Schneier on Security
A blog covering security and security technology.
« Sneaking into Airports |
| Monkeys, Snowglobes, and the TSA »
December 21, 2006
Microsoft Anti-Phishing and Small Businesses
Microsoft has a new anti-phishing service in Internet Explorer 7 that will turn the address bar green and display the website owner's identity when surfers visit on-line merchants previously approved as legitimate. So far, so good. But the service is only available to corporations: not to sole proprietorships, partnerships, or individuals.
Of course, if a merchant's bar doesn't turn green it doesn't mean that they're bad. It'll be white, which indicates "no information." There are also yellow and red indications, corresponding to "suspicious" and "known fraudulent site." But small businesses are worried that customers will be afraid to buy from non-green sites.
That's possible, but it's more likely that users will learn that the marker isn't reliable and start to ignore it.
Any white-list system like this has two sources of error. False positives, where phishers get the marker. And false negatives, where legitimate honest merchants don't. Any system like this has to effectively deal with both.
EDITED TO ADD (12/21): Research paper: "Phinding Phish: An Evaulation of Anti-Phishing Toolbars," by L. Cranor, S. Egleman, J. Hong, and Y. Zhang.
Posted on December 21, 2006 at 6:58 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
> users will learn that the market isn't reliable
The issue seems to be the fact that only corporations will be issued the improved certs by the CAs. Microsoft is only reporting on the data.
"Guidelines for obtaining the new certificates were established by the CA/Browser Forum, an industry group, after 18 months of debate. The Forum excluded sole proprietorships, general partnerships and individuals because its members couldn't agree on criteria for validating them effectively, something some members said can be difficult."
Other browsers like Opera are also likely to present some green security info for sites with an EV certificate - this is not some Microsoft ploy to screw the small guy. Note that all this is not yet fact, only planned.
The problem is that SSL certificates are both used to create a secure channel, *and* to identify the other side. Opera 8 started showing info from the SSL certificate (the company name and country code) in the address field. Which is useful, but not fully reliable when you can buy certificates without any background check being done on you - not surprising since the cheap certificate providers use automated processes.
With EV you get a serious check before the certificate is issued. The certificate issuers love this of course, because they can charge more money for it.
The small companies, the false companies, might have a problem with this system - but then, is there a really good way to get the bona fide ones inside the EV system? Isn't it actually correct to be honest and say "well, this guy bought a certificate, so the communication channel is secure, but apart from that there is no reason to put any trust in him"?
The EV system at least allows for serious protection from online banking phishing scams. I don't think any certificate scheme can scale enough to provide real trust rating for the entire internet...
Yellow means "suspicious" in IE?
Great, a yellow URL bar in Firefox means "SSL-secured"...
"Great, a yellow URL bar in Firefox means "SSL-secured"..."
Jeeze, that was stupid of the developers. Do they all hail from some dink little community that doesn't understand the standard and accepted use of red, yellow, and green in all such matters.
The problem is, there's no simple way to tell Mom & Pop's Corner Grocery Store from Mom & Pop's Corner Identity Store. Without a thorough background check, which would have to require a fair amount of manpower and thus be quite expensive, every small fish looks the same.
It sucks, but there just simply isn't a better way. It's this or nothing.
And if I'm color blind and choose to use a monochromatic display scheme?
Yeah, Bruce, better change it before pro-market commenters start railing on you and we'll have to suffer through long-winded comments on the best security measure for all of us is to remove the state and trust market forces and the reason why no one on this blog can see the inherent logic of this stance is because we're being tyrannized unconsciously by this insidious force.
@Red Ontop: I think there's a symbol too.
"we're being tyrannized unconsciously by this insidious force."
It's almost as if it were an invisible hand :^)
Wasn't this the point of having CAs in the first place? If you use a self-signed certificate (which is perfectly good for supplying a secure channel, just worthless for identifying yourself) , browsers pop up a warning. The point of the signed certificates is that the CA has validated your identity, so the certificate is good for both purposes. Of course, in practise, the CAs never did anything significant to validate your identity, making CA-signed certificates basically a scam --- a "mordida" you have to pay to an approved company in order to not frighten off customers.
I give the EV system six months to a year before it becomes the same thing --- all it does is what CA-signed certificates were supposed to do in the first place, and it's subject to the same market pressures that made CA-signed certificates a failure.
I'm not sure if this whole EV certificate scheme is a good idea or not. I can understand the desire to make the security aspect of online shopping simpler to keep those dollars flowing.
