A Defensive Computing Checklist, by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

VERIFYING THE IDENTITY OF A WEBSITE

If you are viewing a website, say citi.com, and believe it to actually be Citibank, then you should read the rest of this page.

There are multiple aspects to the allowed (encouraged?) identity scams for websites.

The simplest is the domain name itself and that is explained in detail on the Domain Name Rules page. As an example, is the website trust-us-we-are-citi.com really Citibank? I encourage you to read the Domain Name Rules topic.

The other issues involve the lock icon that is displayed next to the HTTPS protocol indicator. What does it really mean?

The lock icon does not mean what the public is told that it means. Techies are lying.

A lock icon means that the web page you are viewing was sent to you in an encrypted format. Period. Nothing more.

The public is told that it also means data entered in the page is sent back to the website in an encrypted format. It does not imply this. HTTPS is a command to send you a web page. Somewhere inside the page is the command that sends back any data you entered (the address a form submits to), and that command is hidden from you. For many years browsers would send data you entered (think password) in clear text (not encrypted) even when the web page was sent to you in an encrypted format using HTTPS. I blogged about this back in 2020. For the most part, this is no longer the case, but it serves as an appetizer into the meal of lies.
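As an added illustration of that hidden "send back" command (example code written for this page, not from the original): the address a form submits to lives in the page's HTML, and a small parser can list every form target and flag any that leaves HTTPS. The page URL, the HTML and the hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormTargetScanner(HTMLParser):
    """Collect where each <form> in a page sends its data."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attrs = dict(attrs)
        # A missing or empty action submits to the page's own URL; a relative
        # one is resolved against it, the same way the browser does it.
        action = attrs.get("action") or self.page_url
        self.targets.append(urljoin(self.page_url, action))


def insecure_form_targets(html, page_url):
    """Return the submit URLs whose scheme is not https, i.e. forms that
    would send what you type in clear text even though the page itself
    arrived over HTTPS."""
    scanner = FormTargetScanner(page_url)
    scanner.feed(html)
    return [t for t in scanner.targets if urlsplit(t).scheme != "https"]


# Constructed sample page: two forms, one of which posts over plain HTTP.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post"><input name="password"></form>
<form action="http://tracker.example/collect" method="post">
  <input name="email"></form>
</body></html>
"""
```

This only sees what is written in the HTML; a script on the page can change a form's target at submit time, so treat the result as a lower bound.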

THE DEATH OF IDENTITY VERIFICATION

Most importantly, the lock icon does not tell you anything about the identity of the website. In the old days, it sometimes did, but the identity verification has been removed. Without identification, there is no security. Even assuming that data entered into an HTTPS web page is sent to the website in an encrypted format, this means nothing if that data is being sent to criminals or scammers.

The lock icon comes from a file, called a certificate, that is issued by one of thousands of companies in the business of issuing certificate files. These companies are called Certificate Authorities and you know nothing about 99% of them.

There are two popular types of certificate files, those with identity verification and those without. The ones without are called DV for Domain Verified or Domain Validated. This means no verification of identity at all. The ones with identity verification are called EV for Extended Validation. Identity verification takes time and effort, so EV certificates cost much more than DV certificates. How much more? Infinitely more. DV certificates used to cost money but now they are available for free.

In the old days, a web browser would make the difference between these two types of certificates visually obvious. Now, web browsers display the exact same lock icon for both types of certificate files. This has led to fewer and fewer organizations paying for Extended Validation (EV) certificates. And, it makes it much easier to scam/fool people. I have to assume that was the whole point.

SCAM CERTIFICATES

The worst aspect of not having identity verification is that even citi.com itself can be a scam. No typo needed.

The current system allows any Certificate Authority to issue a certificate to any website. Bad CAs can abuse this, resulting in a secure citi.com website that is not citi.com. A scam citi.com would look exactly like the real thing, except its certificate would be issued by a company that Citibank has no relationship with. In the old days, we could see the difference between an EV certificate and a DV certificate; without that, scam DV certificates now look perfectly legit.

There are thousands of CAs. No doubt some are fronts for spy agencies.

Thousands? Web browsers use a list of roughly 170-200 root Certificate Authorities that they trust. So, we have outsourced our trust to the companies that make web browsers: Google, Mozilla and Apple. But they too have, at times, outsourced their trust. While Firefox has its own list of trusted root CAs, other browsers don't bother; they use the list built into the operating system.

Regardless of where the 170-200 trusted root CAs come from, that list is only the starting point. Each root CA can franchise out its business. That is, a root CA can give/sell/loan its ability to make certificate files to other companies. If a root CA trusts company X, then the browser will also trust company X, even though X is not a root Certificate Authority.

How can Citibank customers defend themselves?

The first thing is to check who issued the certificate for the citi.com website in your browser. The click-stream for this is different in each browser. In some Operating Systems this may not even be possible. If you can find this information, what do you do with it? That is, suppose you see that your copy of citi.com is using a certificate file issued by TrustCor Systems? Is that the Certificate Authority that Citibank actually uses? There is no way to know.
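An added example (not from the original page) covering the DV/EV distinction above and the "who issued this certificate" check: it reads the dictionary Python's ssl.getpeercert() returns, names the issuing CA, and classifies the certificate by which subject fields are present. The sample certificates and CA names are constructed and say nothing about who really issues citi.com's certificate; fetch_cert() needs network access and the field names assume OpenSSL's long names, with the raw jurisdiction OIDs as a fallback.

```python
import socket
import ssl

# Subject attributes only an EV certificate carries (OpenSSL long names, plus raw OIDs).
EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "jurisdictionStateOrProvinceName", "jurisdictionLocalityName",
             "1.3.6.1.4.1.311.60.2.1.1", "1.3.6.1.4.1.311.60.2.1.2",
             "1.3.6.1.4.1.311.60.2.1.3"}

def _name_dict(rdns):
    """Flatten the tuple-of-tuples form ssl.getpeercert() uses for names."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def issuer_of(cert):
    """Return (organization, commonName) of the CA that signed the cert."""
    issuer = _name_dict(cert.get("issuer", ()))
    return issuer.get("organizationName", "?"), issuer.get("commonName", "?")

def validation_level(cert):
    """Classify a getpeercert() dict as 'DV', 'OV' or 'EV' by subject fields."""
    fields = set(_name_dict(cert.get("subject", ())))
    if EV_FIELDS & fields:
        return "EV"          # business category / jurisdiction present
    if "organizationName" in fields:
        return "OV"          # organization vetted, but not to EV level
    return "DV"              # bare commonName: domain control only

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live, chain-validated certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape getpeercert() returns. The CA names are
# invented and say nothing about who really issues citi.com's certificate.
SAMPLE_DV = {
    "subject": ((("commonName", "citi.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example DV CA 1"),)),
}
SAMPLE_EV = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("organizationName", "Example Bank N.A."),),
                (("commonName", "citi.com"),)),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example EV CA 1"),)),
}
```

Knowing the issuer still leaves the question the text raises (is that the CA the site owner actually uses?); what this does give you is a repeatable way to notice when the issuer or validation level of a site you visit regularly suddenly changes.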

To be clear, Citibank is just an example, I am not picking on them at all. In fact, they continue to use EV certificates (as of November 2022), so good for them.

This issue of scam certificates got some publicity in November 2022 with this article in the Washington Post: Mysterious company with government ties plays key internet role by Joseph Menn.

Created: November 19, 2022. Last updated: November 19, 2022.