DigiCert Leads Initiative to Enhance EV SSL Certificates – Security Boulevard

In collaboration with several other certificate authorities, DigiCert has proposed 4 enhancements to the EV SSL validation processes

On the Internet, nobody knows youre a dog.

Cartoonist Peter Steiner penned those words in a cartoon strip all the way back in 1993. The cartoon was funny and made a lot of people laugh, but it was highlighting a serious issue that was just developing back thenhow easy it was to trick people via the anonymity of the internet. Unfortunately, Peter nailed it! Today, that problem is even bigger than anyone even Peter could have imagined1 in 25 branded emails is actually a phishing email.

So, why is online identity so important? How will DigiCertsproposal help consumers?

Lets hash it out.

The internet is flooded with unknown actors, and a lot oftimes theyre up to nefarious activitiesphishing, bullying, catfishing, scamming,preying on children, swatting, and more. Thats why most internet users tend tobe suspicious of interactions with people, websites, and companies they dontknowtypically, we want to know the real-world identity of the individuals andcompanies we interact with online.

What would you think if you went to your local shoppingcenter and saw a shop with no business name, like this?

Youd be intrigued but you probably wouldnt trust that company. Youd certainly have some questions! Customers dont trust anonymity they want to know who theyre doing business with.

The same thing is true online customers want to know who theyre buying from. At your local mall, its pretty easy to tell who youre buying from theres a physical store with signage and staff right in front of you. Online, though, identity can be slippery. As Steiner pointed out, you can be a dog, a scammer, or a predator and nobody will know until its too late.

In an environment saturated with anonymous trouble-makers, EV SSL is a great tool consumers can use to confidently see who runs a website, helping them decide whether to trust the website owner or not. Thats why we strongly support making EV SSL as strong and usable as possible people want/need what it can provide. And thats why were excited to see DigiCert leading the charge to update and enhance EV SSL.

DigiCert is proposing four specific ways to update and enhance the CA/B Forum standards for EV SSL certificates. These enhancements will make EV SSL stronger and satisfy some weaknesses pointed out by security researchers. Lets go through each of them, and see how theyll help improve online identity for all:

A CAA record is a DNS entry that lets website managers restrict which CAs may issue certificates for their domain. Its a great tool for fighting shadow IT certificates ensuring that an organizations certificates are centrally managed and authorized.

But currently CAA records can only specify certificateauthorities. DigiCert is proposing expanding CAA records so domain admins can controlor restrict the validation level of certificates that can be issued for theirdomain. For example, a website admin could restrict their domain to only issue EVSSL certificates from a certain CA.

Why This Is Beneficial:

Lets look at a hypothetical scenario. Lets say example.com hires a freelance web designer to update their blog with a fresh, new design for 2020. That designer isnt authorized to issue SSL certificates for the domain. But lets say the website designer installs a WordPress file editor plugin, so they can complete domain control validation and get an SSL certificate issued. Example.com now has an SSL certificate issued by an unauthorized party they dont control the certificate or the private key, which is a significant security issue. What happens when the certificate expires?

If example.com had implemented a CAA record that restrictedthe domain to EV certificates from DigiCert CA only, the web designer wouldnthave been able to get that certificate issued because any attempt to get acertificate type not identified in the CAA record would fail.

If youve got a feeling of dj vu right now, it might be because we mentioned this idea back in October 2019. TL;DR:

LEIs are Legal Entity Identifiers, they were created in the aftermath of the financial crisis that occurred a decade ago. They are numerical codes recognized by 150 different countries. The entire system is overseen by a Swiss non-profit called GLEIF. An LEI can help prevent collisions and confusion. Now, I can already hear the objections percolating, that, like confusing organizational names, people wont know what to do with an LEI number. But there are several workarounds for that. For one, the browser could just use the LEI code and generate the associated information. Granted that might require an additional call, which may be anathema to browsers but its an option. You could also make it easy to click on the LEI number and follow it to a database with the information. This would require the user to take an action, but some might find it useful. But more than anything, it could send up a red flag when an eCommerce website or some other organization that transacts in valuable data DOESNT have an LEI.

Why This Is Beneficial:

Adding LEIs to EV SSL certificates offers two key benefits:

If you look up a company in the LEI database, youll get areport with a lot of details about the organization. Starting with basic info:

And even including information about subsidiaries and parentcompanies:

In the end, this info is ripe for being used as another datapoint to solve any corporate identity assurance use case. Like EV SSL, theinfrastructure is already in place, why not use it (or at least consider it) forresolving such an apparent problem?