My problem with this is that like many security decisions, the question is more complex and requires you to make some sort of judgment. With certificate trust, the advice that people have been given has been spectacularly bad. I saw a news program just the other day on online Christmas shopping that said that it was OK to use your credit card as long as the lock icon is displayed.
Rather than coming up with some new kind of certificate, it is not possible to come up with a browser feature than helps the average online shopper understand the site’s certificate chain and make an informed decision?
"market" --> "marker" typo corrected. Thanks.
Marking sites as safe is not a good solution. It is not scalable (this has to be done from now until god knows when). Nor is it very fair to anyone but the privileged. This tactic will be struck down soon enough.
MS is better off playing the role of a blacklister (which itself is only slightly more scalable) where known bad sites are blacklisted and marked red.
Is that a solution? No, but then again, I don't think a real solution exists for this problem without cutting deeply at the ability for any individual to start his or her own company with the same rights and opportunities as other businesses.
And don't forget, malicious companies are around all over and are sometimes very hard to determine as malicious. Look at how often "marketing" or "aggressive new technology marketing" companies are really just adware/spyware/spam shops. They will game this system and make it even less reliable.
Microsoft is dreaming about owning the world and being the sole judge of what is good or bad! Just like in the old days, it is not wise to rely on one source for deciding who to deal with. Check the phone book, company register, homepage, google and give them a ring asking them to send a brochure and a letter on company stationery before doing serious business with someone. If it is big money at stake, you won't be able to avoid a handshake and a look in the eye.
Doesn't it make sense ?
Either with or without SSL. SSL means private/sensitive info will likely be transmitted, so yellow makes total sense, it warns you of this.
You just have to look at it in context. Try to see that context, then try to think in that context, and you'll see how it makes sense.
[ Unless it really was a troll, in which case sorry for the feed. ]
I am only forced to use IE7 when I use windows update. Otherwise it is Opera or Firefox 2 for me please.
This makes sense for companies like PayPal. Companies that are frequent targets for phishing attacks.
There is no "magic bullet" to prevent phishing so by eliminating what you can by providing an additional check against well established corporations which are frequent targets or have a good potential for phishing attacks.
Preventing smaller companies or companies who have little risk of being victimized by phishing helps prevent criminal organizations from 'gaming" the system.
I think the rate of false positives & false negatives will be low, considering what I've heard from Verisign.
I was curious about how much it would really cost someone running a small online business to become a corporation and get an EV certificate. Guesstimes based on some quick web searches:
Initial cost of incorporation: $2000
Yearly filing fees: $200
Yearly cost for EV cert: $300-$1000 (lots of price variation between vendors, not sure why...)
Of course, there are other options for small businesses. They could set up a store front on eBay, for instance.
If you use a self-signed certificate (which is perfectly good for supplying a secure channel, just worthless for identifying yourself)
Uhm, no they're not. What is a secure channel if not one where you know to whom you're talking to? Read up on Man-in-the-middle attacks.
There is a good chance the a-posteriori likelihood of a site's being phishy will be greater if the toolbar is *green*, as phishers will make sure they get the label.
The Firefox URL bar isn't yellow, it's gold - to match the background colour the lock always used to have in earlier browsers. Microsoft then came along and defined yellow to be something else. [sigh]
What I'd really like to see from Bruce is an assessment of whether the evaluation criteria posted on http://www.cabforum.org/ will actually do a good job at confirming that the business in question is who they say they are. They are EV's barrier against the "race to the bottom" we see with current certificates, and could do with some 3rd party evaluation.
I don't think the cert or the process to get the cert in this case is going to be the weakness of this system. The likely failpoints are going to be in IE itself as phishers look for ways to produce false positive results in lieu of having a valid EV cert.
Yellow means "suspicious" in IE? Great, a yellow URL bar in Firefox means "SSL-secured"...
Posted by: Paeniteo at December 21, 2006 08:47 AM
Jeeze, that was stupid of the developers. Do they all hail from some dink little community that doesn't understand the standard and accepted use of red, yellow, and green in all such matters.
Posted by: Timothy at December 21, 2006 09:01 AM
As a strategic marketing guy myself, who aspires to conduct my work in ethical and trustworthy ways with my family’s small business, I wouldn't chalk this up as an accident.
Firefox had capabilities that IE was lacking for some time now, that is until IE 7 for the most part.
Will Firefox have to redesign it's "Yellow = SSL-secured" system, and aggressively promote it (redesigned or not) in the face of the giant IE? Maybe for redesign, probably for promotion. Will this perpetuate the hesitancy of web browser users to even try Firefox? Probably. Will all of this strengthen IE and Microsoft's position in the web browser market? Probably.
