[fc-discuss] Financial Cryptography Update: Major Browsers and CAs announce Balkanisation of Internet Security

iang@iang.org iang@iang.org
Wed, 22 Feb 2006 00:06:48 +0000 (GMT)

 Financial Cryptography Update: Major Browsers and CAs announce Balkanisation of Internet Security 

February 21, 2006

GeoTrust, recently in trouble for being phished over SSL, has rushed to
press a defensive PR that announces their support for high assurance
SSL certificates.  As it reveals a few details on this programme, it's
worth a look (sorry, no URL).

The new High Assurance SSL certificate standard, which is being defined
by leading browser companies including Microsoft, Mozilla and Opera, in
partnership with Certificate Authorities including GeoTrust and
VeriSign, as well as the American Bar Association Information Security
Committee, will entail a higher level of business verification than any
Certificate Authority's current vetting methods. Additionally, High
Assurance SSL certificate identity information will be clearly
displayed in the new-generation browsers, so that consumers will easily
be able to discern that they are indeed at the site they think they
are, and not a fraudulent version of a popular website.

The new specification for verifying identities for the new High
Assurance SSL certificate is expected to be finalized in the coming
months. The vetting process will be much more comprehensive than any
Certification Authority's current vetting standards, which primarily
rely on email and faxed information, database lookups and phone calls
before issuing an SSL certificate. Today, these processes vary from
Certificate Authority to Certificate Authority, and encompass an array
of manual and automated processes. Key to the new High Assurance
certificates is a standardized process across Certificate Authorities
for verifying information that will include: verifying the
organization's identity; verifying that the would-be purchaser has the
legal authority to make the SSL certificate request for that
organizational entity; and confirming that the entity is a legitimate
business, not a shell or false front entity.

OK, what can we learn from that?  The browser manufacturers and the CAs
have teamed up.  Mozilla and Opera are being teased out of the closet.
The specification has not been completed, but the "speed" of the
phishing onslaught is overtaking the measured response of the ones that
know better.

My own view of this is that it won't work out as well as the champions
are yelling it will.  Primarily, it will simply shift the traffic to
other areas, until a new balance is reached.  In some sense this could
be ludicrous, as salesmen run around following phishing victims to sell
them HA certs.  In other senses, the sense of strategic gameplay for
those who know is just too amusing for words.  In yet other senses, it
proves the branding model, and proves the liability model.  Unforeseen
consequences in spades.

When the new balance is reached, the High Assurance will be Highly
Breached, just like the GeoTrust cert of last week.  That doesn't mean
that this won't do some good - it surely will.  But with that good
comes a huge price tag, and frankly, it looks like it is not worth the
price that user sites will have to pay.  Especially in comparison to
the better and cheaper solutions that have been designed and developed
over the 2-3 years since this was first proposed.

A Microsoft Internet Explorer developer's weblog has published
extensively on the new security features in IE 7, the work of the
browser and Certificate Authority initiatives, and includes examples of
how the new High Assurance SSL certificate information would display
within the new Internet Explorer browser. This information can be found

Chris Bailey, GeoTrust's chief technical officer stated: "For over a
year, a dozen companies have been meeting to find new ways to address
the issue of phishing and restore consumer confidence in online
transactions. The result is that we will have one standard, with a
thoroughly defined vetting process, for the issuance of High Assurance
SSL certificates. While not every site will require them, it is our
view that financial institutions and large e-tailers will want to
convey this added assurance to their customers."

Yet more concerning is the introduction of a standardised process
across CAs that will dramatically increase the cost of these certs.  A
dozen of them have been meeting for a year!  So all this spells bad
news for smaller browsers and smaller CAs, who have been excluded from
the meetings and are presumably going to be pushed to implement a
standard they have no control over, after everyone else has done so.
Or not as the case may be.
