{"id":7183,"date":"2018-08-27T13:17:19","date_gmt":"2018-08-27T17:17:19","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7183"},"modified":"2020-12-15T09:53:47","modified_gmt":"2020-12-15T14:53:47","slug":"public-facing-government-websites-need-ev","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/public-facing-government-websites-need-ev\/","title":{"rendered":"Recently Unearthed Russian Operation reinforces why public-facing government websites need EV"},"content":{"rendered":"<h2>There may not be a better use-case for Extended Validation SSL certificates than government websites<\/h2>\n<p>One story that got lost in the torrent of national news last week was Microsoft shutting down six phony websites created by a group affiliated with the Russian government. The six websites were created to mimic websites related to public policy institutes and the US Senate. The Russian hackers were attempting to steal credentials and potentially infect the computers of anyone who tried to access the sites.<span id=\"newline\"><\/span><\/p>\n<blockquote><p>\u201cThe effort by the notorious APT28 hacking group, which has been publicly linked to a Russian intelligence agency and actively interfered in the 2016 presidential election, underscores the aggressive role that Russian operatives are playing ahead of the midterm elections in the United States,\u201d <a href=\"https:\/\/www.washingtonpost.com\/business\/economy\/microsoft-says-it-has-found-a-russian-operation-targeting-us-political-institutions\/2018\/08\/20\/52273e14-a4d2-11e8-97ce-cc9042272f07_story.html?noredirect=on&amp;utm_term=.c5071b7d509a\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">writes Elizabeth Dwoskin of the Washington Post<\/a>. \u201cU.S. officials have repeatedly warned that the November vote is a major focus for interference efforts. 
Microsoft said the sites were created over the past several months and that the company was able to catch them early, as they were being set up. It did not go into more specifics.\u201d<\/p><\/blockquote>\n<p>APT28 is also known as Fancy Bear.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7192\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-175035208-1-300x300.jpg\" alt=\"Fake Russian sites reinforce why public-facing government websites need EV\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-175035208-1-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-175035208-1-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-175035208-1-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-175035208-1.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>While Microsoft reports that the websites were not used in an attack, these kinds of sites can be used for spear-phishing and as malware carriers. Spear-phishing is a highly specialized form of phishing where the attacker conducts surveillance and socially engineers an email that looks and feels authentic enough to get the recipient to take an intended action, in this case following a link and logging into a website.<\/p>\n<p>APT28 targeted:<\/p>\n<ul>\n<li>The Hudson Institute, a conservative Washington think tank actively investigating corruption in Russia. (hudsonorg-my-sharepoint.com)<\/li>\n<li>The International Republican Institute, a non-profit group that promotes democracy around the world. (my-iri.org)<\/li>\n<li>The US Senate, with three different websites that appeared to be affiliated with Congress\u2019s upper chamber. 
(adfs-senate.service; adfs-senate.email; adfs.senate.group)<\/li>\n<li>Microsoft itself, with a website that spoofed the company\u2019s own online products. (office365-onedrive.com)<\/li>\n<\/ul>\n<p>It\u2019s clear Fancy Bear was primarily targeting Microsoft users. Obviously, you have the fake Microsoft website, which is a pretty big indicator itself, but ADFS is an acronym that stands for Active Directory Federation Services, which is a <a href=\"https:\/\/www.thesslstore.com\/blog\/single-sign-on\/\">single sign-on<\/a> solution made by Microsoft.<\/p>\n<p>The way Microsoft took down the sites is fairly interesting. It used a legal maneuver that it has employed over a dozen times since 2016 to disable 84 sites run by APT28. It obtains a court order that legally enables it to transfer the malicious domains to its own servers where it can effectively shut them down and study them. Microsoft has also used this tactic to shut down botnets. Last Monday\u2019s court order was executed in Virginia.<\/p>\n<p>Now, there are a lot of political and legal implications that stem from Microsoft shutting down these websites. But we\u2019re going to focus on one very specific point: website identity.<\/p>\n<h2>The fake Russian websites all used DV SSL certificates<\/h2>\n<p>Let\u2019s preface with this: we are not criticizing Domain Validation SSL certificates here. We are simply observing the conditions that enabled these websites to look more legitimate. All six used DV SSL certificates, which allowed the websites to receive a \u201cSecure\u201d tag in the address bar of most desktop browsers, while giving it the traditional green padlock indicator on mobile browsers.<\/p>\n<p>We\u2019ve <a href=\"https:\/\/www.thesslstore.com\/blog\/browsers-helping-https-phishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">made no secret of our distaste of the current DV security indicators<\/a>. 