So, do I think it was an accident? Not likely.
You know, it really bothers me how some marketing people can twist what I consider is a great field of study into a manipulative and abusive activity. Just read Bruce’s blog entry “Auditory Eavesdropping��? from December 19 for an example.
What I learned about marketing from 7 years of business school is easily comparable to battlefield tactics. Where are you in the field (market)? What is the competition’s capabilities? What are their likely responses to our strategies? Do we do a frontal assault (an example of this is IE 7 now having tabbed browsing like Firefox, attacking Firefox’s product differentiation tactic) or do we do flank attacks (the buzz word for this is guerilla marketing)? You get the picture.
The problem is, there are rules of engagement on the battlefield and in war. There are supposed to be rules in business. But this is totally getting out of hand! Which tells me the rules aren’t good enough. And it will continue to get worse, in my humble opinion, if people do not take on the responsibility to educate themselves – the “Buyer Beware��? condition corporations tend to hide behind and abuse.
When you are offered a phone like the one in “Auditory Eavesdropping��?, read about it, consider it and your rights and the rights of everyone around you – get educated about it. These kinds of manipulative and abusive activities will be discovered and made public, hurting their sales (hopefully) and therefore constraining part of their run-away train like use of marketing.
Complacency and technological apprehension are not to be accepted as reasons why these kinds of things continue to get more out of hand.
Obviously it isn’t just the consumer’s responsibility. But what are the corporations doing in terms of ethical responsibility? And how are they being held accountable to follow the rules? Consumer education is our first line of defense – it’s Buyer Beware for a reason.
Thanks for the soap box! Sorry for the length. I really enjoy the blog and the Cryptogram!
How convoluted can this be?
And it provides NOTHING more than the notification that the site has paid the money for a green listing. Really. That is all that it does.
Now, this MIGHT reduce phishing or fraud simply because the phishers/fraudsters are not very likely to have put that much money into their site ... yet.
But the focus is completely WRONG. The CA's have no means of tracking, in real time or even near time, the amount of fraud perpetrated by a site. So a green site CAN be committing fraud AFTER they've paid for their green listing.
And who will accept responsibility for that when it happens? Will it be the people who marketed the browser or the CA?
The antiphishing filter used by MS is based on a service from Digital Resolve - you get the red address bar if you hit a phishing site on their list.
The EV SSL certs are different, but related. In IE7, if you have the antiphish tool turned on AND the website has an EV cert, then you get the green chrome plus an extended "security report" which shows the name and address of the site operator as vetted by the CA under the EV Guidelines. Additional information on the site operator's incorporation are in the SSL cert but not displayed. All other types of SSL certificate will act as before, displaying the yellow padlock.
EV came about as a response to the "downward" pressures in the SSL market, where there is no consistency across CAs in the measures used to vet SSL applicants. Some certs are intended for encryption only (and have little or no vetting on the website owner's identity), where as others provide varying levels of reliance that identity has been confirmed. To make matters worse, browsers showed the same padlock for a no-validation cert as for a more reliable org-vetted cert.
With EV, only CAs who are audited for compliance to the EV Guidelines may issue EV certs. The EV Guidelines lay out a standardized vetting process that attempts to firmly establish the identity and authority of the site operator by looking at their physical, legal, and operational existence; their right to use the domain; and the identity and authority of their personnel involved in the cert procurement. The Guidelines also specify minimum standards for subscriber agreements, expand upon the WebTrust requirements for the secure and reliable operation of the CA, and require enhanced capabilities to respond to revocation requests as well as reports from the public that a cert is being misused.
Due to the complexity of the vetting and their approaching deadlines for IE7/Vista, Microsoft decided to constrain the initial rollout to private organisations (ie registered companies) and government entities. However, the CA/B Forum is committed to expanding the regime to include sole proprietors and other business structures as soon as possible, taking into account international data protection laws when dealing with individuals' personal data.
Some more details are here: www.cabforum.org/ and at http://blogs.msdn.com/ie/archive/2006/11/07/...
At this time EV is only supported in IE7. Opera has announced support "when ready" and the hope is that Mozilla will also pick it up.
There are many factors being overlooked here. First off, it's worth noting that the "Green bar" is only activated if certificate revocation checks were passed, which means that even if a phisher were able to get an EV certificate (leaving the CA with plenty of info for law enforcement), the CA can immediately revoke it if misused.
Also, note that EV is separate from the real-time antiphishing service available in IE7.
