subset of the Institutional Web

Until now we have only discussed companies. A similar principle needs to be followed for the army, the police, schools, universities and the sites of other organisations. In the US, university domains all end in .edu. It does not seem likely that there will be worldwide agreement to treat all such sites as types of business, and so as the responsibility of the business registry, even if they all keep people busy in one way or another.

So the proof procedure has to be one of following links from the trust anchor to the company domain, following only links that are globally typed and globally unique, i.e. IRIs. Hardwiring full domain names, or doing logic on the patterns of such names, could make browsers mark a whole range of websites as insecure after a re-arrangement of domains at government level, which happens from time to time and is most likely to happen at the beginning of this project as it is deployed. In the proposal developed here each user need only know the name of his own country’s trust authority. All the others can be reached automatically from there, and none need to be hardwired.

Next comes the question of what sites a company registry can vouch for, and what the proof procedure should be for it to do so. Initially I would start with the assumption that there need be no restrictions, so long as the owners of the company registry are willing to make that statement. After all, publishing such a link makes the company owners legally responsible for what is going on at the site, which is why people going to that site and seeing the official link will be able to trust it somewhat more. Why would someone claim ownership of what is written on a website for which they don’t want to assume legal responsibility, if they can’t even determine what is written there?
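As an added illustration (it is not code from the original article, nor from any registry), here is a toy version of the proof procedure just described, in Python. Everything in it is constructed: the documents that gov.uk, bund.de and the registries would publish are in-line dicts rather than fetched over HTTPS, the hypothetical new registry name used in the reorganisation step is invented, and the two link types are hypothetical IRIs standing in for whatever vocabulary is eventually agreed. What it shows is that the verifier never inspects the characters of a domain name: it only follows typed links from the single configured anchor, so it copes with a registry whose name contains no hint of “gov”, with an IRI in a non-Latin script, with a link cycle, and with a government moving its registry to a new domain.

```python
from collections import deque

# Hypothetical link types, written as full IRIs so they are globally unique.
DELEGATES_REGISTRY = "https://example.org/vocab#delegatesCompanyRegistry"  # anchor -> registry
OWNS_WEBSITE = "https://example.org/vocab#ownsWebsite"                      # registry -> company site

# Constructed sample of the "institutional web": origin -> {link type: [target origins]}.
# In a real deployment each entry would be a document fetched from that origin over HTTPS.
WEB = {
    "https://gov.uk/": {                                   # the UK anchor, as imagined in the text
        DELEGATES_REGISTRY: ["https://api.companieshouse.gov.uk/",
                             "https://bund.de/"],          # hypothetical recognition of the German anchor
    },
    "https://api.companieshouse.gov.uk/": {
        OWNS_WEBSITE: ["https://shop.example.co.uk/"],     # constructed UK company site
    },
    "https://bund.de/": {
        DELEGATES_REGISTRY: ["https://www.unternehmensregister.de/",
                             "https://gov.uk/"],           # mutual link: creates a cycle
    },
    "https://www.unternehmensregister.de/": {
        OWNS_WEBSITE: ["https://例え.jp/"],                # constructed IRI with non-Latin characters
    },
    # A site whose name merely *looks* official. Nobody links to it as a registry,
    # so nothing it says counts, however convincing the substring ".gov.uk" looks.
    "https://registry.gov.uk.example/": {
        OWNS_WEBSITE: ["https://phish.example/"],
    },
}


def vouching_chain(anchor, target, web=WEB, max_hops=8):
    """Breadth-first walk from the trust anchor along typed links only.

    Returns the list of origins leading from `anchor` to `target` if some
    registry reachable from the anchor vouches for `target`, else None.
    Domain-name strings are never pattern-matched; only exact IRI equality
    and link types matter. `seen` stops cycles; `max_hops` bounds the walk.
    """
    queue = deque([(anchor, [anchor])])
    seen = {anchor}
    while queue:
        origin, path = queue.popleft()
        if len(path) > max_hops:
            continue
        links = web.get(origin, {})
        # A registry (or the anchor itself) vouches for the sites it says it owns.
        if target in links.get(OWNS_WEBSITE, []):
            return path + [target]
        # Only delegation links extend the set of sites allowed to vouch;
        # a company site reached via OWNS_WEBSITE never becomes a registry.
        for nxt in links.get(DELEGATES_REGISTRY, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def is_vouched(anchor, target, web=WEB):
    """Boolean form of vouching_chain, as a browser would use it."""
    return vouching_chain(anchor, target, web) is not None


def reorganise(web, old_registry, new_registry):
    """Simulate a government moving its registry to another domain.

    Whoever delegated to `old_registry` now delegates to `new_registry`, and
    the registry's data moves with it. Because nothing was hard-wired in the
    verifier, existing vouching chains keep working after the move.
    """
    new = {origin: {p: list(v) for p, v in links.items()} for origin, links in web.items()}
    for links in new.values():
        if old_registry in links.get(DELEGATES_REGISTRY, []):
            links[DELEGATES_REGISTRY] = [new_registry if o == old_registry else o
                                         for o in links[DELEGATES_REGISTRY]]
    new[new_registry] = new.pop(old_registry)
    return new


if __name__ == "__main__":
    anchor = "https://gov.uk/"
    for site in ["https://shop.example.co.uk/", "https://例え.jp/", "https://phish.example/"]:
        print(site, "->", vouching_chain(anchor, site))
    # Hypothetical new registry name, to show that nothing in the verifier depends on the old one.
    moved = reorganise(WEB, "https://api.companieshouse.gov.uk/", "https://companies.gov.uk/")
    print("after reorganisation:", vouching_chain(anchor, "https://shop.example.co.uk/", moved))
```

Note the asymmetry between the two link types: a site reached through the ownership link is vouched for but gains no authority of its own, while only delegation links let a site vouch for others. That is what keeps a phishing site, even one named after a registry, from vouching for itself.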

User Experience (UX) has always been the hard part.

I completely agree. However, I think one has to understand why it has been so difficult. After all, we see excellent feats of UX design all the time in other industries. Why is it that this one is so difficult?

One reason, I would argue, is that the minimal (domain-validated) certificates verify only one thing: that the user’s browser is connected to a machine controlled by whoever controls the domain name. With so little information there is very little space for designers to explore, and most of it has already been explored.

This came out of a very helpful discussion on the Let’s Encrypt community board, which helped me fix a couple of errors I had made in my initial publication and got me to think more carefully about the UX part. In particular _az, a developer from Australia at fleetssl.com, pointed me to Peter Gutmann’s 01/04/2014 draft of his book “Engineering Security”, and especially the chapter “EV Certificates: PKI-me-Harder” starting on p. 72.

I set the topic of that discussion to be EV Certificates because it seemed to me that as soon as CompaniesHouse starts publishing information about which websites belong to the companies it lists, letsencrypt.org could start offering EV Certificates automatically and for free. EV Certificates currently cost upward of $500 to $2000 a year, because the certificate authorities need to do costly manual work to verify that the details of the company match even the small amount of information that is placed inside the X.509 certificate. But with a site such as api.companieshouse.gov.uk publishing UK company data in machine-readable form, that cost could disappear.

Extra info shown by Firefox 61 when clicking on the padlock for a website serving an EV Certificate

The interest of EV Certificates for this argument is that they contain more than just the domain name: they also contain the legal name of the company and its address. However, this extra information does not seem to have helped, and the chapter “PKI-me-Harder” lists many of the problems that were encountered.

For example, some smaller devices started showing only the company name rather than the whole domain name. Since it is always possible to find a Certificate Authority that is not aware that a company with the same name exists in another country, it is not difficult to get a CA to sign, in good faith, a certificate for a company name that is also used by a company elsewhere. That certificate can then be used to fool people. This is because company names are not Uniform Resource Identifiers (URIs): like all words in natural languages, they can be ambiguous.
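To make concrete what “the small amount of information that is placed inside the X.509 certificate” actually is, here is an added Python example (it is not from the article nor from Gutmann’s book, and uses only the standard library). It DER-encodes two constructed EV-style Subject Names using the real attribute-type OIDs that the EV Guidelines require, decodes them again the way a certificate parser would, and compares the organisation name that a browser puts in its chrome with the attributes that actually pin down a legal entity. The company names, addresses and registration numbers are invented, as is the minimal checklist of required EV fields; the OIDs and the DER encoding rules are real.

```python
# Real X.520 / EV-Guidelines attribute-type OIDs. The *values* used below are constructed.
OIDS = {
    "2.5.4.6": "C",                  # countryName (of the physical address)
    "2.5.4.7": "L",                  # localityName
    "2.5.4.10": "O",                 # organizationName: the part browsers put in the chrome
    "2.5.4.3": "CN",                 # commonName: the domain
    "2.5.4.5": "serialNumber",       # company registration number
    "2.5.4.15": "businessCategory",  # e.g. "Private Organization"
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",  # jurisdictionOfIncorporationCountryName
}
NAMES = {short: oid for oid, short in OIDS.items()}

# Assumption: a minimal checklist of Subject attributes the EV Guidelines make mandatory.
EV_REQUIRED = {"O", "businessCategory", "jurisdictionC", "serialNumber", "C"}


# --- minimal DER encoder for an X.501 Name --------------------------------------
def der_length(n):
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: 0x8k then k length bytes

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                           # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def encode_name(attrs):
    """[(shortName, value), ...] -> DER Name: SEQUENCE OF SET OF SEQUENCE {OID, UTF8String}."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(NAMES[short])) + tlv(0x0C, value.encode())))
        for short, value in attrs)
    return tlv(0x30, rdns)


# --- minimal DER decoder ----------------------------------------------------------
def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """DER Name -> {shortName: value}; unknown attribute types keep their dotted OID."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = {}, 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        dotted = decode_oid(oid)
        out[OIDS.get(dotted, dotted)] = val.decode("utf-8")
    return out


# --- what the user sees vs. what identifies the company ----------------------------
def displayed_label(subject):
    """The organisation name alone, as the small-screen UIs discussed above show it."""
    return subject["O"]

def legal_identity(subject):
    """What makes an EV subject unique: where it is registered, and its registration number."""
    return (subject["jurisdictionC"], subject["serialNumber"])

def missing_ev_fields(subject):
    return sorted(EV_REQUIRED - subject.keys())


# Two constructed subjects: the same trading name, registered in different countries.
UK_ACME = [("C", "GB"), ("L", "London"), ("jurisdictionC", "GB"), ("serialNumber", "01234567"),
           ("businessCategory", "Private Organization"), ("O", "Acme Widgets Ltd"),
           ("CN", "acme-widgets.example")]
DE_ACME = [("C", "DE"), ("L", "Berlin"), ("jurisdictionC", "DE"), ("serialNumber", "HRB 99999"),
           ("businessCategory", "Private Organization"), ("O", "Acme Widgets Ltd"),
           ("CN", "acme-widgets-shop.example")]

if __name__ == "__main__":
    for attrs in (UK_ACME, DE_ACME):
        subj = decode_name(encode_name(attrs))
        print(displayed_label(subj), "->", legal_identity(subj), "missing:", missing_ev_fields(subj))
```

Both subjects decode to the same displayed label, while their jurisdiction and registration number differ; a UI that shows only the organisation name throws away exactly the two attributes that would have distinguished them.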

Firefox 61 shows the name, but this takes so much space that the URL, which is the global identifier, is only partly visible. It could also be that the browser fetched https://medium.com.fools.us/

To get more information than the official name, the user has to click on the green padlock. And if he does he gets: the official address of the company headquarters! Is it then really difficult to understand the lack of interest people have in the details of an EV certificate? The first reaction one may have on seeing that would be: good to know that when I need the address of a company I can look there, in addition to the up-to-date web page on their domain that also gives me their telephone number, opening hours, etc. How often do you click on the green padlock when browsing the web? One definitely should whenever one is entering a credit card number or password. (Why we rely on secrets that are so easy to misuse is another question.)

So we have the following problem: EV Certificates are expensive, and they are only useful to websites smaller than Google or Amazon, whose domain names people may not have memorised. But for those smaller companies they are expensive, bring little extra information, and remain phishable because of the well-known problem that CAs are distributed around the world and none of them is aware of the names of all the other companies.

However, the proposal we put forward changes the game: the information published by the government-accredited registries is legally backed, can be a lot richer than what fits into a certificate, can be updated in real time, and in no way relies on Certificate Authorities. It could work just as well with the IETF DNS-based Authentication of Named Entities (DANE) standard, which relies on DNSSEC for tying a domain to a key.

There is also a lot more information to show, and the information can evolve over time. It is therefore possible to imagine browsers that actually show this information to users in an enticing way, before rendering the page that the user wanted to look at. One could imagine a mobile browser, on first reaching a new domain, then at psychologically determined intervals (measured in weeks), and especially when important information has changed, showing a page describing the organisation responsible for that website: a globe highlighting the position of the headquarters, the names of the company directors, a link to their latest statements, a flag for any legal problems they may have, and for public companies a link to their stock market valuation.

Websites that are not backed by a registry would show the same company info page as a blank page with a lot of question marks: a clear signal to the user that he is now on his own when dealing with this website. Skiing off piste is a lot of fun, but one needs to take precautions.

That is as much as I can say for now. I will need to study Peter Gutmann’s book in more detail for my PhD, but as it is 700 pages long, that may take some time.


Henry Story

is writing his PhD on http://co-operating.systems/. A Social Web Architect, he develops in Scala ideas guided by Philosophy, and a little Category Theory.