VERIFYING THE IDENTITY OF A WEBSITE
If you are viewing a website, say citi.com, for example, and believe it to actually be Citibank, then you should read the rest of this page. Suffice it to say, that unless you are a computer nerd, and a good one, you can not verify the identity of a website. The game is rigged.
There are multiple aspects to the allowed (encouraged?) identity scams for websites.
The simplest is the domain name itself and that is explained in detail on the Domain Name Rules page. As an example, is the website trust-us-we-are-citi.com really Citibank? I encourage you to read the Domain Name Rules topic.
The other issues involve the lock icon that is displayed next to the HTTPS protocol indicator. What does it really mean?
The lock icon does not mean what the public is told that it means. Techies are lying.
A lock icon means that the web page you are viewing was sent to you in an encrypted format. Period. Nothing more.
The public is told that it also means data entered in the page is sent back to the website in an encrypted format. It does not imply this. HTTPS is a command to send you a web page. Somewhere inside the page is the command for sending back any data that was entered. That command is hidden. For many years browsers would send data you entered (think password) in clear text (not encrypted) even when a web page was sent to you in an encrypted format using HTTPS. I blogged about this back in 2020. For the most part, this is no longer the case, but serves as an appetizer into the meal of lies.
THE DEATH OF IDENTITY VERIFICATION
Most importantly, the lock icon does not tell you anything about the identity of the website. In the old days, it sometimes did, but the identity verification has been removed. Without identification, there is no security. Even assuming that data entered into an HTTPS web page is sent to the website in an encrypted format, this means nothing if that data is being sent to criminals or scammers.
The lock icon comes from a file, called a certificate, that is issued by one of thousands of companies in the business of issuing certificate files. These companies are called Certificate Authorities and you know nothing about 99% of them.
There are two popular types of certificate files, those with identity verification and those without. The ones without are called DV for Domain Verified or Domain Validated. This means, no verification at all. The ones with identity verification are called EV for Extended Validation. Identity verification takes time and effort, so EV certificates cost much more than DV certificates. How much more? Infinity more. DV certificates used to cost money but now they are available for free.
In the old days, a web browser would make the difference between these two types of certificates visually obvious. Now, web browsers display the exact same lock icon for both types of certificate files. This has led to fewer and fewer organizations paying for Extended Validation (EV) certificates. And, it makes it much easier to scam/fool people. I have to assume that was the whole point.
- A web browser may display the correct something.citi.com, and yet, the website could still be a fake. To prevent this, companies that take this stuff seriously pay extra to have their identities verified. It used to be easy and obvious to tell the difference between websites with a verified identity and those site, like this one, without one. For example, citi.com used to say "Citigroup Inc. (US)" just to left of online.citi.com in the address bar. Bank of America does the same thing as you would expect any financial company to do (see example). Different browsers handle this differently but the one constant is that a verified identity is no longer any of your business. It still exists, but only for those who know where to look for it in the particular browser they are using. If the website of your financial institution has this extra identity protection, get in the habit of looking for it. If this information is not provided, take that as a bad sign about the company and its website. In techie terms, this website is Domain Validated (DV), the Citigroup and Bank of America websites have Extended Validation (EV). The home office of incompetence, Equifax, does not offer identity verification. Not a surprise. What is surprising is that neither does Amazon.com (shown in the screen shots).
- Web browsers have always been inconsistent in how they indicate that a site has had its identity verified. Worse still, each browser constantly fiddled with their padlock display. As an illustration, this Aug. 2019 image, from Twitter user Cryptoki, shows eight different browsers indicating this in eight different ways. Internet Explorer was, by far, the best. It turned the entire address bar green, a visual clue that no one could miss. Most browsers displayed the verified company name in green, somewhere on the address bar.
- An inconsistent User Interface is the good old days. As of September 2019 (give or take) there will be no user interface, at least, not one that is visible by default. The two major web browsers, Chrome and Firefox have decided to hide this. Already, many web browsers fail to indicate a verified identity in any way. Why have Google and Mozilla decided to remove the indicators of a verified identity? Because you are stupid. They won't say that directly, but that is clearly what they are thinking. They point out that non-techies do not understand what it means for a website to have a verified identity. Never mind that, in no small part, this is their own fault for not having a standard indicator. Given this lack of understanding, rather than try to educate the public, they are taking their ball home so we can't play the game. Nerds at their worst.
- Browsers will always be changing. As of January 2021, on Windows, you can tell the difference between a site with a verified identity and one without by clicking on the lock on the address bar (just left of the website name). In Chrome, Brave, Edge and Opera, if it just says "Certificate (Valid)" then there is no verified identity. However, if underneath this, it also says "Issued to: companyname" then the identity of the site has been verified. See a Chrome 87 screen shot showing it both ways. With Firefox, if it just says "Connection Secure" that is bad. However, if underneath this it also says "Certificate issued to: companyname" that is good. With Vivaldi (version 3.5.2115.87) there is no need to click, it displays a verified company identity in green on the address bar. The Vivaldi lock is also black without a verified identity and green with one. Whew.
- As with email messages, the content of a fake website can look exactly like the real thing. Anyone can copy images and text and fonts from the real site and use them to make a fake site.
SCAM CERTIFICATES
The worst aspect of not having identify verification is that even citi.com itself can be a scam. No typo needed.
The current system allows any Certificate Authority to issue a certificate to any website. Bad CAs can abuse this, resulting in a secure citi.com website that is not citi.com. A scam citi.com would look exactly like the real thing, except its certificate would be issued by a company that Citibank has no relationship with. In the old days, we could visually see the difference between an EV certificate and a DV certificate, but without this, scam DV certificates now look perfectly legit.
There are thousands of CAs. No doubt some are fronts for spy agencies.
Thousands? Web browsers use a list of roughly 170-200 root Certificate Authorities that they trust. So, we have outsourced our trust to the companies that make web browsers, Google, Mozilla and Apple. But, they too have, at times, outsourced their trust. While Firefox has its own list of trusted root CAs, other browsers don't bother, they use a list built into the operating system.
Regardless of where the 170-200 trusted root CAs comes from, it is only the starting point. Each root CA can franchise out their business. That is, a root CA can give/sell/loan their ability to make certificate files to other companies. If a root CA trusts company X, then the browser will also trust company X, even though it is not a root Certificate Authority.
How can Citibank customers defend themselves?
The first thing is to check who issued the certificate for the citi.com website in your browser. The click-stream for this is different in each browser. In some Operating Systems this may not even be possible. If you can find this information, what do you do with it? That is, suppose you see that your copy of citi.com is using a certificate file issued by TrustCor Systems? Is that the Certificate Authority that Citibank actually uses? There is no way to know.
To be clear, Citibank is just an example, I am not picking on them at all. In fact, they continue to use EV certificates (as of November 2022), so good for them.
This issue of scam certificates got some publicity in November 2022 with this article in the Washington Post: Mysterious company with government ties plays key internet role by Joseph Menn.
- The article focuses on TrustCor Systems, a company that is a trusted root CA by Google, Apple and Mozilla (for Firefox). Long story short, the company should never have been trusted. To me, the most damning part of the article is that the researchers who looked into TrustCor told Google, Apple and Mozilla their findings months ago. And, they were ignored. The whole concept of a trusted root Certificate Authority is a scam.
- In response to the Washington Post article, Cory Doctorow wrote an excellent article: Delegating trust is really, really, really hard (infosec edition) (Nov 9, 2022)