The fact that the CABForum didn't bow to pressure and permit a weaker system of validation for sole proprietorships to get the certificate is proof that they're keeping the standard solid. They will eventually come up with a good standard for evaluating such sites and at that time, the vetting process will be added to the standard.
Firefox is indicating SSL secured. It is not indicating "safe". You have no idea what is on the other end. Yellow is a better colour for that than green.
Since at least once in the past MS let one of its domain registrations expire and it was renewed by someone else, it'll be interesting to see what happens when their certs expire.
I still have to wonder if this just isn't going to further confuse users about what exactly is being affirmed when they see green. I worry that a lot of users are going to actually think it makes a merchant more trustworthy (that they store sensitive info safely, that they won't screw them over) and not simply that the information is protected in transit, and the name they see on the cert is who they are communicating with ... not that the data is safe when it gets there, or that the entity is actually trustworthy. Fine that the cert can be revoked, but the entity actually has to be found out to be committing some kind of fraud, and Alice or Bob aren't going to feel so great about the revocation AFTER they've already been screwed over because they thought green implied trust.
For a more firsthand account of the meeting that kicked this off, see http://blogs.msdn.com/ie/archive/2005/11/21/...
The IEBlog also links to postings from Mozilla, Opera, and KDE (though Opera is a broken link now).
@george: "Otherwise it is Opera or Firefox 2 for me please."
@Gerv: "Microsoft then came along and defined yellow to be something else. [sigh]"
@Jonesy: "So, do I think it was an accident? Not likely."
What a coloured address bar won't tell you is how safely the site will handle your information. Do they save your CC#? Do they encrypt it? Do they scrub it? From logs? Do they have adequate security on their CC# database?
That is all handled by PCI compliance. It's not possible for things like your government assigned identity and DOB, but it would be nice if you could check a sites level of PCI compliance based on the cert they present to you.
As an aside, although anything is possible, I think it would harder for a phisher to get PCI compliance than an EV cert.
I've managed to bypass both Opera's new phishing filter as well the new FireFox phishing filter last year, it's very easy and done with IP obfuscation. Another proof that blacklisting just don't work.
see results and proof: http://www.jungsonnstudios.com/blog/
1. Shop online, find what you want, then call the toll free number.
2. Get off your lazy but and go to the store.
3. DO NOT GIVE PERSONAL INFORMATION ONLINE!!! (I thought that was a gimmee)
4. Do not give information if it is solicited. That is a SURE sign that it's a phishing expedition.
5. Any technology that Microsoft has a hand in creating is a GUARANTEE phishing expedition.
6. Any technology that leaves out mom and pop is a coorporate scam to make more money.
To deny the truth of any of these solutions is just asking for trouble.
This is a thinly veiled protection racket. You're a sole proprietorship, general partnership or individual? You will be labeled as a possible phishing site, and lose potential customers. You are a small (or large) business? Pay up the $1300.00 per year, or you will be labeled a possible criminal and lose business too.
These certificates offer the business nothing of value. Pure racketeering, and even slanderous in nature.
This does little to actively protect the consumer, and once this gets hacked (my guess is sooner than later) it will do nothing to protect consumers. This only works in favor of large corporations by decreasing competition.
It has been claimed that the issue with small businesses & EV certs is moot, because Google checkout is getting more popular, paypal and ebay will surely get EV certs, and within a few years from now many online merchants will be providing paypal and Google checkout options.
Some small business prefer not to use third party 'shopping cart' services. This increases their overhead, and once again funnels money from the little guy into the pockets of corporations. Many small business owners are loathe to relinquish any control over their business. Also, some people find writing and maintaining their own (or FOSS) shopping cart to be just plain fun! Not to mention educational.
So, the solution for small business is to either PAY Entrust, or PAY Google et al? Not a solution, afaic. It's a scam.
I can't believe this doesn't violate anti-trust laws or racketeering laws. It's hostile to small businesses and completely excludes sole proprietorships, general partnerships and individuals, as they aren't even eligible for the green bar 'status.'
This causes far larger problems than it solves. This only marginally protects the stupid (who fall for phishing scams) and deals out serious punishment to the honest business owner. I predict we will see many small web-based business go under because of this. Another anti-entrepreneur blow from the capitalist elite.
To summarize: This punishes honest businesses for criminal activity they don't condone or participate in. This doesn't punish phishers. This doesn't protect consumers. 'Protection racket' is an accurate assessment. This stinks of greed, plain and simple.
Another way to look at this is 'Presumed guilty until innocence is bought.'
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.