Commentary by Mark Wahl

Organizing principles for systems:
Browsers Leveraging PKI for Anti-Phishing (2005/11/23)

Rob Franco in the Microsoft Internet Explorer Weblog discusses Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

If the browsers and the Certification Authority industry can generate better guidelines to identify web sites, we [Microsoft] want to take the experience in the address bar a step further to help create a positive experience for rigorously identified HTTPS sites. We have implemented a green-filled address bar in IE7 for sites that meet future guidelines for better identity validation. Along with the green fill, our current design for the address bar includes the name of the business alternating with the name of the third party Certification Authority who identified the business. We think this alternating presentation of business name with Certification Authority name is the right balance of user notification and simplicity.

I know that Frank and Gerv from Mozilla, George from Konqueror and Yngve and Carsten from Opera have their own thoughts for an improved certificate standard and how they would handle that in the user experience.

I wish we could promise you that you will see this experience in IE7 and its equivalent in other browsers but there are a lot of details to work out before browsers can differentiate SSL sites based on how well vetted they are. For this to work, Microsoft, Mozilla, Opera and Konqueror, amongst others, think there should be some common validation guidelines for rigorous website identification. There is a lot of preliminary agreement but also a lot of work to do. The American Bar Association Information Security Committee is providing a forum to pursue this.

The ABA Information Security Committee plans to discuss guidelines for SSL/Organizational Certificate Issuance, presumably extending the document it produced in 2001, Guidelines to help assess and facilitate interoperable trustworthy public key infrastructures.

Section D.3.1.4 of the 2001 guidelines discusses the requirements for uniqueness of names, although that discussion focuses on certificates issued to different individuals who share the same name, and on the possibility that an individual repudiates a certificate by claiming it was intended for another individual with the same name.

Section D.3.2.1, on the recognition, authentication, and role of trademarks, does not assume that CAs will scan certificate requests and automatically reject those whose subject names contain potentially-infringing trademarks; it assumes only that CAs have a dispute resolution procedure in place.

Today, many phishing sites are hosted on domains which have no relation to the target site's domain name; e.g. some of the Paypal phishing attacks I've seen this month come from:

Host                  Location
andreeea.com          unknown (dynamic dns)
medicallab.com.tw     Taiwan
down.ktfevent.com     S. Korea
login-user9427.info   unknown (dynamic dns)
ns.nagano-it.com      Japan
195.5.25.218          Ukraine

Should a 'green bar' or other indication of a known-good site exist in the future, phishers will likely attempt to obtain that indicator for their own sites in order to convince more victims to interact with them.

Suppose that the criterion for a green bar is that the site's public key certificate indicates that the issuing Certification Authority (CA) first determined (e.g. through WHOIS) which organization controls the domain name, and then verified that this organization is registered with its government's business registry.

Thus the phishing attacker would

or alternatively

If the end user has been trained to accept a web site with a plausible name and a green bar as being valid, e.g.

http://www.paypal.com/ Paypal, Inc. VeriSign Trust Network

The end user might then also accept

http://www.paypal.sm/ Paypal Inc., SpA. Another Trust Network
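The two address-bar displays above, together with the unrelated phishing hosts listed earlier, are exactly the inputs a client-side or proxy heuristic would need to tell apart. The following Python is an added example, not part of this commentary and not the code of any browser or CA: it classifies a hostname plus the organization name a green bar would display against a small brand table. The brand table, the public-suffix list and the legal-form word list are deliberately tiny, constructed stand-ins for real data (a real implementation would use the public suffix list and a maintained brand registry).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed brand table (an assumption for this example): the registrable
# domains a brand actually owns and the organization name its certificates carry.
KNOWN_BRANDS = {
    "paypal": {"domains": {"paypal.com"}, "org": "PayPal, Inc."},
}

# Constructed stand-in for the public suffix list; two-label suffixes are
# tried before one-label ones so "com.tw" wins over "tw".
PUBLIC_SUFFIXES = {"com.tw", "co.uk", "com", "net", "org", "info", "tw", "sm"}

# Corporate-form words dropped when comparing organization names, so that
# "Paypal, Inc." and "Paypal Inc., SpA." are compared on the name itself.
LEGAL_FORMS = {"inc", "incorporated", "ltd", "limited", "llc", "plc", "corp",
               "corporation", "co", "spa", "sa", "gmbh", "ag", "srl"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Registrable domain of a hostname (the part a registrant controls), or the
    literal address when the host is a bare IPv4 address."""
    host = host.strip().lower().rstrip(".")
    if IPV4.fullmatch(host):
        return host
    labels = host.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def name_tokens(text: str) -> list:
    """Lower-case alphanumeric tokens of a name with legal-form words removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in LEGAL_FORMS]


@dataclass
class Verdict:
    host: str
    registrable: str
    brand: Optional[str]
    status: str  # "verified", "org_mismatch", "lookalike" or "unrelated"


def assess(host: str, displayed_org: Optional[str] = None) -> Verdict:
    """Classify a site by its hostname and the organization name a green bar
    would show. A known brand's name appearing in the hostname or the displayed
    organization, on a registrable domain the brand does not own, is the
    paypal.sm pattern from the text and is flagged as a lookalike."""
    reg = registrable_domain(host)
    host_tokens = set(name_tokens(host))
    org_tokens = set(name_tokens(displayed_org)) if displayed_org else set()
    for brand, info in KNOWN_BRANDS.items():
        expected_org = set(name_tokens(info["org"]))
        if reg in info["domains"]:
            # Right domain; still confirm the displayed name is the brand's own.
            if displayed_org is None or org_tokens == expected_org:
                return Verdict(host, reg, brand, "verified")
            return Verdict(host, reg, brand, "org_mismatch")
        if brand in host_tokens or brand in org_tokens:
            return Verdict(host, reg, brand, "lookalike")
    return Verdict(host, reg, None, "unrelated")


if __name__ == "__main__":
    # Constructed inputs taken from the displays and the host list in the text.
    samples = [
        ("www.paypal.com", "Paypal, Inc."),
        ("www.paypal.sm", "Paypal Inc., SpA."),
        ("medicallab.com.tw", None),
        ("down.ktfevent.com", None),
        ("195.5.25.218", None),
    ]
    for h, o in samples:
        v = assess(h, o)
        print(f"{h:22} {v.registrable:22} {v.status:13} brand={v.brand}")
```

The point of the `lookalike` branch is that the check keys on the brand token rather than on the certificate's validation level: a CA that has genuinely verified "Paypal Inc., SpA." in a business registry still issues a certificate for a domain the real brand does not own, so the organization name and the registrable domain have to be judged together, not the green fill alone.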