The Zero Trust Internet Protocol White Paper: Introduction
This section covers our vision, problem statement, and the proposed solution.
Updated: April 2021
Both White and Technical Papers have been updated to reflect everything we’ve learned over the past few years.
Why publish on Medium?
By providing a version of our white paper on Medium, we aim to achieve two things:
- Community engagement — please comment and question any section. If you find that your question or concern is answered elsewhere, please feel free to delete your comment so we don’t end up with more work than is necessary.
- Accessibility — it’s easier to read a Medium article on a mobile device than a PDF. We will republish our PDF documents as soon as they have been updated to reflect the changes made to our Medium articles.
Clicking on each heading will take you to that section’s Medium post. Each section has a table of contents, so you don’t need to use multiple browser tabs.
5. MetaCert’s Prior and Related Work
6. Design Goals
7. Solution: The MetaCert Protocol
8. Future Work
9. Token Sale Breakdown *(This section is not in the PDF)
Not a day goes by without news of a crypto company, major corporation or public institution suffering an Internet security breach, or innocent victims falling prey to online fraud. Internet security is a critical necessity for organizations and individuals, but remains one of the most difficult problems to contain because today’s security systems are designed to protect people from “known threats”. The data paints a bleak picture — focusing on known threats is no longer efficient or reliable. While it’s possible to stop most known threats most of the time, it’s technically impossible for any security system to stop unknown threats all of the time.
MetaCert, the author of this document, isn’t just a company; we are a group of individuals driven by our collective passion to protect people and organizations from personal and financial losses.
The team behind MetaCert worked for years to create and maintain Internet and mobile standards at the W3C, the standards body for the World Wide Web. MetaCert’s founding members helped to create the W3C Standard for URI Classification, formally replacing the incumbent standard, PICS, in 2009. Today, the MetaCert team combines its expertise in setting the Internet standard for URI Classification with years of experience in the realm of online safety and security in order to move the world’s first zero trust URI registry to the Blockchain (a distributed ledger). Therefore, MetaCert will introduce an open protocol called the MetaCert Zero Trust Internet Protocol (“the Protocol”) that will improve the Internet’s trustworthiness and reputation.
Using distributed ledger technology, MetaCert will decentralize its categorized registry to democratize the submission, validation and dispute processes for URIs. Anyone with access to a basic phone or computer will be able to submit or validate trust and reputation information about URIs.
To enable the growth, development and utility of the Protocol, we are launching the MCERT Token (the “Token”). The Token will be the foundation of a tokenized economy that incentivizes community members to behave appropriately, mitigating the risk of bad actors and reducing community security vulnerabilities.
We see a world in which people are safe whenever they use email or browse the web.
We are building a query and response security protocol for the Internet, storing trust and reputation information about Uniform Resource Identifiers (URIs). A URI is a unique sequence of characters that identifies a logical or physical resource used by web technologies. URIs may be used to identify anything, including real-world objects, such as people and places, concepts, or information resources such as domain names, social media accounts, browser extensions, apps, APIs, bots, Tokens, and crypto addresses. Some URIs provide a means of locating and retrieving information resources on a network (either on the Internet or on another private network, such as a computer filesystem or an Intranet); these are Uniform Resource Locators (URLs). In short, you can think of a URL as one type of URI.
The Protocol’s registry is stored in metadata format, and therefore machine-readable and queryable with the MetaCert API. Potential consumers of the API service include security vendors, email providers, mobile operators, SMS gateway providers, internet service providers (ISPs), crypto exchanges, digital wallets, Wi-Fi hotspots, browsers, and mobile apps — in other words, any hardware or software application that provides access to the Internet.
The MetaCert API makes it easy for security vendors to build products and services that enable a Zero Trust strategy for web access. A zero trust strategy for web access will provide a new way to stop phishing-led cyberattacks. Phishing is a fraudulent attempt to obtain sensitive information such as usernames & passwords, credit card details and cryptocurrency private keys. Phishing is also used to install unwanted software to compromise computer networks and to spread malware and ransomware.
What Motivates Us
We believe in a free, open and safe Internet for everyone where the public can access the resources they want while avoiding hidden dangers.
You should have peace of mind whenever you use the Internet to access email, share files, use social media, or browse the web. You should be able to quickly and easily identify URIs and digital assets that you can trust, to avoid dangerous counterfeits.
We believe it should be easier for organizations to avoid phishing-led cyberattacks such as data leakage and ransomware attacks.
We believe it should be easier for Governments to avoid state-sponsored attacks.
We believe it should be easier for people to avoid phishing-led scams that are used for online fraud, identity theft and malware attacks.
These are just some of the challenges that we believe can be addressed with a zero trust strategy for Internet security.
Internet security is no longer effective or reliable
Is this browser extension or app safe to download? Is this a counterfeit website? Can I trust the link in this email? Has this crypto wallet address been verified? Is this a fake Twitter account? Is the link inside this text message really from my bank?
Each of these questions implicates an important aspect of the Internet — Uniform Resource Identifiers (URIs). Cybercriminals are aggressively targeting people instead of computer networks because sending fraudulent messages and tricking them with deceptive websites is easier, less expensive, and far more profitable than trying to take advantage of computer-based exploits and vulnerabilities.
Web domain fraud is a growing risk for businesses, government agencies and Internet users everywhere. Every year, threat actors register millions of domains to impersonate brands and defraud those who mistakenly trust that a URI or webpage is legitimate.
According to the Verizon 2020 Data Breach Investigations Report, phishing drives 90% of all cybersecurity breaches.
Verizon’s analysis of 1600 cybersecurity incidents and 800 breaches found that phishing was involved in 90% of successful attacks. Despite years of phishing awareness training, employees are still getting fooled. Verizon even included a section in this year’s Data Breach Investigations Report (DBIR) called “Attack the Humans.” Why? Humans are your weakest link. You can create a new rule to block an automated web application server attack, but you can’t eliminate human nature.
Verizon found that every industry was highly susceptible to these attacks. When you consider that you only need one employee to be fooled by one email of the many they may receive in a single year, the percentages add up to that 60%+ likelihood of a company becoming a victim annually.
Verizon also evaluated phishing success rates in a controlled study. To do this, Verizon gathered a base of three million users across 2,280 organizations. They then ran 14,000 campaigns. The results were “7.3% of users across multiple data contributors were successfully phished — about 15% of all unique users who fell victim once, also took the bait a second time.”
These simulated phishing attacks were generic and not targeted. However, the more tailored, spear phishing attacks have a success rate about nine times higher. While the data compiled by Verizon suggests 219,000 people out of three million employees fell for a generic phishing scam, you could expect that number to rise to 1.8 million for spear phishing. Verizon calls these more sophisticated social engineering attacks pretexting and says these attacks are, “almost always targeted in nature (and hence over half of the marks were from the finance department), which means actors are doing their research to identify the right employee, and invent a believable story.”
Most phishing sites are live and active for only a few hours. After that, hackers typically register new counterfeit domains, or user accounts on websites such as GitHub. This allows them to evade detection and maintain an ongoing campaign without being detected and blocked.
According to a study by Google and the University of Florida, URLs used in targeted phishing scams like the one carried out on Twitter in 2020, only need to be active for 7 minutes for criminals to achieve their objective. URLs used in bulk phishing campaigns only require 13 hours to do most harm, the study found.
Network operator Orange Poland also found that 80% of mobile customers open phishing links inside SMS messages within the first 15 minutes, while only 10% wait until the following day, which demonstrates that waiting to validate and classify new dangerous URIs is no longer reliable or effective.
In Internet security, a blocklist is a basic access control mechanism that allows through all URIs that link to digital assets, except those explicitly classified as dangerous.
The reliance on blocklists for Internet security hasn’t changed since phishing was first detected on the AOL network in the 1990s. Today’s security systems are reactionary — they’re designed to detect and prevent an attack via URIs that are classified as dangerous. This means a new dangerous URI must be discovered, reported, investigated, validated and added to a blocklist before protection can be initiated. When a security system offers “real time” protection, it’s referring to the time it takes to update its blocklist once a new threat has been validated. While the blocklist may be updated in milliseconds, it takes 2 to 3 days on average to investigate and validate new threats.
It sometimes takes weeks, even months, for new dangerous URIs to be classified. The data paints a bleak picture — it is mathematically impossible for any security system in the world to detect and block every known dangerous URI before harm has been done. The traditional cybersecurity model of chasing after “known threats” with blocklists continues to play an important role, but it is no longer effective or reliable enough to thwart the rise in phishing-related cybercrime.
Most cybersecurity companies don’t curate their own blocklists — they license them from security vendors such as PhishTank (Cisco), Google, Microsoft, Akamai and Symantec, who specialize in URI classification for new threats.
According to Patrick Gelsinger, the CEO of VMware, during his RSA keynote in 2019:
“The security industry’s obsession with the threat model is broken. The ‘Known-Good’ is the way forward”.
2FA, Computer Vision and AI
The reverse-proxy phishing technique makes life impossible for security companies that rely on computer vision, AI or virtual browser software. Created by Piotr Duszyński, Modlishka is a reverse-proxy tool that sits between a user and a legitimate website — like SharePoint, Dropbox, Gmail or Salesforce. It’s a pen testing tool that demonstrates how a threat actor can automate phishing attacks with an ease never seen before and can even compromise accounts protected by two-factor authentication (2FA).
Typical phishing scams involve a phishing URL and a counterfeit website. A Modlishka-based phishing scam is different and much worse. Instead of being brought to a fake website, the victim receives authentic content from the legitimate website. The reverse-proxy silently redirects all traffic and everything the user types into the legitimate site to the Modlishka server.
Credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse-proxy also asks users for 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims’ accounts.
Web Authentication (WebAuthn) / FIDO
WebAuthn is a web standard published by the W3C. Yubico along with Microsoft and Google are leading contributors. WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.
FIDO is resistant to phishing because you must register the authenticator with each application that you want to have use it. For subsequent authentications, the domain that was registered with the authenticator is checked against the domain that the authentication request is coming from. If that domain does not match the registered domain then the authentication request will fail. This should alert users to the possibility they are being phished.
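The domain check described above, sketched as the server-side part of a WebAuthn assertion check. This is an added example, not code from the page or from any FIDO library; the origin, RP ID and sample assertion data are constructed, and signature verification is assumed to happen separately.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed relying-party values for this example.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "example.com"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def binding_problems(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> list:
    """Return the reasons an assertion fails the origin-binding checks.

    An empty list means the checks pass. The signature over
    authenticator_data || SHA-256(client_data_json) is assumed to be
    verified elsewhere; it is what makes these fields tamper-evident.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not an object"]

    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    # The challenge ties the assertion to this login attempt.
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")

    # Authenticator data: 32-byte rpIdHash, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        problems.append("authenticator data too short")
        return problems
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode("ascii")).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # UP: user presence
        problems.append("user presence flag not set")
    return problems


def sample_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser on `origin` would produce it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode("utf-8")


def sample_authenticator_data(rp_id: str, flags: int = 0x01,
                              counter: int = 1) -> bytes:
    """Constructed authenticator data scoped to `rp_id`."""
    return hashlib.sha256(rp_id.encode("ascii")).digest() + \
        struct.pack(">BI", flags, counter)


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    cases = {
        "registered domain": ("https://login.example.com", "example.com"),
        "lookalike domain": ("https://login.examp1e.test", "examp1e.test"),
    }
    for label, (origin, rp_id) in cases.items():
        result = binding_problems(sample_client_data(origin, challenge),
                                  sample_authenticator_data(rp_id), challenge)
        print(label, "->", result or "binding OK")
```
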
It’s worth noting that support for hardware-based authentication is considered a premium feature for many services; for example, if you use the password managers LastPass, Dashlane, or 1Password, you must upgrade to a Business, Premium, or Enterprise plan to enable a security key as a second factor. And, very few banks or financial institutions outside the cryptocurrency world support hardware-based 2FA. Moreover, hardware devices like YubiKey are only supported by a few hundred websites and services.
While hardware devices provide strong anti-phishing protection across a few hundred websites and services, end-users are exposed to targeted phishing attacks that impersonate an unsupported website. For an organization to be considered safe, it must stop employees from accessing over 95% of the Internet.
In summary, WebAuthn-based solutions are unlikely to protect organizations from a persistent targeted phishing attack.
Browser-based security (Extended Validation)
As you can see from the screenshot below, the domain name on the left is preceded by the company name in green. In this example, “Dropbox Inc, (US)” indicates that Dropbox had its identity verified by an independent trusted third-party called a Certificate Authority (CA). When a user clicks on the name, they would see that DigiCert was responsible for verifying their identity.
The idea was to provide online identity protection for brands while making it easy for end-users to tell the difference between the legitimate Dropbox website and a deceptive counterfeit.
During the verification of an EV SSL Certificate, the owner of the website passes a thorough identity verification process (a set of vetting principles and policies ratified by the CA/Browser forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate.
Most people were confused between these two visual indicators because the browser UI and UX weren’t intuitive. The basic padlock is designed to tell users when their connection to a website is encrypted. A padlock doesn’t represent anything related to trust or identity.
In 2019, however, Google, Mozilla, Opera and Brave removed the visual indicator for website identity from their browser UI. Today, when a user opens a link, the browser padlock is the first thing they look for. It’s a well-known fact that most people rely on the padlock for trust-related information. A padlock means a given website uses a Domain Validation (DV) certificate to encrypt the transmission of data between the user and a website. It doesn’t mean the website owner is who they say they are.
Every Certificate Authority issues DV certificates. Most CAs charge for them. But today, some automatically issue DV certificates for free — they want to see the entire web encrypted. It is clear from the data that cybercriminals favor free and easy-to-acquire DV certificates when building counterfeit websites for the purpose of attacking organizations, government agencies and consumers.
According to Let’s Encrypt, the automatic issuance of DV certificates for free plays a vital role in scaling the creation of a more privacy-respecting web through widespread encryption. But it also means it’s cheap, fast and easy for cybercriminals to launch their attacks on a mass scale.
Organizations around the world continue to pay Certificate Authorities for EV certs even though consumers no longer see a visual indicator inside their browser UI. You can click the padlock icon to gain access to the certificate information, to see if it was verified by a trusted third-party, but this rarely happens, if ever.
In 2017, Let’s Encrypt issued more than 15,000 DV certificates for domains that contained the term “PayPal”.
Zero Trust is a security model based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. But, it does not protect those applications and users from advanced threats on the Internet because aside from MetaCert, no other company is verifying Internet addresses at scale.
The zero trust model was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. It has become more and more important for modern day digital transformation and its impact on business network security architecture.
According to Gartner, 80% of organizations are committed to implementing a zero trust security model by 2022.
We believe the entire zero trust philosophy is weakened because everything is assumed to be dangerous unless verified — everything except for URIs. Zero trust is weakened if an authenticated user can open a dangerous link inside an authorized browser or application.
We believe the problem can be distilled into three main issues:
- Trying to protect people with the traditional threat model is no longer reliable or effective
- Zero trust strategies are weakened when users are allowed to have access to the Internet
- Users are not adequately capable of detecting and avoiding security threats
The Proposed Solution
In summary, we believe Internet security needs to be reinvented. Instead of trying to protect people from known danger on the Internet, we should tell them to ‘assume every URI is dangerous unless verified’.
How we got here
Over the years, MetaCert has researched and developed one of the world’s most advanced crawlers and threat intelligence systems for categorizing URIs. Using our proprietary technology, innovative approach and help from thousands of people in our community, we have built one of the biggest sources of trust and reputation information about URIs in the world.
After eradicating the phishing epidemic on Slack for the cryptocurrency world during the second half of 2017, we learned that it was technically impossible to protect traders and investors from every new phishing scam before at least one person or organization became a victim. Even when new threats were classified and blocked within a few minutes, there were always victims. Why? Because it required a victim to report their case before anyone could know about the counterfeit URI or service. MetaCert didn’t eradicate the threat of an attack, but we did make it cost prohibitive for threat actors to continue their attacks inside Slack, so they moved their attacks to other platforms such as Telegram and Twitter, where there was, and still is, less protection.
The social experiment
With the shift to remote work and the aggressive adoption of team collaboration software and cloud-based services, most users spend more time inside their browser than any other program. Whether you use email, social media, messaging, cloud-based services, or team collaboration software, your browser is the one program they all have in common — every link you click, opens inside your default browser. Browser software can either be the entry point for all danger, or it can be the firewall that keeps everyone safe.
In December 2017 we decided to try a social experiment. The goal was to see if we could make it extremely easy for people to tell the difference between what’s safe and what’s not. We built a browser extension for Chrome, Firefox, Opera and Brave. We asked users to completely ignore the browser padlock and instead, rely on MetaCert’s shield, which we added to their browser toolbar.
End-users were instructed to assume every login page, app, bot, checkout page, social media account and website was dangerous, unless the MetaCert shield turned green. We didn’t know it at the time, but we later learned that this approach could be best described as “Zero Trust” security.
MetaCert’s Zero Trust approach for Internet addresses is resistant to phishing because MetaCert has registered each digital asset that you might want to use. For subsequent authentications, the URI that was registered with MetaCert is checked against the URI that the authentication request is coming from. If that URI does not match the registered URI then the authentication request will fail and the shield will not turn green. This should alert users to the possibility they are being phished. This is not technically anti-phishing awareness training, but it is a form of safety related training that works.
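The blocklist model described earlier and the registry check described above, side by side: a default-allow blocklist lookup next to a default-deny lookup in a registry of verified hosts. This is an added example, not MetaCert's code or API; the hostnames, the list contents and the exact-host matching rule are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample data for this example.
BLOCKLIST = {"paypa1-login.test"}          # threats already reported
REGISTRY = {                               # host -> classification
    "www.dropbox.com": "verified",
    "paypa1-login.test": "phishing",
}


def canonical_host(uri: str) -> Optional[str]:
    """Return the lower-case ASCII host of an http(s) URI, or None.

    Both lists are keyed on this form, so case, a trailing dot or a
    non-ASCII label cannot make one host look like two different ones.
    """
    try:
        parts = urlsplit(uri.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    host = host.rstrip(".")
    if not host:
        return None
    try:
        # Internationalized names are compared in their punycode form.
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def blocklist_decision(uri: str) -> str:
    """Default-allow: everything passes unless already classified."""
    return "block" if canonical_host(uri) in BLOCKLIST else "allow"


def zero_trust_decision(uri: str) -> str:
    """Default-deny: only a verified host turns the shield green."""
    host = canonical_host(uri)
    status = REGISTRY.get(host) if host else None
    if status == "verified":
        return "green"
    if status == "phishing":
        return "block"
    return "unverified"


# Constructed sample URIs.
SAMPLE_URIS = [
    "https://www.dropbox.com/login",            # registered, verified
    "https://WWW.Dropbox.COM./login",           # same host, other spelling
    "https://paypa1-login.test/signin",         # already reported
    "https://dropbox-files-share.test/login",   # new, not yet reported
    "https://www.dropb\u00f3x.com/",            # non-ASCII label
]


def compare(uris):
    """Return (uri, blocklist decision, zero-trust decision) per URI."""
    return [(u, blocklist_decision(u), zero_trust_decision(u)) for u in uris]


if __name__ == "__main__":
    for uri, legacy, zero_trust in compare(SAMPLE_URIS):
        print(f"{legacy:6} {zero_trust:11} {uri}")
```

The fourth and fifth sample URIs are the case the page is concerned with: nobody has reported them yet, so the blocklist lets them through, while the registry lookup leaves the shield off.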
With 85,000 active crypto traders and investors as power users, who incidentally, are amongst the most widely targeted people on the Internet for phishing-related fraud, not a single person fell for a dangerous link over a 12 month period. Our experiment seemed to work. But we wanted to dive into the numbers to see if the utility was realized and to see if the new concept had achieved product/market fit.
The solution was so well received that end-users took to Twitter, requesting website owners to seek verification before they would log into their website. Some website owners sought verification before being prompted by their users. We took great pride from the fact that even companies like MetaMask, who had their own anti-phishing security built into their browser add-on, sought the verification of their domain names from MetaCert. When MyEtherWallet realized their DNS was compromised, MetaCert was the first to be informed. This allowed us to quickly change the classification from “Verified” to “Phishing”, preventing users from losing all of their crypto.
Deep dive into the data
We followed Sean Ellis’ methodology to find out if we had product/market fit with the new zero trust model for Internet access. Ellis was the head of marketing at LogMeIn and Uproar from launch to IPO. He was the first marketer at Dropbox, Lookout and Xobni, and he coined the term “growth hacker” in 2010. Our goal was to conduct a survey to get feedback from people who had recently experienced “real usage” of the product. The key question to ask according to Ellis, is:
“How would you feel if you could no longer rely on MetaCert’s green shield?”
- Very disappointed
- Somewhat disappointed
- Not disappointed
- N/A I no longer use MetaCert
According to Ellis, to get an indication of product/market fit, you need to know the percentage of people who would be “very disappointed” if they could no longer use your product. In his experience, it becomes possible to sustainably grow a product when it reaches around 40% of users who try it that would be “very disappointed” if they could no longer use it.
For this percentage to be meaningful, we needed to have a fairly large sample size. In Ellis’ experience, a minimum of 30 responses is needed before the survey becomes directionally useful. At 100+ responses he is much more confident in the results.
When releasing an update for a browser extension to end-users, you submit it to the browser store — the store automatically updates every user to the latest version, silently in the background. We took advantage of the silent update capability. 85,000 users were prompted with a banner at the top of their browser. There was no way for them to stop it from appearing. And they were unable to close the banner until they clicked on one of the answers to Ellis’ question. We asked “How disappointed would you be if you could no longer rely on the Green Shield?”. Given that some users would have been upset by this interruption with our forced question, we didn’t know what to expect. We did see a small spike in the number of uninstalls that day, so we did pay a small price for this research.
Of the 85,000 people who answered this single question, 63% said they would be very disappointed if they could no longer rely on the Green Shield. Over 5,000 users went on to complete the survey with 20 questions.
As of April 2021, not a single person has fallen for a dangerous URI or counterfeit digital asset when protected by MetaCert’s unique zero trust model.
We concluded from the data that people can learn to rely on a zero trust strategy for URI and web-based authentication.
Today, MetaCert verifies billions of URIs across mainstream domains and sub-domains — including automatically classifying highly regulated ccTLDs and gTLDs like .GOV and .BANK.
The future is open source decision making
MetaCert is building a query and response protocol that stores open sourced and community verified information on resources such as domain names, IP addresses, social media accounts, bots, applications, crypto wallet addresses or autonomous system identities. The Protocol stores and delivers content in a human and machine readable format. The information stored in the registry can be used by anyone to build products or services to address phishing-led issues such as brand protection, data leakage, identity theft, online fraud, malware and ransomware.
Using the blockchain, it is now possible to create new open systems that curate data sets through smart contract rewards, incentivize good behavior and mitigate the risk of bad behavior using fairly applied counter-measures and punishments. Once structured and populated on the main blockchain or its side chains, this curated registry becomes immediately eligible for global distribution on a mass scale.
The Protocol is a special case of this incentivized curation and distribution network, extolling security, openness, and transparency across the entirety of its operations. The Protocol will contain the world’s foremost high-quality information and determinations on URI reputation and it cannot be edited without an audit trail for all to see.
With the Protocol, the trust and reputation of the Internet is placed back into the hands of everyday people. It will be enabled through a system of checks and balances to ensure high quality participation and authentic behavior that is incentivized by a Tokenized economy.
🖌 Please feel free to respond with questions or comments about anything you read in our White Paper or Technical Paper directly within Medium, and be sure to engage with other members of the community who also have questions or comments.
🔐 MetaCert Protocol is based on established enterprise-grade technology that powers live products. These products protect hundreds of thousands of people on the Internet today, but this is just the start. We need the community to help us iterate this work. Together we can help make the Internet a safer place for everyone.
☞ Try the browser-based security. https://metacert.com
☞ Join our Telegram channel where you can engage with the core team and the community. https://t.me/metacert