Extended validation SSL
March 2007
Tim Moses (chair, CA / Browser Forum)
© Copyright Entrust, Inc. 2005
Overview
• Browser security
• Site authentication
• The history of SSL
• Extended validation in the browser
• Extended validation certificates
• Not a silver bullet
There’s a problem with the Web
Gartner reports …
• From mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft
– an increase of more than 50 percent from the estimated 9.9 million in 2003
• The average loss of funds in a case of identity theft was $3,257 in 2006
– up from $1,408 in 2005
• An average of 61 percent of funds were recovered, in 2006
– Down from 87 percent in 2005
New Phishing Sites
Morgan Keegan/UBS Jul 2006
Web vulnerabilities
Malicious code
HTTP proxy caching
Cross-site scripting
Man-in-the-middle
Site impersonation
ISP eavesdropping
DNS caching
Local area eavesdropping
First-party accreditation
• Self-signed SSL certificate
– Trust dialog
– Help-desk calls
• Security toolbar
Browser toolbars
Third-party accreditation
• SSL certificates
The early years (mid 90s)
• Threats to the Web
– Site defacement
– ISP eavesdropping
• Netscape developed SSL
• Simple trust indicators
– Look for the golden key or padlock to check that you are safe
• Computer-literate users
• URL that reflects the name of the organization
• Common issuing practices
– VeriSign Class 3
• Although …
– There were no strict criteria for the use and management of roots in browsers
Mid-life (2000 – 2001)
• ABA¹ developed PKI Assessment Guidelines
• Audit profession recognized a need for criteria
• AICPA² & CICA³
• Audit criteria “WebTrust for CAs”
• Similar standard in Europe: ETSI⁴ TS 101 456
• Adopted by Microsoft as a requirement for including roots in Windows
– Other browser suppliers followed Microsoft’s lead
• But …
– There were serious omissions
– Do not specify what identifying information has to be included in a certificate
– Or how to validate that that information is correct
– Users supposed to review CPS
¹ American Bar Association
² American Institute of Certified Public Accountants
³ Canadian Institute of Chartered Accountants
⁴ European Telecommunication Standards Institute
The SSL certificate marketplace
Rigour (= cost, delay, inconvenience)
Price
GoDaddy
GeoTrust
VeriSign
Entrust
Other CAs: Comodo, CyberTrust, DigiCert, Ipsca, Notaris, QuoVadis, Trustis, XRamp
All certificates cause the lock to display
Domain-validated certificates
Organizationally-validated certificates
Trust indicators
Yellow address bar
Golden padlock
Evidence of a problem
• Domain-validated SSL certificates have been issued to phishing sites
• User confusion
– Does the golden padlock mean I’m secure?
– Does SSL provide authentication or just confidentiality?
CA / Browser Forum (2005)
• Major CAs and browser suppliers got together
• Formed the CA / Browser Forum
• Objective – Improve trustworthiness of the Web
• Project to develop certificate issuance guidelines for new browser trust indicators
• Microsoft has adopted an interim draft of the CABForum guidelines as the criteria for inclusion in their root embedding program
IE7 Phishing filter and EV SSL
Phishing, Suspected phishing, HTTP, HTTPS, EV
IE7 UI details
Green address bar
Golden padlock
Assumed name, registered name and country alternating with the issuer’s name
Opera 9
The SSL Marketplace - after EV (two points of view)
[Figure: two panels, “Very high threshold” and “Moderate threshold”, each labelled with Conventional SSL and EV SSL]
EV certificate
• Identified by …
– Particular certificate policy identifier
• Verified contents …
– Registered name
  • e.g. ACE Aviation Holdings Inc
– Assumed name
  • e.g. Air Canada
– Domain name
  • e.g. www.aircanada.com
– Place of business address
– Jurisdiction of incorporation
– Registration number
Note: The CA must also retain verified name and contact details for the applicant
Verification requirements
• Legal existence
– Government registry
• Operational existence
– Trade accounts
– Bank letter
– Legal opinion
– Accountant’s letter
• Physical existence
– Trade accounts
– Site visits
• Domain name
– WHOIS
– Practical demonstration
Other requirements
• Revocation
– Browsers will check for revocation by default, using OCSP, once “stapling” becomes widely available
• Identification and authentication of requestor/approver
• Verification of authority of requestor/approver
• Warranty by CA to subscribers, users and browser suppliers
• Errors and omissions insurance
It’s no good if users don’t check!
• EV sites place this graphic on their publicity material, including the Web site
• The message isn’t ‘if you see green you are safe’
• It just reminds the user to check the site identity in the location bar
It’s not foolproof – picture-in-picture
Conclusion
• Browser security has significant shortcomings
• EV SSL represents a dramatic improvement
• It isn’t foolproof
• User awareness remains a critical issue
• Initial marketplace reaction appears positive
For more information: http://www.cabforum.org/