Difference between revisions of "EV Cert"

From MgmtWiki
Jump to: navigation, search
(Problems)
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
Extended [[Validated|Valitions]] Certificates for SSL [[Web Site]]s with added [[Assurance]].
+
Extended [[Validated|Validation]] Certificates for SSL [[Web Site]]s with added [[Assurance]] as to the real-world identity of the [[Enterprise]] hosting the site.
  
 
==Context==
 
==Context==
Internet [[Relying Party|Relying Parties]] need to perform [[Knowledge]]-based functions to determine if the current request by a [[User]] should result in [[Authorization]] of access.
+
In response to concerns that TLS (HTTPS) encrypted interchanges could not be [[Validated]] by regular users, the CA|B forum created an audited from of certificate to satisfy users concerns. It has not lived up to expectations.
  
 
==Problems==
 
==Problems==
.
+
Ian Carroll summarized some of the issues [https://stripe.ian.sh/ on the CA|B Forum site] which includes this comment EV "certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company "Identity Verified". Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for [[Phishing.]]"
 +
===Links to other problems with EV===
 +
*[https://www.cyberscoop.com/easy-fake-extended-validation-certificates-research-shows/ It's easy to fake Extended Validation certificates, research shows] (2017-12-12)
 +
*[https://www.bleepingcomputer.com/news/security/extended-validation-ev-certificates-abused-to-create-insanely-believable-phishing-sites/ Extended Validation (EV) Certificates Abused to Create Insanely Believable Phishing Sites]
 +
*[https://www.typewritten.net/writer/ev-phishing/ First part of Phising with EV]
 +
*[https://stripe.ian.sh/ Extended Validation is Broken] (2018-04-29)
 +
*Deciper [https://duo.com/decipher/new-ca-focus-ev-certs-wont-stop-phishing new CA focus on EV certs wont stop Phishing]. (2018-07-03)
  
 
==Solutions==
 
==Solutions==
The
+
There appears to be little reason to expect that the CA|B (Certificate Authority | Browser) forum will come up with a user-centric solution, so some other forum may be required. See the following sites for alternatives:
 
+
#[[Trusted Identifier]]
 +
#[[Trusted Location]]
 +
*[https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ Upcoming Change to Chrome's Identity Indicators] will alter the Chrome UI and force user to look for security information. This comes because the users empirically do not alter their behavior based on the existing UI. (2019-08-09)
  
 
==References==
 
==References==
Line 18: Line 26:
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
[[Category:Authorization]]
+
[[Category:Authentication]]

Latest revision as of 11:24, 20 June 2022

Full Title or Meme

Extended Validation Certificates for SSL Web Sites with added Assurance as to the real-world identity of the Enterprise hosting the site.

Context

In response to concerns that TLS (HTTPS) encrypted interchanges could not be Validated by regular users, the CA|B forum created an audited from of certificate to satisfy users concerns. It has not lived up to expectations.

Problems

Ian Carroll summarized some of the issues on the CA|B Forum site which includes this comment EV "certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company "Identity Verified". Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for Phishing."

Links to other problems with EV

Solutions

There appears to be little reason to expect that the CA|B (Certificate Authority | Browser) forum will come up with a user-centric solution, so some other forum may be required. See the following sites for alternatives:

  1. Trusted Identifier
  2. Trusted Location

References

https://cabforum.org/extended-validation/