And to its credit, Google seems to have come to its senses and will be removing positive indicators for websites that have DV SSL installed in the next few updates of its Chrome browser.<\/p>\n<p>Let\u2019s take a look at the six certificates in question:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"132\"><strong>Domain<\/strong><\/td>\n<td width=\"135\"><strong>Certificate FQDN:<\/strong><\/td>\n<td width=\"92\"><strong>Issued On<\/strong><\/td>\n<td width=\"85\"><strong>Verification<\/strong><\/td>\n<td width=\"180\"><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><u>hudsonorg-my-sharepoint.com<\/u><\/td>\n<td width=\"135\">hudsonorg-my-sharepoint.com<\/td>\n<td width=\"92\">Mar 22, 2018<\/td>\n<td width=\"85\">Domain Validated<\/td>\n<td width=\"180\"><a href=\"https:\/\/crt.sh\/?id=372250509\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/crt.sh\/?id=372250509<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><u>office365-onedrive.com<\/u><\/td>\n<td width=\"135\">office365-onedrive.com<\/td>\n<td width=\"92\">Apr 25, 2018<\/td>\n<td width=\"85\">Domain Validated<\/td>\n<td width=\"180\"><a href=\"https:\/\/crt.sh\/?id=419954326\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/crt.sh\/?id=419954326<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><u>senate.group<\/u><\/td>\n<td width=\"135\">adfs.senate.group<\/td>\n<td width=\"92\">Jun 27, 2017<\/td>\n<td width=\"85\">Domain Validated<\/td>\n<td width=\"180\"><a href=\"https:\/\/crt.sh\/?id=305392600\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/crt.sh\/?id=305392600<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><u>my-iri.org<\/u><\/td>\n<td width=\"135\">sharepoint.my-iri.org<\/td>\n<td width=\"92\">Apr 16, 2018<\/td>\n<td width=\"85\">Domain Validated<\/td>\n<td width=\"180\"><a href=\"https:\/\/crt.sh\/?id=399462567\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https:\/\/crt.sh\/?id=399462567<\/a><\/td>\n<\/tr>\n<tr>\n<td 
width=\"132\"><span style=\"text-decoration: underline;\">adfs-senate.services<\/span><\/td>\n<td width=\"135\">No certificate found*<\/td>\n<td width=\"92\"><\/td>\n<td width=\"85\"><\/td>\n<td width=\"180\"><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><u>adfs-senate.email<\/u><\/td>\n<td width=\"135\">No certificate found*<\/td>\n<td width=\"92\"><\/td>\n<td width=\"85\"><\/td>\n<td width=\"180\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Information on two of the six certificates was not available, possibly because they were issued before the requirement for CAs to publish every issuance into a Certificate Transparency log, which makes them harder to track down.<\/p>\n<p>I wouldn\u2019t call it a problem, because according to many around the industry it\u2019s more of a feature than a bug, but DV SSL offers a complete lack of identity information. It does authenticate a server, which as many critics of business authentication certificates will tell you, is exactly what it\u2019s supposed to do.<\/p>\n<p>But let\u2019s be honest, <strong>to the average internet user server authentication is absolutely meaningless<\/strong>. 
Here\u2019s the identity information included in the four logged certificates:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"623\">Subject Name:<br \/>\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 =\u00a0hudsonorg-my-sharepoint.com<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0=\u00a0Free\u00a0SSL<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0=\u00a0Domain\u00a0Control\u00a0Validated<\/td>\n<\/tr>\n<tr>\n<td width=\"623\">Subject Name:<br \/>\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0 =\u00a0adfs.senate.group<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0Free\u00a0SSL<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0Domain\u00a0Control\u00a0Validated<\/td>\n<\/tr>\n<tr>\n<td width=\"623\">Subject Name:<br \/>\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 =\u00a0office365-onedrive.com<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0Free\u00a0SSL<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0Domain\u00a0Control\u00a0Validated<\/td>\n<\/tr>\n<tr>\n<td width=\"623\">Subject Name:<br \/>\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 =\u00a0sharepoint.my-iri.org<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0PositiveSSL<br \/>\norganizationalUnitName\u00a0\u00a0\u00a0\u00a0=\u00a0Domain\u00a0Control\u00a0Validated<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>None of that helps a user discern a fake website from a legitimate one, especially when the browser is telling you it&#8217;s secure.<\/p>\n<p>Fortunately, the US Senate website has an Extended Validation SSL certificate. 
