In collaboration with several other certificate authorities, DigiCert has proposed 4 enhancements to the EV SSL validation processes
On the Internet, nobody knows you're a dog.
Cartoonist Peter Steiner penned those words in a cartoon strip all the way back in 1993. The cartoon was funny and made a lot of people laugh, but it was highlighting a serious issue that was just developing back then: how easy it was to trick people via the anonymity of the internet. Unfortunately, Peter nailed it! Today, that problem is even bigger than anyone, even Peter, could have imagined: 1 in 25 branded emails is actually a phishing email.
So, why is online identity so important? How will DigiCert's proposal help consumers?
Let's hash it out.
The internet is flooded with unknown actors, and a lot of times they're up to nefarious activities: phishing, bullying, catfishing, scamming, preying on children, swatting, and more. That's why most internet users tend to be suspicious of interactions with people, websites, and companies they don't know. Typically, we want to know the real-world identity of the individuals and companies we interact with online.
What would you think if you went to your local shopping center and saw a shop with no business name, like this?
You'd be intrigued, but you probably wouldn't trust that company. You'd certainly have some questions! Customers don't trust anonymity; they want to know who they're doing business with.
The same thing is true online: customers want to know who they're buying from. At your local mall, it's pretty easy to tell who you're buying from; there's a physical store with signage and staff right in front of you. Online, though, identity can be slippery. As Steiner pointed out, you can be a dog, a scammer, or a predator and nobody will know until it's too late.
In an environment saturated with anonymous trouble-makers, EV SSL is a great tool consumers can use to confidently see who runs a website, helping them decide whether to trust the website owner or not. That's why we strongly support making EV SSL as strong and usable as possible; people want and need what it can provide. And that's why we're excited to see DigiCert leading the charge to update and enhance EV SSL.
DigiCert is proposing four specific ways to update and enhance the CA/B Forum standards for EV SSL certificates. These enhancements will make EV SSL stronger and address some weaknesses pointed out by security researchers. Let's go through each of them and see how they'll help improve online identity for all:
A CAA record is a DNS entry that lets website managers restrict which CAs may issue certificates for their domain. It's a great tool for fighting shadow IT certificates, ensuring that an organization's certificates are centrally managed and authorized.
But currently, CAA records can only specify certificate authorities. DigiCert is proposing expanding CAA records so domain admins can control or restrict the validation level of certificates that can be issued for their domain. For example, a website admin could restrict their domain so that only EV SSL certificates from a certain CA may be issued.
Why This Is Beneficial:
Let's look at a hypothetical scenario. Let's say example.com hires a freelance web designer to update their blog with a fresh, new design for 2020. That designer isn't authorized to issue SSL certificates for the domain. But let's say the website designer installs a WordPress file editor plugin, so they can complete domain control validation and get an SSL certificate issued. Example.com now has an SSL certificate issued by an unauthorized party; they don't control the certificate or the private key, which is a significant security issue. What happens when the certificate expires?
If example.com had implemented a CAA record that restricted the domain to EV certificates from DigiCert CA only, the web designer wouldn't have been able to get that certificate issued, because any attempt to get a certificate type not identified in the CAA record would fail.
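The check a CA would run against such a record, as an added example rather than DigiCert's or the CA/B Forum's code. The `validationlevel` parameter name and syntax, the zone data and the CA names are assumptions made here to model the proposal; the tree-climbing lookup, the issuer-critical flag and the `issue ";"` rule are the standard CAA semantics from RFC 8659.

```python
"""CAA issuance check (added example): RFC 8659 issue/issuewild semantics plus a
hypothetical 'validationlevel' parameter modelling the proposed extension."""
from typing import Dict, List, Tuple

ISSUER_CRITICAL = 128                       # RFC 8659 flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
Record = Tuple[int, str, str]               # (flags, tag, value)

def parse_caa(presentation: str) -> Record:
    """Presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = presentation.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_records(zone: Dict[str, List[str]], name: str) -> List[Record]:
    """RFC 8659 section 3: the closest name (itself or an ancestor) that has
    any CAA records sets the policy. 'zone' is a constructed stand-in for DNS."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []

def split_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'digicert.com; validationlevel=ev' -> ('digicert.com', {...})."""
    head, *rest = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return head.lower(), {k.strip().lower(): v.strip().lower() for k, v in params.items()}

def issuance_allowed(zone, name, ca_domain, level, wildcard=False) -> bool:
    """May the CA 'ca_domain' issue a 'dv'/'ov'/'ev' certificate for 'name'?"""
    records = relevant_records(zone, name)
    if not records:
        return True                                   # no CAA: unrestricted
    # An unknown tag carrying the issuer-critical flag forbids issuance.
    if any(f & ISSUER_CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    wild = wildcard and any(t == "issuewild" for _, t, _ in records)
    applicable = [v for _, t, v in records if t == ("issuewild" if wild else "issue")]
    if not applicable:
        return True                                   # e.g. only iodef present
    for value in applicable:
        issuer, params = split_issue_value(value)
        if issuer != ca_domain.lower():
            continue                                  # issue ";" matches nobody
        levels = params.get("validationlevel")        # hypothetical parameter
        if levels is None or level.lower() in levels.split(","):
            return True
    return False

# Constructed records for the page's scenario: example.com pins EV-only
# issuance to DigiCert, and blog.example.com inherits that policy.
ZONE = {
    "example.com": ['0 issue "digicert.com; validationlevel=ev"'],
    "locked.example": ['0 issue ";"'],
}
```

With these records the web designer's DV request for blog.example.com is refused whichever CA it goes to, while an EV request to DigiCert passes.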
If you've got a feeling of déjà vu right now, it might be because we mentioned this idea back in October 2019. TL;DR:
LEIs are Legal Entity Identifiers; they were created in the aftermath of the financial crisis that occurred a decade ago. They are numerical codes recognized by 150 different countries. The entire system is overseen by a Swiss non-profit called GLEIF. An LEI can help prevent collisions and confusion. Now, I can already hear the objections percolating that, like confusing organizational names, people won't know what to do with an LEI number. But there are several workarounds for that. For one, the browser could just use the LEI code and generate the associated information. Granted, that might require an additional call, which may be anathema to browsers, but it's an option. You could also make it easy to click on the LEI number and follow it to a database with the information. This would require the user to take an action, but some might find it useful. But more than anything, it could send up a red flag when an eCommerce website or some other organization that transacts in valuable data DOESN'T have an LEI.
Why This Is Beneficial:
Adding LEIs to EV SSL certificates offers two key benefits:
If you look up a company in the LEI database, you'll get a report with a lot of details about the organization. Starting with basic info:
And even including information about subsidiaries and parent companies:
In the end, this info is ripe for being used as another data point to solve any corporate identity assurance use case. Like EV SSL, the infrastructure is already in place, so why not use it (or at least consider it) for resolving such an apparent problem?
Under the current EV guidelines, each certificate authority decides what data sources they will use for validation of organization details in EV SSL certificates. (Keeping in mind that they're validating organizations across hundreds of countries, there can be a lot of variation in the quality of data sources being used from country to country.) DigiCert is proposing that the CA/B Forum specify a standardized list of acceptable data sources to use in the EV validation process.
Why This Is Beneficial:
Using standardized data sources will offer several benefits:
Since EV SSL certificates are all about showing customers the verified identity of the organizations they're interacting with, trademarks are a logical add-on. As DigiCert's Dean Coclin explains:
Trademarks are well known, understood, unique and can be validated. Consumers recognize them and so if a browser wanted to include the trademark in their UI, they could do so with confidence that it had been properly validated. If they don't, that's fine, but it would be in the cert for any relying party to examine.
Why This Is Beneficial:
Trademarks are another way for consumers to be sure they're interacting with the company they think they are. For example, Windex is a trademark owned by the SC Johnson company. But many consumers probably don't know the Windex brand is actually owned by SC Johnson. Under the current EV guidelines, the certificate can only say SC Johnson. However, if their EV SSL certificate displayed the Windex trademark, that might help a consumer be more confident that they're on the official and intended website.
Ultimately, for EV SSL certificates to reach their full potential in helping users, the browsers need to research, identify and introduce a more effective interface for displaying identity information to users. (Incidentally, the browsers' identity interface wouldn't have to be limited to data from EV; it could contain data from other verified sources to provide consumers all the data they need to make an informed decision.)
Since Chrome and Firefox removed the old green address bar due to concerns that it wasn't effective, the onus is on the browsers to develop a new UI that helps users understand who is running the websites they're interacting with. In my opinion, removing EV without replacing it with a viable alternative did the world a huge disservice. EV may not have helped 100% of internet users, but it certainly helped more than 0%. It wasn't perfect, but it was all the internet had. It's like saying, since automobile accidents still happen at intersections, get rid of all traffic lights until we think of something better. For some reason, logic just seemed to go out the window on this one.
It doesn't seem like too big of an ask for the browser community to seriously come together and help create a universal display that will help consumers with the identity of websites that they interact with. I think if browsers put their users' interests first, the answer will come very easily.
I took 15 minutes with my team and came up with a half-baked idea that seems to make quick sense. One of the big things that the EV naysayers harped on was that the green address bar needed education to understand what it actually meant. They believed that it should require no training or education and that it should just be immediately understood. Well, in minute three of our discussion, we realized that all of the social media channels over the past decade have already educated the world on this exact problem. The social media ecosystem recognized issues with identity and addressed it head-on years ago by introducing the verified account status symbol. A verified account status is reserved for high-profile accounts of companies, brands or individuals that are especially vulnerable to impersonation.
For obvious reasons, fake accounts that are used to impersonate a popular user on a social media platform could easily cause irreparable brand damage to both the real account holder and the platform's business model. That's specifically why the verified account status and symbol exist. Well, since the social media channels have already done the educating and have fully conditioned users at scale to look for verified account symbols when consuming content, why not adopt that developed behavior to work in browser environments? It can quickly be used to address online identity on a wider scale than just social media. Seems like the logical next step. Does it somehow go against browser business models?
Below is what we came up with over a cup of coffee. For DV SSL, since the lock doesn't mean what it used to, simply hide it. Then let's introduce two, or maybe just one, verified website symbol. I'd bet that if you did a study, users would immediately understand what this means. Without education. With conviction.
Mousing over the verified icon could display a tooltip showing more specifics on what the icon means.
If you click on it, something like this could display. It's very similar to what used to be displayed, but with a few tweaks.
Just to reiterate, this idea would be after the EV guidelines have been enhanced. I'm sure there are more things worth consideration, but this took us 15 minutes in an informal meeting setting. I wonder what a group of browser security experts and security researchers could come up with if they tried to solve online identity head-on for the sake of Internet users. At the least, it's worthy of a real discussion where all parties come together to really solve a larger issue for the greater good of society. Not just go through the motions.
On the Internet, nobody knows you're a legit website. DigiCert is trying to do something about it. Browsers, you're up.
This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store, authored by Bill Grueninger. Read the original post at: https://www.thesslstore.com/blog/digicert-leads-initiative-to-enhance-ev-ssl-certificates/
DigiCert Leads Initiative to Enhance EV SSL Certificates - Security Boulevard