Thoughts on Using SSL/TLS Certificates as the Solution to Phishing

Gerv has written a document called Staying Safe From Phishing With Firefox and a companion discussion document. Since he’s soliciting feedback, I’ll play devil’s advocate for a moment.

Gerv’s solution relies on conditioning the users to observe the SSL/TLS lock icon and, hence, to use the end point identity certifying aspect of SSL/TLS. There are some problems with this.

SSL/TLS certificates are supposed to help identify DNS spoofing. However, it happens that VeriSign is both a major DNS operator and a major CA. In theory, this situation is totally corrupt, because VeriSign could manipulate DNS and issue fraudulent certificates to cover it up.

It turns out the situation with VeriSign is problematic in practice, too. As far as IDN spoofing goes, the TLD without proper human vetting against obviously misleading domains has been the .com TLD—the TLD managed by VeriSign. On the other hand, VeriSign’s certification business has reportedly issued certificates that human vetting would have shown were obviously intended for fraudulent purposes.

Why should anyone believe VeriSign won’t certify IDN spoofs? VeriSign has a serious conflict of interest here. CAs and domain registrars are not paid by society for keeping the Internet clean. Instead, they get money from issuing certificates and domain names. In fact, many .com registrars offer services that are obviously designed to capitalize on cybersquatting.

IANAL, but it seems to me the American legal system is in part to blame. The common carrier defense says that a common carrier cannot be held responsible for the content flowing through their systems as long as they let everything pass. If the carrier censored something (no matter how obviously illegal), they would be considered to exercise editorial control and could be held responsible for illegal content they do not happen to censor. By the same token, if a domain registrar tried to screen out fraudulent domain names but did not succeed 100%, I suppose a lawyer representing a phishing victim might sue the registrar. I do not know if this is true, but I would not be surprised if the .com registrars were preparing an “oh we don’t screen anything” defense.

Gerv mentions the possibility of revoking certificates after the fact. However, in my copy of Firefox, the CRL view is empty. It seems to me Firefox is not checking any CRLs by default. And if it did, the CRL would be a single point of failure in the network.

Of course, even if VeriSign was deemed unworthy of trust, Mozilla couldn’t distrust VeriSign by default, because that would be a bad usability move. VeriSign, thanks to its first-mover advantage, has positioned itself above scrutiny. Anyone shipping SSL/TLS-enabled software has to trust VeriSign by default in order to avoid annoying dialogs.

Looking at the situation from another angle, it is unfair that anyone who does not want to look suspicious has to pay a third party company for protection. One could argue that the price of protection is peanuts for banks, but there are other considerations as well. Consider the Training Portal of The Finnish Defence Forces for instance. The certificate for that site is from the Finnish Population Register Centre—a government CA. A Finnish government site is certified by the Finnish government CA. Makes sense, right? Except no browser trusts the Finnish Population Register Centre by default and a warning dialog has to be explained away. Why should the Finnish Defence Forces have to pay an American company for protection in order to make the dialog go away?

This is not a matter of which CA is doing a better job vetting their clients. I argue that if a site has a certificate signed by the Finnish Population Register Centre, the probability of that site being what it appears to be is higher than for a site whose certificate is signed by VeriSign. So should Mozilla trust the Finnish Population Register Centre by default? I predict that some Americans who think that corporations are good and governments are evil would totally freak out if Mozilla was trusting a foreign government by default. (And that’s even a government that keeps a Big Brother Population Register so that a murky party-manipulated voter registration scheme is not needed and a list of eligible voters can be generated from a database at any time. Can you see the black helicopters already?)

There are also university CAs (e.g. the CAs of the University of Helsinki and Helsinki University of Technology) that seem to be doing a good job at screening who they give certificates to. Should Mozilla trust all the universities on the planet? If not, users will see annoying dialogs and be conditioned to accept certificates that cannot be verified using the default root certificates.

This introduces a real practical problem. It is relatively common that someone wants to use the encryption aspect and is willing to take a risk in the initial handshake in order to avoid dealing with a big money CA. I think I have dismissed four or five warning dialogs related to unverified certificates during the past week. If end users become accustomed to dismissing such dialogs without thinking, the identity-certifying aspect of SSL/TLS, which is important when avoiding phishing, is diluted. Still, I am not willing to blame those who refuse to pay big money CAs for protection. I have set up a snake oil CA myself, study at a university that has its own CA and am a member of two societies that run their own CAs.
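As an added example (not from Gerv's documents or this post), the following shell session shows what the unverified-certificate dialog is actually deciding: a site certificate issued by a CA that the default trust store lacks, as with the university and government CAs above, fails verification until that CA is added as a root. It assumes the openssl command line tool (1.1.1 or newer); all CA names, keys and certificates are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): what the "unverified certificate"
# dialog is really deciding. A private CA that no browser ships, standing in for
# a university or government CA, issues a site certificate. Verifying that chain
# against a store that lacks the private CA fails; adding the CA makes it pass.
# All names, keys and certificates are constructed, throwaway material.
# Assumes the openssl command line tool (1.1.1 or newer).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the self-signed roots carry proper CA extensions.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Hypothetical private CA, and an unrelated root that is all the "browser" trusts.
for ROOT in "ca:Example University CA" "other:Example Commercial Root"; do
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -keyout "$WORK/${ROOT%%:*}.key" -out "$WORK/${ROOT%%:*}.pem" \
    -subj "/CN=${ROOT#*:}" 2>/dev/null
done

# Site certificate issued by the private CA (hostname is a constructed example).
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" -subj "/CN=portal.example.edu" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/site.pem" 2>/dev/null

# Verify the site certificate against exactly one root file; prints trusted/untrusted.
verify_against() {
  if openssl verify -no-CApath -CAfile "$1" "$WORK/site.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}
verify_with_default_store() { verify_against "$WORK/other.pem"; }  # private CA absent
verify_with_private_ca()    { verify_against "$WORK/ca.pem"; }     # private CA added
echo "default store: $(verify_with_default_store)"  # untrusted
echo "with private CA: $(verify_with_private_ca)"   # trusted
```

Clicking through the dialog is the same decision as the second call: trusting that root, but for one site, on the spot, with no vetting of who runs it.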