Extended Validation SSL certificates have one major advantage over their Organization Validation and Domain Validation counterparts: they carry a unique visual indicator that places your organization\u2019s name in the address bar beside the URL.<\/p>\n<p>Here\u2019s a look at the Senate\u2019s EV indicator:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7186\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seante-EV.jpg\" alt=\"public-facing government websites need EV\" width=\"1055\" height=\"350\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seante-EV.jpg 1055w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seante-EV-300x100.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seante-EV-768x255.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Seante-EV-1024x340.jpg 1024w\" sizes=\"auto, (max-width: 1055px) 100vw, 1055px\" \/><\/p>\n<p>And here\u2019s the identity information that can be found by clicking the EV indicator (Firefox does this better than any other browser):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7185\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-ID-Information.jpg\" alt=\"public-facing government websites need EV\" width=\"1050\" height=\"448\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-ID-Information.jpg 1050w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-ID-Information-300x128.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-ID-Information-768x328.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-ID-Information-1024x437.jpg 1024w\" sizes=\"auto, (max-width: 1050px) 100vw, 1050px\" \/><\/p>\n<p>And of course, if you click and ask for more 
information, you can see the full certificate details:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7184\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-SSL-Certificate-Details.jpg\" alt=\"public-facing government websites need EV\" width=\"603\" height=\"651\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-SSL-Certificate-Details.jpg 603w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Senate-SSL-Certificate-Details-278x300.jpg 278w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/p>\n<p>Again, nobody does this better than Mozilla, who makes information easily accessible to its users.<\/p>\n<p>So where are we going with this?<\/p>\n<h2>All public-facing government websites should have an Extended Validation SSL certificate<\/h2>\n<p>The APT in APT28 stands for \u201cAdvanced Persistent Threat,\u201d and that is painfully apropos of our current national cybersecurity landscape. There are highly sophisticated, state-backed cyber terrorists (let\u2019s call them what they really are) actively waging digital campaigns to subvert our national institutions and influence our elections and general discourse.<\/p>\n<p>That\u2019s why every public-facing government website, from the smallest municipalities all the way up to the largest federal institutions, needs to have an EV nameplate beside their URL in browsers\u2019 address bars. This is one of the most direct ways for websites to assert their identity to their visitors. 
It\u2019s unmistakable, it&#8217;s unfakeable and it reflects that the organization has been thoroughly vetted by a trusted Certificate Authority.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-7187 alignright\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-173598920-300x200.jpg\" alt=\"public-facing government websites need EV\" width=\"300\" height=\"200\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-173598920-300x200.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-173598920-768x512.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-173598920-1024x683.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-173598920.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Now, I already know there are some objections percolating in the minds of EV critics. And that\u2019s fine. EV isn\u2019t perfect. Everyone agrees we can do more to strengthen the validation aspect of EV and we need to do something about EV collisions.<\/p>\n<p>But in this context, when talking about public-facing government websites, and even some think tanks and institutes, those objections really don\u2019t apply. There shouldn\u2019t be any name collisions and verifying that a government entity is indeed a government entity is a pretty straightforward process.<\/p>\n<p>More to the point, people need that identity information to be there more than ever. And while you might be tempted to point out that not everyone knows to look for it\u2014that can be corrected with education.<\/p>\n<p>Also, when is removing someone\u2019s access to information ever the right call? How is that in the public interest?<\/p>\n<p>Extended Validation SSL certificates give people across the world the ability to confirm the authenticity of a government website with just a single glance. 
That\u2019s why all public-facing government websites need EV SSL. Not just in the US, but all around the globe.<\/p>\n<p>Identity has never been more important than it is right now.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There may not be a better use-case for Extended Validation SSL certificates than government websites One story that got lost in the torrent of national news last week was Microsoft&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7189,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[3556],"class_list":["post-7183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-extended-validation","post-with-tags"],"views":13917,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-176356399.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7183"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7189"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/me
dia?parent=7183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}