Online Identity Is Important: Let’s Upgrade Extended Validation

It’s time for the CA/Browser Forum to focus on the other half of its mandate

Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied.

But first, let’s zoom out and talk big picture. The vast majority of website owners almost never think of SSL. They worry about it once every year or so when it needs to be replaced, but it’s not really a major point of consideration. And even when it is, it’s on more of a macro level when managing certificates at scale. Most site owners and organizations don’t care about industry politics or what’s going on at some Forum in the same way that we don’t give a toss about what’s going on at the American Dairy Association. As long as there’s milk on the shelves we just assume everything’s fine.

Right off the bat, we can admit that some of the arguments put forth against EV are valid to some extent. But we also believe that identity is a major component of trust – a component that’s even more critical on the internet. That’s why – in light of the complete lack of alternatives – we think fixing EV is a worthy discussion. We think this proposal is a reasonable way to address most of the major criticisms leveled against EV by its critics.

So, today we’re going to talk about Extended Validation and what can be done to fix it. Then we’ll propose several changes to hopefully kickstart a larger conversation.

Let’s hash it out.

Is Extended Validation fulfilling its purpose?

Let’s start out with a quick overview of what specifically Extended Validation SSL is supposed to be accomplishing. This is the definition as it appears in the CA/Browser Forum’s EV Guidelines:

The primary purposes of an EV Certificate are to:

  • Identify the legal entity that controls a Web site: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and
  • Enable encrypted communications with a Web site: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site.

Ok, so, number two is really just a basic function of any SSL certificate. It doesn’t matter if it’s DV, OV or EV – they all facilitate encrypted connections. It’s the first purpose that we’re really debating when we discuss Extended Validation.

So, let’s break it down like this:

Does EV identify the legal entity behind the website? Yes.

Is the way it presents that information – as well as sometimes even the information itself – confusing? Yes.

And that’s really the biggest point of contention.

Where some CAs are making a mistake – and please excuse our candor here – is focusing on the secondary purposes as they advocate for EV. In case you don’t have your copy of the EV guidelines handy, here’s what the secondary purposes are defined as:

2.1.2. Secondary Purposes

The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to:

  • Make it more difficult to mount phishing and other online identity fraud attacks using Certificates;
  • Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and
  • Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject.

The extent of EV’s relationship with phishing is debatable, but continuing to harp on this distracts from the better part of the argument – that a mechanism for asserting identity is critical for the internet’s trust ecosystem.

That point is a lot harder to contend with, which brings us to…

Criticisms of EV

Generally, criticism of EV falls into one of three categories:

  • EV UI takes up real estate in the browser’s address bar
  • People don’t notice or don’t know to look for EV UI
  • The validation portion of EV is broken and unreliable

And again, each one of those criticisms has some validity. So, we’re going to take an objective look at each one before we lay out our proposal.

EV UI takes up real estate in the browser’s address bar

This is a criticism first leveled by Google during deliberations at the CA/B Forum.

So the whole premise for why there should be *any* UI treatment is predicated on 2.1.2 (2), which clearly spells out that EV is a marketing tool, wrapped in the guise of a security tool. I do not feel you can offer a more charitable read of that section… Literally the entire value proposition of EV reduces to “CAs want to sell billboards in the browser’s security UI”. And the fundamental point is that such UI is security critical – it’s the line of death between trustworthy and untrustworthy content.

What Google’s rep just alluded to is a concept that is fairly sacrosanct to many in the browser community. Eric Lawrence elaborates on it in a blog post:

If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die.

Browser line of death

Everything above the red-dotted line is under the browser’s control, everything below it is untrusted content. That’s not to say that it’s necessarily malicious, just that the browser has no control over it. If one of the primary functions for any browser is to keep its users safe, ceding this much of the window only complicates that objective.

The reason Google is so sensitive about the space that an EV Visual Indicator occupies is because the browsers are already allowing some untrusted data to live above the line of death now, too. Lawrence illustrates this concept by creating zones:

Browser line of death

As Lawrence terms it, an attacker has control over all the zones in red, leaving the browsers very little real estate to try and keep a user anchored and safe. If the browsers are going to continue renting space to CAs for a unique visual indicator, they want to make sure that there is sufficient value in that arrangement.

That’s totally fair.

And we’ve taken that into consideration with what we’re proposing. I think it’s a bit cynical to say the CAs just want to sell billboards, but that’s pretty on-brand for the CA/B Forum. Moving on…

People don’t notice or don’t know to look for EV UI

We wrote last week about the general lack of civility at the CA/B Forum, as well as the fact that any research put forward by the CAs is judged to be tainted and unreliable. It’s treated like junk science.

And the rest of the Forum talks about whether the EV indicator is useful like it’s been empirically proven.

Here’s the thing: it hasn’t.

Whether or not people notice or use a trust indicator is incredibly difficult to quantify. You can’t do it with a survey.

The human brain can process images it sees for as little as 13 milliseconds. As Nicholas Rule, a social psychologist who teaches at the University of Toronto, writes in the Association for Psychological Science’s Observer Magazine:

Before we can finish blinking our eyes, we’ve already decided whether we want to hire, date, hate, or make friends with a person we’re encountering for the first time. These first impressions color the way we interact with other people from that point forward. And all of this happens outside of our awareness, in the unconscious processes of the mind, research shows.

But that’s first impressions of people. What about websites?

The average internet user forms a trust decision within 50 milliseconds of arriving on a website. That’s according to a study performed by the Human-Oriented Technology Lab at Carleton College and published in the journal Behaviour & Information Technology.

Our minds process millions of things every day on a subconscious level. These are called subliminal stimuli; they occur beneath our threshold for conscious perception.

As Karin B. Jensen – who has a PhD in Neuroscience and teaches Psychiatry at Harvard – wrote in the International Review of Neurobiology just last year:

Subliminal means that a stimulus is presented below (sub) the threshold (limen) for conscious recognition, yet the stimulus can still affect behavior as it has been registered at a basic level of perception…

The point I’m making is NOT that EV registers on a subliminal level. It’s that WE DON’T KNOW.

I’ve just cited science that was rigorously researched and reviewed by experts in their respective fields. By contrast, this is the methodology employed by Google in the study that’s widely cited as showing the current security UI doesn’t work:

To motivate the need for new security indicators, we critique existing browser security indicators and survey 1,329 people about Google Chrome’s indicators.

So, to be clear, this is just a survey. Conducted by Google polling its own customers. And the phrasing “to motivate the need for…” sort of feels like Google already knew what it was hoping to find before it even started its survey. This would be considered tainted if it had come from the CAs. But petty grievances aside, this is far from scientific. It’s tough to get exact figures on how many users Google Chrome has. But its mobile app alone has been downloaded more than 5 billion times. I mention this because 1,329 people is an infinitesimal sample size. And it’s not measuring any of the cognitive aspects of the decision.

Asking someone “did you notice this” is unreliable. That’s why witnesses are often discounted in criminal trials. There’s a proven disparity between what we process and what we remember. Even the godfather of user research himself, Jakob Nielsen (no relation to Leslie), once wrote:

Too frequently, I hear about companies basing their designs on user input obtained through misguided methods. A typical example? Create a few alternative designs, show them to a group of users, and ask which one they prefer. Wrong. If the users have not actually tried to use the designs, they’ll base their comments on surface features. Such input often contrasts strongly with feedback based on real use.

Case in point, I drive 45 minutes to work each morning. On the way I make use of all kinds of symbols and indicators to help me navigate, but if you stopped me the moment I got out of the car and showed me a picture of a sign or symbol I drove past on the way, I couldn’t tell you if I remembered it or not. And even if I could that would be unreliable because you didn’t actually see me use it that way.

I also couldn’t tell you if I’d noticed it had been removed. But the corollary of that isn’t that it’s not useful. That’s taking a leap.

Most of the “research” on this topic is just anecdotal or its methodology only scrapes the surface of the human judgment process.

Again, the point I’m making ISN’T that the UI does or doesn’t work. It’s that the research we have on both sides of the debate doesn’t really prove anything.

The validation portion of EV is broken and unreliable

This point has some substance – but it’s overstated. And none of it is “unsolvable,” as some so adamantly claim. Specifically, when it comes to EV SSL, there are two major points of contention here:

  • The process can be exploited by attackers
  • The information provided can be confusing

Let’s start with the first one, that the process can be exploited. Ian Carroll and James Burton both produced proofs of concept that showed how the EV system can be abused. Burton created a misleading organization name. Carroll created a naming collision. Technically, both Burton’s and Carroll’s exploits check both boxes, because the verified information is also confusing.

At the time, Burton opined:

EV is on borrowed time and deprecating EV is the most logical viable solution right now and brings us one step forward in vanishing the old broken web security frameworks of the past. Now that both me and Ian have demonstrated the fundamental issues with EV and the way it’s displayed in the UI, it’s only a matter of time until the REAL phishing starts with EV.

Now, please show me the data if I’m wrong, but that last part really hasn’t happened, has it? There hasn’t been an explosion of EV phishing. If you’re going to argue EV doesn’t stop phishing that’s fine, but it’s also not being used for phishing, either. The few cases where there’s been a rogue EV certificate were the result of site compromise. And there’s a bit of conflation with the EV code signing certificates for sale on the dark web and EV SSL certificates. The latter is not all that prevalent. Again, show me the data if I’m wrong.

While the validation portion of EV (and pretty much all SSL) could do with some tweaking and improvements, you really do need to jump through a number of hoops to exploit it. (And many of those hoops require government filings, which criminals typically try to avoid.) And the point where things broke down with Carroll’s POC was with the UK Companies House – not the CAs.

The other criticism is that sometimes the information provided by EV can be confusing. Carroll’s exploit was confusing because it created a name collision with the Stripe payment company. The SSL Store™ deals with this, too. The SSL Store™ is a DBA, so our EV name plate says “Rapid Web Services, LLC.”

Our proposal: Mouse-over UI with LEIs included

Our proposal really has three prongs; we just didn’t feel like putting the third in the header because education just isn’t all that provocative (really, none of this is).

  • Mouse-over UI
  • Browser Home page educational messages
  • LEIs

Like we did with the complaints, we’ll go through each of these suggestions one-by-one. Each is made to help address the major criticisms opposing EV.

Positive mouse-over EV UI

Let’s start with the actual UI suggestion, which is to place the EV UI in a mouse-over or hover-over box that displays the first time someone mouses over the address bar, and then again whenever someone hovers over it for a couple of seconds. The indicator should also be differentiated with a positive symbol, ideally something like Apple’s Safari UI, which presents EV URLs in green. This would signal that more information is available.

This approach has a few benefits:

  • Doesn’t take up browser real estate
  • Offers space to include more information
  • It’s harder for users to miss

Nobody on the internet is clamoring for less identity information to be available. Well, nobody reputable. As more and more people become aware of data security on account of the never-ending torrent of breaches in the news daily, trust and identity are increasingly important. This would provide a surefire way to display some information about the organization running the website in a way that’s more noticeable to the user. If they don’t like it, let them turn it off with a flag or a setting, but most people will appreciate the expanded information.

Right now, Mozilla offers a solid model for how this could go:

Example mouseover UI for EV

Unfortunately, in its current iteration you have to click on the padlock, then on the little arrow next to the connection field. And most people really don’t know where to look to find it this way.

But if you start showing this data the first time someone mouses over the address bar, they’ll start looking for it. Aesthetically, the browsers can do it however they want, but if we at least partially standardize this approach, some of the education takes care of itself: once people notice it’s there, they’ll find it useful.

That brings us to…

Educational messages on browser start pages

When you open a web browser it takes you to a start page with some favorites, maybe some news – but plenty of unused real estate. Consider that 95% of people never change their default settings and statistically that means 19 of 20 internet users are seeing the same screen when they start up.

The other thing these pages have in common, which we just alluded to – besides the fact almost every browser user sees them on a regular basis – is that they have a lot of empty space.

And that space would be a perfect place to stick a small message advertising this new feature. Some browsers already display informational messages like this:

Mozilla Firefox messages to browser users

Because one of the misconceptions that comes with the “people don’t notice/know to look for it” argument is that the CAs have somehow failed to educate their customers about EV. But the CAs HAVE educated their customers. That’s why some organizations use EV in the first place. It shouldn’t be incumbent upon the CAs to educate the browsers’ customers. Should they do more? Probably. Is it solely their responsibility? No, the browsers need to be doing it, too. This is a partnership; SSL certificates are a support product. CAs don’t have a mainline to the browsers’ customers, the browsers do.

And frankly, educating users shouldn’t even be that hard. Again, a quick notification on the Browser Home page should be sufficient. But we need to standardize a UI first or no amount of education is going to have the intended effect.

Add LEIs to certificates

There’s a ballot at the CA/B Forum right now that’s debating whether this should happen. Here’s some background: LEIs are Legal Entity Identifiers. They were created in the aftermath of the financial crisis that occurred a decade ago, and they are numerical codes recognized by 150 different countries. The entire system is overseen by a Swiss non-profit called GLEIF. The numbers are handed out by Local Operating Units (LOUs).

Given the overlap between issuing digital certificates and issuing LEIs, a number of CAs are already operating as LOUs. Unfortunately, there’s one recalcitrant member of the forum that’s gone so far as to suggest they will unilaterally block this ballot and potentially distrust CAs that issue certificates with LEIs included.

It’s hard to understand why. An LEI can help prevent collisions and confusion. As Stephan Wolf of GLEIF wrote in a recent CA/B Forum email:

The whole point of including an LEI is efficiency so organizations have a uniform, globally recognized and standards based unique 20 digit identifier that is machine readable, will never be reused, and can be used to access other data using the same number. 

Now, I can already hear the objections percolating, that, like confusing organizational names, people won’t know what to do with an LEI number. But there are several workarounds for that.

For one, the browser could just take the LEI code and look up the associated information. Granted, that might require an additional call, which may be anathema to browsers – but it’s an option. You could also make it easy to click on the LEI number and follow it to a database with the information. This would require the user to take an action, but some might find it useful. But more than anything, it could send up a red flag when an eCommerce website or some other organization that transacts in valuable data DOESN’T have an LEI.
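Before a browser or CA spends a network lookup on an LEI pulled from a certificate, it can check the identifier offline: the 20-character layout and the ISO 7064 MOD 97-10 check digits that ISO 17442 specifies are verifiable with no call at all. The following is an added example (not code from the original post or from GLEIF); the sample LEI is the one I recall as GLEIF’s own registration, used here only as a checksum-valid sample, and the lookalike variants are constructed.

```python
"""Offline structural and check-digit validation of a Legal Entity Identifier.

Added example; not code from the original post or from GLEIF. Assumes the
ISO 17442 layout (4-char LOU prefix, 2 reserved chars, 12-char entity part,
2 check digits) and ISO 7064 MOD 97-10 check digits, which is what makes
the identifier machine-verifiable before any registry lookup.
"""
import re

# Sample LEI for the demo (believed to be GLEIF's own; used only as a
# checksum-valid sample, not as a page-specific value).
SAMPLE_LEI = "506700GE1G29325QX363"

# 18 alphanumeric characters followed by exactly two decimal check digits.
_LEI_RE = re.compile(r"[0-9A-Z]{18}[0-9]{2}")


def _to_numeric(s: str) -> str:
    """ISO 7064 convention: digits stay, letters A..Z become 10..35."""
    return "".join(str(int(c, 36)) for c in s)


def _mod97(numeric: str) -> int:
    """Streaming remainder so a 30-digit numeric string never overflows."""
    remainder = 0
    for d in numeric:
        remainder = (remainder * 10 + int(d)) % 97
    return remainder


def lei_check_digits(first18: str) -> str:
    """Compute the two check digits for an 18-character LEI body."""
    body = first18.strip().upper()
    if not re.fullmatch(r"[0-9A-Z]{18}", body):
        raise ValueError("LEI body must be exactly 18 alphanumeric characters")
    # MOD 97-10: append "00", take mod 97, check value is 98 minus that.
    return f"{98 - _mod97(_to_numeric(body) + '00'):02d}"


def is_valid_lei(candidate: str) -> bool:
    """True only if the layout is right and the check digits verify (mod 97 == 1)."""
    lei = candidate.strip().upper()
    if not _LEI_RE.fullmatch(lei):
        return False
    return _mod97(_to_numeric(lei)) == 1


def parse_lei(candidate: str) -> dict:
    """Split a validated LEI into the ISO 17442 fields a UI could display."""
    lei = candidate.strip().upper()
    if not is_valid_lei(lei):
        raise ValueError(f"not a well-formed LEI: {candidate!r}")
    return {
        "lou_prefix": lei[:4],      # which Local Operating Unit issued it
        "reserved": lei[4:6],       # reserved characters, "00" in practice
        "entity_part": lei[6:18],   # entity-specific portion
        "check_digits": lei[18:],   # ISO 7064 MOD 97-10 check digits
    }


if __name__ == "__main__":
    # Constructed lookalikes: swapped check digits, letter O for zero, wrong length.
    candidates = [
        SAMPLE_LEI,
        "506700GE1G29325QX336",
        "5O6700GE1G29325QX363",
        "506700GE1G29325QX36",
    ]
    for c in candidates:
        print(f"{c:<22} valid={is_valid_lei(c)}")
    print("fields:", parse_lei(SAMPLE_LEI))
```

A failed check does not prove fraud, only that the string is not an LEI at all, so a UI would treat it like a missing LEI rather than trying to resolve it.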

Again, this debate is still in its infancy – but as Wolf wrote to Google:

The LEI should be embedded in other eco systems for the greater good. I would like to state that LEI adds another layer of trust to EV certificates. Given your concerns about trust and evaluation, you should put yourself at the forefront of this project. The LEI has a lot of value for the Google user base among more.

Does anyone have a better idea?

The final point we’re going to make is about the CA/B Forum itself. Last month we made a case for a return to civility. Pretty much just asking everyone to stop acting like assholes. But one of the things we mentioned in that article is that the CA/B Forum is really only fulfilling half of its mandate. From its own bylaws:

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading Certificate Issuers and vendors of Internet browser software and other applications that use certificates (Certificate Consumers).

Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

And here’s the thing: nobody that’s advocating for the end of EV has any kind of constructive suggestion for how to accomplish what it was designed for. And what EV is trying to do is pretty universally regarded as a good thing. It’s just a matter of its efficacy.

If there were a competing approach being offered as a replacement, that would be one thing. But eliminating it without any vision towards a replacement does not make the internet safer or more secure. And that’s not in line with the Forum’s stated goals. It seems like discarding EV with no viable alternative just sets the whole internet backwards.

The internet can’t afford to wait for us to figure something else out. Again, identity has never been more critical. If you have another way to approach authentication and ID online, let’s hear it. Otherwise, we should start figuring out how to fix EV. Most of the CAs want to have that conversation. Whether or not it actually gets discussed – and earnestly – is up to the browsers.

As always, leave any comments or questions below…

8 comments
  • This is a well-written piece with some valid discussions. As I am new to the EV/OV/DV debate I don’t fully understand the browsers’ objections to the EV. As an IT veteran I never fully understood the differences or why I should choose an EV cert over a DV cert. The argument that the EV information takes up too much space in the location bar is ludicrous. How often are users typing locations versus selecting where they want to go from a search? What is the real motive from the browsers?

    • “What is the real motive from the browsers?”

      ^ That’s the million dollar question! Just guessing here, but maybe they’re building their own identity solution they want to sell, or maybe an anonymous internet makes certain international expansion easier for them?

  • My suggestion:

    Put the EV indicator as a green smart bar below the address bar that the user can close. It should appear on every visit to an EV protected site. You can include the Org name, Country, LEI and a link to a description about EV there. The best way to experiment is by partnering with a browser. Maybe it’s time for the CAs to sponsor a browser and partner with it to improve effectiveness of showing SSL identity to site visitors.

    As to the EV green bar not even being recognized or given attention, they’re wrong. It is definitely recognized. Most people associate it with banks. Most Orgs want it so their sites will be easily recognizable like bank websites.

    I don’t fully understand why the browsers want to discontinue the green bar when businesses typically buy EV to display their identity on the address bar. It’s a feature, a visual feature at that. They say it takes visual space. Then improve your UI. For example, with Firefox there is so much empty unused space on the row of the address bar!

    I agree that this EV feature should be improved and not killed. Why are they so bent on killing this feature and using it to blackmail the CAs? Perhaps Google wants to enter the CA space too? Oh the hypocrisy. Oh please, the anti-trust. Google is becoming too big. It’s monopolizing how we see the web. Maybe it’s time the web shouldn’t be controlled by 1 browser? Any lawmakers there? Well it already monopolizes how information is served on the web!

    What needs fixing and differentiation is OV and EV. OV also includes Org identity albeit in the certificate only. No one views the certificate at all. Laymen that is. Visual cues are needed. Smart bar below address bar is the key.

    EV – green smart bar with all the Org info
    OV – smart bar telling user how to check Certificate to view Owner identity and please indicate SSL used is OV

    That is right smart bar should indicate SSL type. It should link to an info on what that type represents. Education is also key.

    These browsers always put Let’s Encrypt to the forefront but they won’t say that because of it, SSL misuse was propagated. Most phish sites are now with lock icon. And since this is a foundation that relies on donations, then who can say exactly how long it will stay? Most sites with LE I see have expired certs and this will be the case when their servers processing SSL requests suddenly get turned off due to whatever reason, maybe due to lack of funds, DDoS or flood of requests.

    -PG

  • LEI can readily augment the valuable identity data that CAs already put in EV. The G20 approved LEI number links to who is who AND also who owns whom data, and essentially represents strongly verified organisational identity. LEIs are already extensively used by the financial markets and banks for advanced KYC. If inserted into certs by CAs, this will greatly help deliver much deeper KYC insight for everyone. The world needs more identity NOT less!

    • Correct. But another problem is most visitors don’t know how to make use of the site SSL. The identity features are applied but aren’t properly used/utilized by the visitors. Most don’t even check the certificates hence the browsers asking if they are of any use at all.

      That is why there should be a Smart bar under the address bar informing the user of the type of SSL, the Org name and the option to view the cert details to corroborate site identity.

      These identity features are hidden. The browsers should utilize them correctly instead of killing the feature.

      I agree that SSL is for encrypting traffic first and foremost but that’s why we also have different types of SSL to make sure you are communicating with the correct server by supplying verified identity details. These details should be fronted and not hidden!

  • Of course browsers should make identity data in certs readily available. The existing identity data in EV is however limited and can quickly be out of date. The LEI code is a reference to a live database free to everyone and gets updated as changes occur and open to challenge. LEI data augments the existing identity data captured in EV. Perhaps there needs to be sufficient identity data present to warrant browsers to make the identity data readily available. Could the identity data be displayed also via smart site seals in some way? If the identity data represents strong organisational identity it would be feasible to insure transactions associated with the domain. Hopefully business sense will prevail. Meantime LEI adoption continues regardless driven by financial regulation, new use cases e.g. payment industry and best practice.

  • Isn’t LEI the same as DUNS? Most CAs use DUNS but I find data there to be outdated and they take so long to update. As far as I know LEI is not free and is paid for by subscription.

    With regards to site seals, site seal is optional and is placed on the website. Sometimes its placement is obscure. Sometimes it is blocked by addons or the server is unreachable. The smart bar is similar to the Internet Explorer bar you see in this picture with regards to ActiveX

    http://3.bp.blogspot.com/_ekxQkyj9-D8/TRSdD5ev-HI/AAAAAAAAAIU/3dbTdvZIeMU/s1600/active-x-2-bb2.gif

    It’s always on top, you can easily add more details to it and can also be easily closed. It can say – “This site uses an Extended Validation certificate issued to etc etc, to view certificate click here, to know more about etc etc”. This will be a browser feature whereas the site seal isn’t.

    With regards to identity data in EV being quickly out of date? For 2 years and for established businesses, I doubt that. Besides, even if cert expiry is 2 years, there should be yearly audit of Org details. If there is change they have to update or reissue. If not, SSL will be revoked. I guess this is where LEI comes in if it is indeed realtime. But who will enforce this? Who will monitor changes? Will CAs have to review client details yearly or remind clients to do so? If found outdated, will CAs revoke the SSL or suspend?

    • LEI has similarities to DUNS in that essentially they are regularly updated databases; however legal entities and LEI issuers are contractually bound to update LEI records when there is a change. Also LEI data is only valid for 12 months and has to be renewed to remain valid. Importantly there is also a public challenge capability such that anyone can query a LEI record and the LEI issuer is duty bound to verify/update. The LEI database is also available for FREE to everyone and can be queried via portal and/or API. Since the LEI is a reference within a certificate, clearly if identity data changes during the validity of the SSL, the SSL doesn’t need to be re-issued. The CAs can perform a valuable identity service essentially matching correct LEI to cert; this is similar to LEI being matched with other important identifiers e.g. BIC which is again readily available via the GLEIF website. The LEI eco-system has been designed specifically for uniquely identifying organisations globally to assist enterprises e.g. banks have direct access to advanced KYC functionality. On that basis I would suggest if the LEI data is expired it would make sense for the digital certificate to be revoked and/or browser warning messages could warn that LEI data was expired. I personally love the concept of the “smart bar”; but to get round the chicken-and-egg conundrum, first IMHO the digital certificate needs to contain rich valuable identity data to warrant the browser OEM efforts to do something with the identity data; currently the identity data in certs needs a re-vamp!


Author

Patrick Nohe

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.