
PayPal's Beautiful Demonstration of Extended Validation FUD

208 points | Digit-Al | 6 years ago | troyhunt.com

101 comments

[+] captn3m0|6 years ago|reply
I run infra for a payments company and switched our main website from EV to DV last month silently. This is the landing website, not the application (which had always been DV). There have been ZERO people who have noticed, including peers in my Infra or Security teams.
[+] snowwrestler|6 years ago|reply
It's obvious that EV does nothing for end users these days, which is why I think these "EVs are useless" articles from Troy and others are kind of silly, like dunking over a person with two broken legs.

I think the far more interesting question is why EV certs do nothing for end users, and why browser makers have not introduced any new features to replace what EV certs were intended to do: help end users understand which websites they can trust on first visit.

The entire Internet industry has absolutely punted on this problem. It's a hard problem, but no one is trying to solve it!

And it is absolutely striking to compare against how well this problem has been solved in real life, at least in the U.S. You can walk into any retail establishment in the nation and reasonably expect to have a safe, productive interaction with a proprietor you don't know--even on the first visit.

It's the exact opposite on the Internet, and it's insane that everyone just accepts that.

[+] judge2020|6 years ago|reply
I think a monitoring service that notifies you when the certificate changes would be useful (although it's fine to rely on CAA records)
[+] jiveturkey|6 years ago|reply
You work in infra for a payments company where the security folks didn't notice a certificate change?

Please name the site! (so I can avoid them at all costs)

[+] jzl|6 years ago|reply
I'm surprised no one has mentioned the main practical benefit of EV certs: the fact that a green cert in the browser ensures that there is no man-in-the-middle network proxy/appliance intercepting the traffic even if a trusted certificate for the proxy/appliance (or bad guy) has been placed in your machine's cert store. Browsers will only honor the EV setting in the cert if it was signed by a hardwired (and much shorter) list of CAs.

As long as you, the user, trust that the browser itself hasn't been modified (for example if you downloaded it yourself), then it's a nice reassurance when using a browser in a not totally trusted environment.

[+] CherryJimbo|6 years ago|reply
Browsers are moving away from showing differences between EV and DV certs nowadays though. And anyone can register a company name and get an EV cert - that doesn't make it trusted. https://stripe.ian.sh/ is a prime example of this.

HTTPS is a nice reassurance, sure, but an EV cert isn't.

[+] headsoup|6 years ago|reply
The article is precisely about this: regardless of practical use, people don't follow the behaviour associated with supporting that practice, so it's worthless.

And people who would follow the correct behaviour...are probably capable of doing so without the EV anyway.

[+] geekpowa|6 years ago|reply
"PayPal really doesn't care that the world's most popular browser no longer displays the EV visual indicator."

OT but hopefully interesting: Paypal doesn't care about many things. Like keeping their callback JVMs up to date, or changing their UAs from defaults to disguise their enabling tech.

2019.05.20 xxxx|173.0.81.33|xxxx|POST xxxx/paypal/callback HTTP/1.1|200|954|-|Java/1.8.0_60|xxx|xxxxxxx 2

[+] pp_rglastra|6 years ago|reply
Hi! We have two callback options - for 'Classic' and REST. I checked both of them and they both return the proper UA.

Can you let me know if this is Webhooks or IPN and if you saw this in production or sandbox?

Thanks!

[+] nikanj|6 years ago|reply
I'm really happy that Paypal ops is not upgrading anything just for the sake of upgrading it. At that scale, changes should be approached with extreme caution.
[+] blattimwind|6 years ago|reply
Firefox 66 does not show EV indicators any more, either.

But I would also like to point out that PayPal is a known bad player when it comes to phishing, so no one really should give a damn what they do, and if you do the opposite of what PayPal does in security you are probably doing better than them.

[+] Leace|6 years ago|reply
Interesting because I've got Firefox 67 and Paypal.com does show an EV indicator. Actually I see the same in Google Chrome 74.
[+] LeoPanthera|6 years ago|reply
> But I would also like to point out that PayPal is a known bad player when it comes to phishing, so no one really should give a damn what they do, and if you do the opposite of what PayPal does in security you are probably doing better than them.

I can't even imagine what you are referring to here. PayPal phishes people? Citation needed, please.

[+] dhimes|6 years ago|reply
I have found PayPal to be excellent in response to phishing attempts- but that's an N of 1 and as an outsider.
[+] Semaphor|6 years ago|reply
I have Firefox 69 on Windows and it does.
[+] smnrchrds|6 years ago|reply
Tangential question: neither McDiarmid's "Kill Sticky Headers" [0] nor its improved version [1] work on this website. Does anyone know how the bookmarklet can be changed to work here?

[0] https://alisdair.mcdiarmid.org/kill-sticky-headers

[1] https://news.ycombinator.com/item?id=19962875

[+] fiddlerwoaroof|6 years ago|reply
Is the bookmarklet being blocked by a CSP? There should be an error in the console about that (on chrome, at least)
[+] darkpuma|6 years ago|reply
Ublock Origin's "zap" tool works on it, and you can make the change permanent by creating a cosmetic filter for '##.container.header_block'
[+] illnewsthat|6 years ago|reply
I recommend adding this filter to uBlock Origin: https://raw.githubusercontent.com/yourduskquibbles/webannoya...

It blocked the sticky header for me on this site no problem.

> Description: Web Annoyances Ultralist Sublist for CSS element modifications - Modify site elements that block screen real estate - Primarily used to "pin-in-place" sticky headers, dickbars, floating headers, floating videos, scrolling headers, scrolling videos, stickynavs and other distracting page elements.

[+] niftich|6 years ago|reply
On the HN thread on Troy's last post about this, I said [1]:

"Big sites can get by with DV because people trust big sites by fiat, just by mental associations they already have to a URL. There's no benefit to Facebook having an EV cert, because literally everyone who'd want to visit Facebook knows Facebook's URL. User error about entering credentials on the wrong site -- accidentally due to typosquatting, or through leading such as phishing -- is better mitigated in other ways: multi-factor authentication (especially unproxiable such as U2F); not by making the high-profile site pay thousands of dollars for a text string in green, when there's users who fall victim to phishing from bizarre domains too."

Ultimately, this is a bad example to show that EV is pointless. The biggest benefit of EV is as a flawed signal of legitimacy [1] for sites whose URLs aren't widely known and get a fair amount of first-time visitors: web presence for real-life service businesses, specialized payment portals accessed through redirects, and the like.

This is because people's mental model of the trust that EV confers is broken. People typically care about whether the site they arrived at was the one they were intending to visit, which the computer can't possibly know without additional input, but EV has attained a role of serving as a flawed signal of such, because the browser bar said something that doesn't look alarmingly different.

EV formalizes the vetting between legal entity and domain name, so it translates okay to entities that are firmly anchored in meatspace. But all of this chaining is trust in people's heads is done by names and strings, and experiments like stripe.ian.sh prove [2] why it's fallible. Nonetheless, EV effectively allows one extra indirection between (1) the name of the business as people refer and recognize it, and (2) the domain name that's likely correct, than DV does -- and some operators and some visitors benefit from this indirection, when the URL doesn't roll off the tongue.

[1] https://news.ycombinator.com/item?id=18010961#18011914

[2] https://news.ycombinator.com/item?id=15904513#15909273

[+] chias|6 years ago|reply
> literally everyone who'd want to visit Facebook knows Facebook's URL

Never forget when ReadWriteWeb posted a blog post entitled "Facebook Wants to Be Your One True Login", which ended up ranking very highly for the search query "facebook login". It was subsequently inundated with comments from angry people who hated the new redesign and couldn't figure out how to log in... believing that they were on facebook, because they googled "facebook login" and clicked the first result.

https://web.archive.org/web/20100213061037/https://www.readw...

Scroll down for the comments. It's pages and pages of people frothing at the bit looking for anywhere to enter their facebook password.

[+] danpalmer|6 years ago|reply
> literally everyone who'd want to visit Facebook knows Facebook's URL

I'm not sure I'd agree with this. I don't think most people look at or really understand URLs or domain names. I think people assume they are a lot "fuzzier" than they are, so "facebookapp.com" or "facebook.foobar.com" or anything else would be assumed to be "Facebook" by most people.

As technical people it's easy for us to assume things that feel basic to us are at least understood but I don't think it's the case. My parents do most of their shopping online, and when I was growing up we always had computers around, but I don't think either one of them really understands URLs or things like file hierarchies, or windowing systems on desktops for example.

[+] brobdingnagians|6 years ago|reply
I found the linked page from ian.sh extremely instructive. [1] Especially the part about how some browsers hide the domain name when the EV certificate is in use.

I'm with a company that uses an EV certificate for our site, mostly just to "look even more trustworthy", even though it functionally serves very little purpose for us, and in an industry where I doubt very few clients know what it really is. For large companies the cost of an EV certificate is negligible. If someone wanted to impersonate us, they would only need to change a letter or two and get a similar `.com` domain, which would be easy to do since we have a somewhat unusual name.

The linked article also talks about the possibility of people getting a shortened domain name like `g.uk` for phishing. If a company has a wide portfolio of sites, that becomes even easier since it weakens people's association between a canonical domain and the company.

I guess the main point is that the DNS records themselves are one of the most effective preventions of phishing since you need a mapping from a user intent to the site they arrived at. Domain names provide a memorable and easily "mentally verifiable" method of mapping from "facebook.com" -> Social Media, "gmail.com" -> Email, etc. for most people. But strings of characters are also vulnerable since they can be easily changed by a transposition, or other operation, to create a new domain name that looks _very_ similar. Since our minds are much better at recognizing words by the beginning and end, they are vulnerable to changes in letters in the middle.

It makes one wonder if there is a system that would allow much easier mental verifiability of that mapping, but which would still allow a large number of possibilities. Or whitelisting sites that you regularly visit and alerting an individual on sites not in the whitelist or which _resemble_ sites in the whitelist.

[1] https://www.typewritten.net/writer/ev-phishing/

EDIT: just to make clear, I think strings and domain checking mentally is a terrible model for verifying trust. But at least it kinda works some of the time, even though there are tons of vulnerabilities and problems. But probably better than typing in raw IP addresses, most of the time.

[+] linsomniac|6 years ago|reply
True, but using visual inspection of the URL is problematic too: Do you mean to be at apple.com or аpple.com?

www.xudongz.com/blog/2017/idn-phishing/
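
The allowlist-plus-resemblance check floated two comments up, and the homograph case just above, as an added example that is not code from the thread or from the linked posts. The allowlist entries are constructed samples; `registrable()` is a deliberately crude "last two labels" approximation that assumes no public-suffix list is available.

```python
# Constructed allowlist of sites the user regularly visits (sample values).
ALLOWLIST = {"apple.com", "facebook.com", "gmail.com", "paypal.com"}

def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (assumes no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def to_ascii(host: str) -> str:
    """IDNA-encode, so a host with a Cyrillic 'а' comes back as an xn-- label."""
    return host.encode("idna").decode("ascii")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'paypla' is one step from 'paypal'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(host: str, allowlist=ALLOWLIST) -> tuple:
    """Return (verdict, detail); verdict is 'allowed', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    ascii_host = to_ascii(host)
    reg = registrable(ascii_host)
    if reg in allowlist:
        return ("allowed", reg)
    # 1. Non-ASCII labels render like Latin ones but encode to a different name.
    if not host.isascii():
        return ("lookalike", f"IDN host, punycode form {ascii_host}")
    labels = ascii_host.split(".")
    brands = {entry.split(".")[0] for entry in allowlist}
    # 2. An allowlisted brand used as a subdomain of someone else's domain.
    if brands & set(labels[:-2]):
        return ("lookalike", f"brand label used under {reg}")
    # 3. Registrable label embeds a brand or is a typo's distance away from one.
    label = reg.split(".")[0]
    for brand in brands:
        if label != brand and (brand in label or osa_distance(label, brand) <= 2):
            return ("lookalike", f"resembles {brand}")
    return ("unknown", reg)

if __name__ == "__main__":
    for h in ["www.apple.com", "аpple.com", "facebook.foobar.com", "paypla.com"]:
        print(h, classify(h))
```

Real deployments would swap the two-label heuristic for a public-suffix list and tune the distance threshold, since short brand names produce false positives at distance 2.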

[+] JohnFen|6 years ago|reply
I'm one of those who doesn't pay any attention to those EV cards at all. I know I probably should, just out of completeness, but I don't. In fact, with Firefox anyway, that spot where the EV indicator goes is used for enough weird little things that I've sorta developed a blindness to anything that appears there (I'm not saying that's a good thing!)

However, if I'm going to a site that really matters, I'm not clicking on some link on a web page or email somewhere. I'm using the link I've bookmarked. So, ignoring the EV cert is probably not putting me at too much risk.

[+] syn0byte|6 years ago|reply
I (used to) implement EV certs among other duties and I don't pay attention to them either.

Step One: Create Doofenshmirtz Evil LLC.

Step Two: Register HugsAndTrustBanking.com to LLC

Step Three: Get the legal services of Dewy Cheetum & Howe to issue a letter stating Evil LLC is your legitimate business.

Step Four: Show CA "proof" of ownership for Doofenshmirtz Evil LLC and HugsAndTrustBanking.com.

Step Five: Get genuine EV cert for your shady scam operation.

Step Six: Profit.

EV certs are dumb, you can trust me on that[0].

[0] https://i.imgur.com/1dbJUQ9.jpg

[+] GordonS|6 years ago|reply
> I'm one of those who doesn't pay any attention to those EV cards at all

The point is, you'd be an outlier if you did!

[+] icebraining|6 years ago|reply
The problem is that EVs never got really widespread - even well-known, important sites never used it. So you have to remember if that particular site used to have one, which is a much harder requirement.
[+] Mbaqanga|6 years ago|reply
"PayPal really doesn't care that the world's most popular browser no longer displays the EV visual indicator."

Funny story - I was about to rant that yeah, it probably wasn't by design because Paypal still as of 2019 didn't offer 2FA which, for a payment company, was quite disturbing...

well, turns out I was wrong, they now do. I just hadn't checked in a while, and of course received no email about it when they did turn it on... or maybe just missed it. Typically something you should advertise on each login if it's not activated, but hey, who cares, it's just money after all.

[+] unilynx|6 years ago|reply
> Note: yes, I know there can be regulatory requirements for EV in some jurisdictions, but let's not confuse that with it actually doing anything useful

That exactly. Similarly confused about customers who think OV certificates are better than DV - as far as I can tell no end user knows how to tell those apart in their browser (no 'green' locks...)

[+] nailer|6 years ago|reply
Speaking of FUD:

> "the true meaning of SSL certificates"

The certificate fields for organisation, city, etc have existed and were expected to be verified since SSL was created in the nineties. Anyone who has ever made a CSR knows this.

Rolling back from checking the organisation to domain-only validation in 2003 was GeoTrust trying to increase profit margins. Again, Troy should already know this and it's surprising he doesn't seem to.

Oddly enough Troy also Tweets from a verified account, which seems somewhat unusual since a well known username should be enough according to his logic against verifying websites.

Heads up: I run CertSimple, a startup that does faster, simpler verification for EV.

[+] tialaramex|6 years ago|reply
I don't want this to end badly for you (via CertSimple), but as you perhaps come to anticipate my primary concern is always preventing Future Harm. EV hasn't been effective for that purpose.

The article I've just read never uses the phrase "the true meaning of SSL certificates" that I can see, if that was removed I apologise but otherwise I think I have to assume you're putting words in Troy's mouth.

"The certificate fields for organisation, city, etc have existed and were expected to be verified since SSL was created in the nineties. Anyone who has ever made a CSR knows this."

Anyone who understands what's actually going on here knows that these are part of the X.500 directory system and are present in Netscape's SSL because it leverages that system's X.509 certificate format. In 1999 PKIX (RFC 2459) proposes how to use this system sensibly with the Internet and the modern Web PKI largely falls out of that and its successor documents.

Prior to the CA/B Forum (and the creation of Extended Validation) the only promises you had about what, if anything, in certificates you relied on had been "verified" and to what extent, were written in the legal documents of the issuing CA. In most cases they disclaimed all or almost all responsibility to the extent possible. Their methods were... unsound.

Even today, if you run Firefox (or more or less, Android) you can actually trust that someone cares whether the validation was done properly, but it's more slipshod than any of us should want. What has Certinomis been up to for the past few years? What are all these certificates doing with ST=Some-State (yes, literally the words "Some-State", because that's the default in OpenSSL)? or L=Default City (again, the default in OpenSSL)?

I think we can reasonably conclude that the reason nobody engaged with my questions about those is that the answers would be embarrassing and they're hoping that if they stay quiet nobody will follow up by asking why they're filling this crap out (to make money) if they can't validate it properly...

[+] lmm|6 years ago|reply
How long ago was it that users didn't notice or care if the URL was http:// rather than https://? Yet no-one was declaring HTTPS dead on those grounds.
[+] scrollaway|6 years ago|reply
Apples and encrypted oranges. There's no actual technical difference between EV and DV for the end user, much unlike https vs http...

Why does my comment have to be spelled out anyway? I'm having a hard time believing you don't know that or haven't realized it.

[+] failrate|6 years ago|reply
HTTPS has a tangible benefit beyond making the user feel comfortable: it secures the information channel.