Sometimes the internet creates strange bedfellows.
In 1982, an Economist at Clemson University named Bruce Yandle concocted an economic theory that he articulated using the old tale of the Baptists and the Bootleggers.
As the anecdote goes, both the Baptists and the Bootleggers agreed that the bars and liquor stores should be closed on Sunday. The Baptists were teetotalers and wanted them closed to get a break from the demon drink. The bootleggers wanted them closed so they could sell their wares.
The outcome, says Yandle, is “durable regulation that will stick around as long as the Baptists and the Bootleggers have a common objective.”
Keep that theory in mind because it’s never been more applicable to the SSL industry than in the current debate over Browser UI and how it displays for DV SSL certificates.
That occurred to me this morning, following this interaction:
I want to abolish security indicators, you want to sell them. That we “agree” on abolishing DV indicators is more a coincidence than any kind of agreement on the issue.
— hanno (@hanno) December 6, 2017
Granted, I don’t think the Certificate Authorities and resellers that are “trying to sell” SSL certificates are as nefarious as bootleggers. But certainly, some in the industry do seem to feel that way.
Regardless, I think by this point we can all agree the Secure DV SSL indicator needs to go. It’s creating more problems than its solving. And while discussions of a uniform UI and EV treatment remain, there seems to be a consensus on DV.
There are two main factors behind why the DV UI is failing. The first is the rapid proliferation of DV SSL certificates. The second is Google’s change to its UI itself.
Starting at the beginning of the year, Google began marking websites with DV or OV SSL certificates “Secure,” and it is slowly beginning to mark HTTP sites “Not Secure.” Though Google tested for different UIs, the one it ultimately decided on was the “Secure”/”Not Secure” binary. As pretty much everyone throughout the industry knows, users don’t have much of an idea what the old visual indicators meant and this was an attempt to simplify things for them.
Unfortunately, it went the other way. People mistook “Secure” for safe and acted accordingly.
Phishing is now at an all time high. According to one threat report, phishing is up 74% in Q3 2017. There are 1.4 million new phishing sites created each month, on average. And according to a PhishLab report issued yesterday, a quarter of all phishing is now done via HTTPS.
It’s being done using DV certs, too. Here’s a look at the last 30 days, 99.5% of the HTTPS phishing sites sampled were DV.
And that makes a lot of sense. It’s easy to get a DV SSL certificate nowadays. There are free CAs, DV certs come bundled as part of hosting packages now and there are even programs with commercial CAs where you can get a DV SSL certificate without paying a cent.
We think this is great. The problem is: if Domain Validated SSL is the new default, why is it getting such a strong indicator?
Now, from all of thus data, there’s no way you could prove a causal link between Google’s UI and this decided uptick in HTTPS phishing. But there is DEFINITELY a correlation. Keep in mind, the chart below is from last Spring, that line would be at the top of the graph now.
My understanding of Google’s ultimate plan was that it wants to eliminate the Secure DV SSL indicator once enough of the internet has migrated to HTTPS. And that probably seemed like the ideal way to do it at the time.
Things have changed. The current UI makes phishing websites with SSL certificates – which is now about one in four sites – more effective.
The Secure DV SSL indicator needs to go.
When even the Baptists and the Bootleggers can agree on that—you know it’s time.