Network World
Thursday, July 24, 2008

Hidden Microsoft

Microsoft Subnet

What about EV SSL Certs…

Ah! It's the weekend, which means the time has come for yet another post. My first topic deals with EV SSL Certs. A short definition of EV SSL Certs can be found on everyone's favorite site, Wikipedia:

"Extended Validation Certificates (EV) are a special type of X.509 certificate which require more extensive investigation of the requesting entity by the Certificate Authority before being issued."

At first glance, you may think that these very costly little do-dads are the greatest thing since sliced bread. After all, per the definition the purpose of "EV" is to increase the level of assurance associated with these certificates by preventing evil doers from getting them. To do this, an entity attempting to get an EV Cert must be a legal identity that owns the domain it is requesting the certificate for.

But, here is the problem. Anyone can become a legal entity, get a domain name, and then "purchase" an EV certificate. In the end, the process is pretty much the same as purchasing an SSL Cert, just with more hoops. Thus, you are just paying more money for an SSL Cert, which may or may not provide more assurance for your users. Errr...

Yes, that's right... that extra money is pretty much just an assurance statement. Kinda like a "look at me, your browser's bar is now green, thus my SSL protected site is trustworthy." Actually, that statement is the issue that I have with EV. After all, I can't really see how it lives up to the lofty goal of protecting users from phishing attacks. And, here is why:

  • Users may not see that really cool green bar (proven fact per Stanford and Microsoft).
  • EV doesn't really protect against spoofed content.
  • Bad guys can get EV Certs just like everyone else.

So, in the end, I hold on to my opinion that the extra cost for EV is just not justified. Instead, CAs should have been performing the organizational checks to begin with. Oh well...

BTW - KC Lemson had a really good post about the circular interaction that I had with her, me, and the Exchange Product Team leading to a trip down memory lane and thus her posting about the "Evolution of customer feedback inputs". It's a good read... The only sad part is my grammar in the follow-up post that she references. I really shouldn't post late at night!

Overlooking the point

How much research did you do for this article? You've pretty much completely overlooked the point of EV.

A badguy can't buy an EV certificate for Paypal.com, because the vetting requirements will lead to his rejection. More importantly, he can't buy one for his phishing domain PayPal-Payments.com, unless he starts a legal company by that name, with the associated record-keeping and registration requirements. The cost is much higher, meaning that he can't buy zillions of throwaway domains/certificates. The money he's paying is spent by the CA on validating his identity and recording that info for future use by law-enforcement, if needed. All of these factors are where the EV value comes into play.

Now, on to your other concerns:

"Users may not see that really cool green bar (proven fact per Stanford and Microsoft)."

It's true that Stanford/MSR did a study where they found that most users didn't notice the green bar. Of course, that was very early in the IE7 lifecycle, before anyone had come to expect EV or know what it meant. Obviously, there's a long learning curve ahead here, but as PayPal and other major companies adopt EV, customers will slowly come to look for it.

It depends on what you consider "spoofed content." EV identifies the owners of domains, in an unambiguous, non-spoofable way. It's not a panacea (obviously) as an XSS vulnerability or other bug in an EV website isn't going to take the green bar away. But EV does effectively attack the problem it aims at, namely misleading domain names.

Sure, bad guys can easily give hundreds of dollars to CAs to pay the CAs to gather information about the bad guys for future use by law-enforcement, and to spend on ensuring that the certificate requested is not a spoofing attack against another (legitimate company). To me, this sounds like a "pro", not a "con".

The point wasn't overlooked...

Matt,

Thanks for the response.  No, I'm not overlooking the point and as far as research... I do this for a living.  My beef with EV was summed up in my last statement:

"So, in the end, I hold on to my opinion that the extra cost for EV is just not justified.  Instead, CAs should have been performing the organizational checks to begin with.  Oh well..."

EV is just a band-aid for something that shouldn't have occurred to begin with.  While it's great that browsers are adapting their interfaces in an effort to help users determine trust.  This is something that in the long run will help.  I think you summed up the root of the problem here:

"The cost is much higher, meaning that he can't buy zillions of throwaway domains/certificates." - and - "A badguy can't buy an EV certificate for Paypal.com, because the vetting requirements will lead to his rejection."

I'm sorry... publicly trusted CAs should have never gotten us to this point.  If they haven't taken their jobs seriously from the start... then EV will be no different.

- T

About Tyson Kopczynski

With more than nine years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Group Policy, Windows scripting, Windows Rights Management Services, PKI, and IT security practices. Tyson is the author of the new book Windows PowerShell Unleashed (read a sample chapter and learn about the drawing for a free copy here). Tyson has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed and Microsoft Windows Server 2003 Unleashed (R2 Edition). He has also written detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with next generation Microsoft technologies since their inception and played a key role in expanding scripting and development practices. Tyson also holds the SANS Security Essentials Certification, Microsoft Certified Systems Engineer Security certification, CompTIA Security+ certification and SANS Certified Incident Handler certification.
