Bad news on web security

Miguel Macías
15 min read · Sep 29, 2019


Browsers are killing EV certificates

Safari already did it on iOS, Chrome just did it and Firefox will follow Google’s lead shortly: the removal of visual indicators for EV certificates is killing one of the most useful security measures a user has for checking the security of a web page.

How do I know if I’m browsing with security?

When you browse to a website, basically two things can happen:

  • the browser stops you, because it considers the page unsafe
  • the browser loads the page and it’s up to you to decide whether the communication is secure or not

Some examples of the first case:

a page detected as phishing blocked by Firefox
a page blocked because the server’s authentication is not trusted by Chrome

At such blockages, the user must stop immediately. Since there is evidence that the page is insecure, it would be foolish to load it anyway (we will leave for a future article the actions a user can take in such cases).

If the browser shows the page, two options are possible:

  • the page does not have any security
  • the page has security features (checked by the browser)

In either case, the browser shows, at the first level of the user interface, some visual indicators that help determine the existing security.

So, as a user, I have to master my tool and know where these visual indicators appear. All browsers have a security zone (which the displayed page cannot modify) that shows the security features of the website being visited.

The security zone

In most browsers the security zone is in a fixed position: to the left of the address bar. This allows the user to check the security zone quickly and easily before interacting with (even before starting to read) the web page.

The next screenshot shows the security zone (in Firefox), the only place to look when the page has just loaded:

Security Zone on Firefox

Some browsers do not set a fixed place for the security zone, which forces the eyes to move along the address bar and makes a quick check difficult.

Each browser uses different indicators and leaves it to the user to interpret their meaning. Some examples when you browse with and without a privacy guarantee:

Security zone of different browsers browsing with and without privacy

The last two rows of the table above show browsing to onion services. These services are on the Tor network and you need a Tor proxy to access them. Although normal browsers can be used to reach these services, it is recommended to use the Tor Browser.

We all learn and automatically practice some measures that protect us in certain situations: look both ways before crossing a street, check that no one is looking over my shoulder when I get cash from an ATM… Looking at the security zone of the browser when loading a website has to be one of them.

How do I know if the web server is the real one?

Browsers can guarantee that navigation uses a private channel. But privacy is only one half of security. Just as important as keeping the communication private is knowing who I’m talking to. Am I communicating with the organization I wanted?

And this is where digital certificates come into play. They are documents signed by trusted third parties that identify the web server. The browser checks the validity and trust of the certificate, but it is the user’s responsibility to check that the website is legitimate (and this should be easy to do, without any extra actions).

Although CAs (Certificate Authorities, the trusted third parties) use different classifications for their products, we could say that there are only two types of certificates:

  • standard: authenticates a DNS domain
  • EV (Extended Validation): authenticates an organization

Standard certificates

If a website uses a standard certificate, security depends on whether the user knows (beforehand) the DNS domain of the organization visited and whether the user validates that DNS domain in the address bar when the first page is loaded.

Some examples of indicators in the security zone when browsing to websites using standard certificates:

table of different browsers loading secure pages with standard certificates

The table above shows a website with a privacy guarantee (that is what the browser states in the security zone). But users can only consider the page secure if they check that the DNS domain is the valid domain for the service. Do you think this page is from Google? Do you know who is behind the DNS domain google.cn? Is it the real Google, and does it allow you to search without any security? Look:

Chrome browsing to google.cn without security

Can a user be fooled when using standard certificates? Of course; there are countless types of deception that have worked many times:

  1. using a fake domain that only differs on TLD (example: paypal.cn instead of paypal.com)
  2. using a fake domain that changes some letter for another one visually similar (example: paypaI.com instead of paypal.com)
  3. using a fake domain not related to the actual domain (example: paypal.com.veryevil.com instead of paypal.com)
  4. setting up a man-in-the-middle attack (MITM) with a fake root CA installed on the device (the DNS domain doesn’t change in this case)
  5. and so on…

In all these attacks, when the fake website uses HTTPS, the browser’s security zone is not helpful (because both the legitimate site and the fake site guarantee privacy). Browsing will only be safe if the user knows the DNS domain of the visited service perfectly (beforehand, and every time it changes) and checks it. But not even that is always enough: even when checking the DNS domain, under an attack like the one described in the fourth example there is no way to detect the attack with the information in the address bar.

EV Certificates

If a website uses an EV certificate, security only depends on the user knowing (beforehand) the legal identity (organization name and jurisdiction) of the service. The DNS domain is irrelevant: users don’t have to know the DNS domains or be aware of them, and websites can change them at any time.

Some examples of indicators in the security zone when browsing to websites using EV certificates:

table of different browsers loading secure pages with EV certificates

Maybe you’ve just discovered this service and it’s the first time you’ve browsed to that website. You don’t know anything about the DNS domain… but with the EV information at the first level you immediately know the company offering this service.

It is much easier and faster for a user to check security with an EV certificate (name and jurisdiction of an organization) than with a standard certificate (DNS domains). Unfortunately, most browsers are now hiding this useful information.

Can a user be fooled when using EV certificates? Of course; there are some types of deception that have worked on occasion:

  1. registering a fake company with a similar name (for example: Payqal, instead of Paypal)
  2. registering a fake company with the same name in another country (e.g. PayPal in VN instead of PayPal in US)
  3. registering a fake company with the same name and in the same country (there have been some cases, although it is highly difficult in most cases)

For years, organizations have been protecting their trade names and preventing other companies from using their brands. Thus, these attacks are very difficult to achieve in most cases. In any case, the cost and complexity are far greater than cheating with standard certificates.

It should be noted that EV certificates are an effective protection against man-in-the-middle attacks (even with a fake root CA installed on a device). We have seen that this attack was undetectable with standard certificates. However, it is an attack that is immediately detected with EV certificates (as long as the user is aware, of course). We’ll look at it in more detail…

Let’s see an actual example where a user has to determine the security of a website. There is a huge difference depending on whether the certificate is EV or standard. Suppose you are an Italian doing business with Deutsche Bank and you have reached two different URLs (maybe by following a link in an email, in search engine results…):

Which is the good one? Are both real? Is one of them fake? Are both fake?

If standard certificates are used (or the browser hates EV certificates and does not display first-level indicators), it depends on your knowledge of Deutsche Bank’s DNS domains:

Two websites without EV information

Does the user have to know all the DNS domains of a service? Does the user have to know how to perform whois queries? Does the user have to trust the whois data? Does the user have to phone the service to have the DNS domain confirmed every time it seems unusual?

If you think search engines are the solution, you’re wrong. Blindly trusting search engine results leaves you in the hands of paid ads, SEO tricks and frequent attacks, for example downloading malware when looking for a password manager.

If EV certificates are used (and the browser honors them) everything is really simple:

EV information guaranteeing real websites

As you can see, both URLs are obviously legitimate.

Wait! Can an evil agent register a fake company with the name “Deutsche Bank AG” based in Germany? I very much doubt it. And, in such a case, the legitimate Deutsche Bank would immediately know that a dangerous EV certificate had been issued, thanks to Certificate Transparency, a mandatory register of all signed certificates.

Security measures

Like all security measures, neither type of certificate is the ultimate shield that protects us from all attacks, but both are valid to protect the user. And EV certificates protect against more attacks and allow safer and easier use of web services.

Being attacked with a man-in-the-middle (MITM) and having a fake root certificate installed can seem complicated, and we may think we will never be in such a situation. But computer security can easily be lost… let’s see an example.

Some laptop manufacturers thought they could make more money by installing a fake root certificate and injecting ads into the web pages the user visited. Just by buying one of these laptops and connecting to a malicious network (an evil free Wi-Fi at an airport, for example) we were already in the situation described: a MITM attack with a fake root certificate installed.

Things got worse, obviously. The private key of the root certificate became public and anyone could issue false certificates that our system would trust. On any evil network the user was lost, unable to determine whether a site was legitimate or not… All users? Or were there users who immediately detected the problem?

Suppose again you’re an Italian doing business with Deutsche Bank. You know Deutsche Bank uses EV certificates, so you only trust a website when you see “Deutsche Bank AG (DE)” in the security zone. If you were unlucky enough to buy one of these laptops, at least you weren’t cheated. If someone tried to steal your money with a fake bank website, you immediately detected the problem. An EV certificate cannot be forged.

If you know the service uses an EV certificate, like this one:

a web with an EV certificate

You detect that there is a problem when the EV information does not appear, as in this attack:

a web with an EV certificate without EV info at address bar

This is important: if you know that a website uses an EV certificate, only when you check the name and country in the security zone can you be sure that the website is legitimate. Even a successful validation as a standard certificate indicates that there is a problem and that you should stop browsing. Well… until now, when browsers have decided to kill EV certificates.

For a conscientious user, EV certificates detect and stop MITM attacks, even when a fake root certificate is installed on the device.
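An added example (not the author’s code) of the two certificate types from the section above and of the rule just stated: it builds two constructed self-signed certificates with the cryptography library (assumed installed), one carrying the CA/Browser Forum EV policy OID 2.23.140.1.1 plus the organization and jurisdictionCountryName that the security zone used to display, the other a plain domain-style certificate like the one an interception proxy with a rogue root can mint. For a site the user knows to be EV, anything without the expected EV identity is a stop. Real browsers also recognized CA-specific EV policy OIDs; this check looks only at the CA/B Forum one.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# CA/Browser Forum EV policy identifier. Assumption for this demo: browsers also
# kept a list of CA-specific EV OIDs, which is not reproduced here.
EV_POLICY_OID = ObjectIdentifier("2.23.140.1.1")


def make_cert(common_name, org=None, jurisdiction=None, ev=False):
    """Constructed self-signed certificate for the demonstration (not a real CA's).
    With ev=True the subject carries O and jurisdictionC and the EV policy OID."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    if jurisdiction:
        attrs.append(x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, jurisdiction))
    name = x509.Name(attrs)
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ev:
        policies = x509.CertificatePolicies([x509.PolicyInformation(EV_POLICY_OID, None)])
        builder = builder.add_extension(policies, critical=False)
    return builder.sign(key, hashes.SHA256())


def ev_identity(cert):
    """Return (organization, jurisdiction) if the certificate is EV, else None.
    This is what the security zone showed at first level; the DNS domain plays no part."""
    try:
        policies = cert.extensions.get_extension_for_oid(
            ExtensionOID.CERTIFICATE_POLICIES).value
    except x509.ExtensionNotFound:
        return None
    if not any(p.policy_identifier == EV_POLICY_OID for p in policies):
        return None
    org = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    jur = cert.subject.get_attributes_for_oid(NameOID.JURISDICTION_COUNTRY_NAME)
    if not org or not jur:
        return None
    return org[0].value, jur[0].value


def security_zone_verdict(cert, expected_org, expected_jurisdiction):
    """The rule for a site known to be EV: no EV identity (even a certificate that
    validates fine as a standard one) or a wrong identity means stop browsing."""
    identity = ev_identity(cert)
    if identity is None:
        return "no-ev-identity"
    if identity != (expected_org, expected_jurisdiction):
        return "identity-mismatch"
    return "ok"
```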

EV information will now be at the second level (you must click on the security zone), but nobody (neither technical people nor security people) clicks on the security zone every time to check the details. Basic information for checking the security of a web page has been lost.

Browser manufacturers (and security gurus) prefer an address bar without some security indicators, with a lot of empty space, like this one:

an address bar with a lot of empty space

They think it’s better to omit the EV information (even to omit needed information)… Better for whom? Maybe empty space is useful for security? Is it harmful to include information that helps users check security?

When does an EV certificate help us?

We have seen, with the example of the tainted laptops, how knowing beforehand that a service uses an EV certificate is very useful. It prevents us from falling into a MITM attack and ensures (when all is OK) that we are contacting the organization we wanted, confidentially.

Is it necessary to know if a service uses EV certificates to make them useful? Of course not…

Let me tell you a personal story: I recently heard about quite interesting financial products. But I had never heard of the bank that offered them before. This is always problematic… isn’t it a scam?

In any case, I decided to go to the website offering these products (hosted on a DNS domain I didn’t know before). As soon as the page loaded (without even looking at its content), all my doubts dissipated:

a web with EV certificate

The EV certificate assures me that the CA has carried out all the necessary checks to guarantee that I am interacting with one of the banks I know. This bank is simply offering products under another trademark and another DNS domain. But the company behind it (and I know which one thanks to the EV certificate) gives me the confidence to be interested in these products.

Could it be a fraud where someone has registered a false company with the name of this bank? I’d say it’s impossible. A bank with more than 50 years of existence would not let its official name be registered by another company in the same country.

There are a lot of occasions where an EV certificate will give us the necessary confidence to continue using a website. Let’s see another example…

You are interested in airline customer loyalty programs and, with your favorite search engine, you’re looking for related sites. Let’s suppose that among the first results you find these:

Will they be reliable websites? Since you don’t know any of the websites, you decide to visit each one to see what they look like and what security they provide:

two websites, one with standard certificate and one with EV certificate

Both websites set up a private channel. But one of them uses an EV certificate, which identifies the institution operating the website, a well-known airline. It is obvious that this website provides much more confidence than the other (where only confidentiality of communications is guaranteed, but I don’t know who I’m talking to).

Although highly unlikely, if someone were to register a company with the same name in the same or another country, the original company would immediately detect the issuance of an EV certificate with a problematic name.

Status of certificates

When validating a certificate and deciding whether it is trustworthy or not, it is very important to check that it is not revoked (that is: the owner has not cancelled it before it expires).

Due to some flaws, we’ve been hearing for years that revocation doesn’t work, so some browsers have decided not to perform these checks. EV certificates also have an advantage in this respect: all browsers have to check their status.

Browsers have tremendous potential to change the world and make the web more secure. When it was determined that SHA1 was a weak algorithm or that a Certificate Transparency policy was necessary, the browsers set a deadline for the changes (remove SHA1, register the certificates…). All CAs (Certification Authorities), public or private, and all web service owners had to adapt to the changes by the scheduled dates. And the web is now more secure.

However, no one has wanted to fix the status check of a certificate. It has reached the point where each browser has tried to use its own mechanism, without consensus or standards. And, as on other occasions, the solution is very simple: set a deadline after which certificate status checks become “hard” (either a positive response is obtained or the certificate is considered invalid), and we will have a solution to this problem.

What’s more, if browsers had already put a stop to OCSP problems, we would already have the OCSP stapling and must-staple mechanisms extended to 100% of websites, with robust and secure implementations, enabling better security and privacy for users.

Arguing against EV certificates

Unfortunately, some arguments are used against EV certificates that have nothing to do with security.

One of them is that the most popular websites do not use them. Do we have to blindly follow what these sites do? There are many studies that show vulnerabilities and bad practices on the most popular websites: for example, they use obsolete software, have cross-domain failures… If they know best how to do things, do we have to use vulnerable software versions? Should we have bugs to look like them?

Seriously, security measures have to be evaluated on their own merits, not by the use the “big players” make of them. Otherwise, we would stop using many valid technologies.

For example, the status_request extension of TLS (aka OCSP stapling) is a security mechanism that improves the process of checking the status of a certificate and helps maintain users’ privacy. It could be said that everybody considers this extension a good security measure… everybody?

Only three of the 10 most visited websites in the Alexa ranking implement OCSP stapling:

$ while read web
> do
> echo $web;
> echo Q |
> openssl s_client -status -connect $web:443 2> /dev/null |
> grep -i -e 'Cert Status:' -e 'OCSP Response: no'
> done < alexaTop10
www.google.com
OCSP response: no response sent
www.youtube.com
OCSP response: no response sent
www.baidu.com
OCSP response: no response sent
www.tmall.com
OCSP response: no response sent
www.qq.com
Cert Status: good
www.sohu.com
OCSP response: no response sent
www.facebook.com
OCSP response: no response sent
world.taobao.com
OCSP response: no response sent
www.wikipedia.org
Cert Status: good
www.yahoo.com
Cert Status: good

So, do we abandon OCSP stapling? Do we stop implementing it on our website to look like the big websites?

Remember your mother’s words: “If your friends jumped off a cliff, would you too?”

Another argument against it is that users do not know how to interpret the information provided by an EV certificate.

That’s (partially) right. I know many users, many of them technical people (many of them dedicated to computer security), who have never taken the time to understand and learn the advantages of an EV certificate.

However, it’s one of the simplest security measures to understand, and among the most used once it is known. I’ve been teaching computer security for many years and discovering EV certificates is one of the many pleasant surprises students get. And they spread this knowledge in a simple way.

Studies show that most people don’t understand many traffic signs. Should these signs be removed from the roads? Or should more effort be put into education?

What happens next?

Since the valuable information provided by an EV certificate is now hidden, websites will stop requesting EV certificates and start using only standard certificates.

And users will lose an essential security measure for browsing safely. Browsers are promoting the removal of a measure that is useful for improving the security of the web and that is in no case harmful.

We should not allow it!

Save the EV certs

Notes

  1. Software changes frequently, so the facts in this post are accurate at the time of writing (09/29/2019). If you read this post on a different date things could be very different.
  2. There is always an exception for every security claim. For example: “TLS guarantees privacy”… true, in general; but TLS fails in this purpose if the protocols used are obsolete, ciphersuites aren’t robust, etc. Writing this post I’ve made statements that can be found “not always 100% true”. I know. But I’ve omitted the “exceptions”, trying to contain the length of the article.
  3. Screenshots are of Spanish versions of browsers. I hope it didn’t make reading difficult for you. All browser screenshots were taken using private mode (aka incognito mode).