Under the current EV guidelines, each certificate authority decides what data sources they will use for validation of organization details in EV SSL certificates. (Keeping in mind that theyre validating organizations across hundreds of countries, there can be a lot of variation in the quality of data sources being used from country to county.) DigiCert is proposing that the CA/B forum specify a standardized list of acceptable data sources to use in the EV validation process.

Why This Is Beneficial:

Using standardized data sources will offer several benefits:

Since EV SSL certificates are all about showing customersthe verified identity of the organizations theyre interacting with, trademarksare a logical add-on. As DigiCerts Dean Coclin explains:

Trademarks are well known, understood, unique and can be validated. Consumers recognize them and so if a browser wanted to include the trademark in their UI, they could do so with confidence that it had been properly validated. If they dont, thats fine, but it would be in the cert for any relying party to examine.

Why This Is Beneficial:

Trademarks are another way for consumers to be sure theyre interacting with the company they think they are. For example, Windex is a trademark owned by the SC Johnson company. But many consumers probably dont know the Windex brand is actually owned by SC Johnson. The current EV guidelines state that it can only say SC Johnson. However, if their EV SSL certificate displayed the Windex trademark, that might help a consumer be more confident that theyre on the official and intended website.

Manage Digital Certificates like a Boss

14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.

Ultimately, for EV SSL certificates to reach their fullpotential in helping users, the browsers need to research, identify andintroduce a more effective interface for displaying identity information tousers. (Incidentally, the browsers identity interface wouldnt have to belimited to data from EVit could contain data from other verified sources toprovide consumers all the data they need to make an informed decision.)

Since Chrome and Firefox removed the old green address bardue to concerns that it wasnt effective, the onus is on the browsers todevelop a new UI that helps users understand who is running the websitestheyre interacting with. In my opinion, removing EV without replacing it witha viable alternative did the world a huge disservice. EV may not have helped 100%of internet users, but it certainly helped more than 0%. It wasnt perfect, butit was all the internet had. Its like saying, since automobile accidents stillhappen at intersections, get rid of all traffic lights until we think ofsomething better. For some reason, logic just seemed to go out the window onthis one.

It doesnt seem like too big of an ask for the browsercommunity to seriously come together and help create a universal display thatwill help consumers with the identity of websites that they interact with. Ithink if browsers put their users interests first, the answer will come veryeasily.

I took 15 minutes with my team and came up with a half-bakedidea that seems to make quick sense. One of the big things that the EVnaysayers harped on was that the green address bar needed education tounderstand what it actually meant. They believed that it should require notraining or education and that it should just be immediately understood. Well,in minute three of our discussion, we realized that all of the social media channelsover the past decade have already educated the world on this exact problem. Thesocial media eco-system recognized issues with identity and addressed ithead-on years ago by introducing the verified account status symbol. A verifiedaccount status is reserved for high-profile accounts of companies, brands orindividuals that are especially vulnerable to impersonation.

For obvious reasons, fake accounts that are used toimpersonate a popular user on a social media platform could easily causeirreparable brand damage to both the real account holder and the platformsbusiness model. Thats specifically why the verified account status and symbolexist. Well, since the social media channels have already done the educatingand have fully conditioned users at scale to look for verified account symbolswhen consuming content, why not adopt that developed behavior to work inbrowser environments? It can quickly be used to address online identity on awider scale than just social media. Seems like the logical next step. Does it somehowgo against browser business models?

Below is what we came up with over a cup of coffee. For DVSSL, since the lock doesnt mean what it used to, simply hide it. Then letsintroduce two, or maybe just one, verified website symbol. Id bet that if youdid a study, users would immediately understand what this means. Withouteducation. With conviction.

Mousing over the verified icon could display a tooltipshowing more specifics on what the icon means.

If you click on it, something like this could display. Itsvery similar to what used to be displayed, but with a few tweaks.

Just to reiterate, this idea would be after the EV guidelines have been enhanced. Im sure there are more things worth consideration, but this took us 15 minutes in an informal meeting setting. I wonder what a group of browser security experts and security researchers could come up with if they tried to solve online identity head on for the sake of Internet users. At the least, its worthy of a real discussion where all parties come together to really solve a larger issue for the greater good of society. Not just go through the motions.

On the Internet, nobody knows youre a legit website.DigiCert is trying to do something about it. Browsers, youre up.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Bill Grueninger. Read the original post at: https://www.thesslstore.com/blog/digicert-leads-initiative-to-enhance-ev-ssl-certificates/

Here is the original post:
DigiCert Leads Initiative to Enhance EV SSL Certificates - Security Boulevard

Related Post

Comments are closed.