Ryan Hurst of Google, who I agree with in majority of the cases, have put this post where he rightfully argued about the work that needs to be done to make EV certificates more relevant.
I couldn’t agree more! He is spot on when it comes to problems with EV and he has my 100% support in the industry to make all these happen. I will proactively be pushing for these changes.
Remember I said “agree with him in majority of the cases”…….here is a minority issue I feel we should expand on…Its not a “Yes but” its a “Yes and”.
Here is one of Ryan’s statement that got me thinking:
“This is relevant in this case because if all pages are encrypted what value does a positive trust indicator have? None. This means that when all HTTP pages get marked “Not secure” we will probably see the lock icon disappear.”
We are talking about a “Value”….Value is the direct result of a resolution to a problem. Something only has a value if it does solve something for you or give you a positive utility.
So, before we can talk about the value we must understand what the problems are! But problems for whom? Before we can identify the problems we must first identify the actors involved..
We are talking about the internet eco system…..I will try to summarize….
1)End users
2)Site Operators
3)Browsers
4)CAs
5)Email (client) providers
6)Cloud providers
I am sure this is not an exhaustive list, but good summary for the purposes of this blog. When a user is using his/her browser the interaction is happening with Site Operators, Cloud providers facilitated by the browser.
So lets start from the most important actor in the internet ecosystem…the “end user”….what problems do they perceive that they want a solution for?
I am sure i will miss many, but here are few I know end users need that I hear from our user base all the time.
1) Users want Transit Operator Protection – for example, ISPs etc..
2) User’s knowing they are where they intended to be..I clicked on that link and wanted to go to PayPal….am I at Paypal site?
3) User’s want to know if its “safe” to interact with the website….just went to this budding new ecommerce site..is it safe to do business with them?
4) User’s want to be able trust the content they see (eg: having ability to validate VISA, Paypal logo etc)…in this “fake news” era, how do end user know know the content/logo they see is authentic (in that the site is authorized to display it)?
Now I would like to “map” these problems to “solutions” that are available today to see what solves which problem.
Lets dig deeper into what the map means and definition of the fields…First of all the threat model differs based on the user “typing the domain” on keyboard vs “clicking on a link” to visit the domain name. Also threat model must consider if there is “Pre-established trust” with the site operator or not. For example, I trust Amazon and Amazon.com, its a pre-established trust relationship. Therefore we have to consider the method of navigation as well as if there is a pre-established trust or not, with available solutions to see if we are delivering value or not.
Because we have “identified” ISPs etc, we can say DV offers value against these “Identified” targets. I say “identified” purposely, because its not a carte blanche to claim it stops all eavesdroppers..it does not. One can only confidently claim it stops identified eavesdroppers like ISPs etc. I have written extensively on the subject.
So for
1)Protection from Identified Transit Providers.….current solutions will all provide the necessary protection hence value. In order to provide this value, “encipherment” would be enough (please note “encipherment” vs “encryption” are two distinct processes).
Ok great…we made sure ISPs can no longer block and replace the ads, we made sure they can’t inject their affiliate IDs for ecommerce…we could argue over a beer who would benefit more from this end users vs big ad companies like google…but fair to assume both will benefit…..but end users want more ….
2)Validating that end user is where they thought they were: Again depending if the user types the domain and if the user has a pre-established trust with the domain or not, a DV certificate will provide this assurance in this narrow use case of user “typing the domain” to go to a domain the user a “pre-established” trust. For example going to Amazon.com where I trust Amazon (pre-established) by typing the domain in my browser. If I receive a link on an email asking me to click to go to Amazon, because these links cannot be trusted, one cannot say DV will provide that validation to the user. In today’s environment majority of phishing happens via “asking users to click on a link”. Other solutions like OV, EV because they have the identity of the end entity are capable of providing this validation. Of course although the validation information exist for the end user, its upto the browser providers to display it in a manner that is understandable for the end user. Sometimes people conflate the capabilities of the certificates where validation information exist with the browsers choice of how they should be displayed. The key is how browsers display this information.
3)User’s want to know if its “safe” to interact with the website: All well and good that end user now knows who the site operator is, but the ultimate question is can the end user trust this site operator to interact with? How will the end user to know? Do end users have to go through trial and error to figure out what is trustworthy what is not? Imagine you had to do that in the physical world… you had to try out all the restaurants to find out the one that doesn’t poison you. Not sure how many people would survive. This very problem has caused Internet to be a money machine for the rich and famous..That is why we only shop with the “brands we trust”….that is why internet hasn’t happened for the small to medium ecommerce yet. Because there is no capability to tell end users…Hey its ok, these guys are trustworthy to do business with! There are millions of 100% trustworthy legitimate businesses out there that are not big brands. They have no way of telling their site visitors they are trustworthy….this is why end users go back to big brand websites to conduct their ecommerce….I don’t think this is right. We have to empower these small to medium businesses with capability so that they can tell their site visitors they are trustworthy. This will not only benefit these small businesses but immensely benefit end users by opening up ecommerce and level the playing ground. None of the certificate types provide this capability. I believe CAs MUST bring this capability to end users and businesses as soon as possible.
4)Trust the content they see (validate VISA, Paypal logo etc): Internet is one big Content serving engine. It serves content and it allows us to interact with them. Is content valuable? Of course some are. Anything of value must be verifiable, otherwise it cannot be valuable. In old days, content was delivered to us via the channels we trusted. Whether CNN or FOX News delivering content, we trusted the channel, hence all the content they delivered. Newspapers, we all had one that we trusted… The world changed. Instead of having channels we trusted, content started pouring from peer to peer. We no longer have channels, internet burst that open. Lets give one simple example, you go to a site you see a VISA/MasterCard logo. How can a user validate that Visa/MasterCard have authorized them to display that logo on that particular site? They can’t! So a piece of content like VISA/MasterCard logo that is hugely valuable 
Has ZERO value to end user because they were not able to validate its legitimacy. Did Visa/Mastercard really authorize this website to display this logo? Unless we empower end user to answer this very question, it will continue to have ZERO value for end users.
In reality, not only did this not offer any value to end user, because of this very fact of “Inability to validate” these logos are used where they are not supposed to be, causing harm to end users. This is a stark example of how an immensely valuable content like Visa/MasterCard logo has ZERO value to end user because user cannot validate its legitimacy. That is exactly why end users want the ability to validate content. That is exactly why the industry must work together to bring this value to end users.
Here is a thought experiment
:
Imagine we removed all the means and technology to validate dollar bills…now you are living in a world simply cannot tell if a piece of paper you just got handed is a dollar bill or just piece of paper.
If you can’t validate, then both pieces of paper have no value. Imagine the chaos that would ensue if we had no way of validating value in the physical world! It would be sheer chaos! Well in digital world, we are starting from that very basic state of chaos. We have to move away from that state of chaos by validating and protecting what is of value! Just like we validate and protect what is of value in the physical world!
-With a little help from friends