The Root Causes podcast explores the important issues behind today’s world of PKI, online trust, and digital certificates. In this episode hosts Jason Soroko (CTO of IoT, Sectigo) and Tim Callan (Senior Fellow, Sectigo) explain one of the common misperceptions of identity models, why this misperception can lead to suboptimal decision making, and why authenticated identity matters to both parties in any sensitive interaction.
(Lightly edited for flow and brevity, this podcast originally appeared April 8, 2019.)
Tim: I'm excited because we’re talking about a topic that’s dear to my heart, which is that the concept that authentication is not for the authenticated.
Jason: That’s a great way of putting it.
Tim: I’ve been talking about this a long time with a lot of people. In the world of public certificates and public trust, one of the things that I notice that comes up over and over again is that IT decision makers and people who operate websites and digital systems at companies are used to thinking about the direct benefit to their businesses of the solutions they purchase. And certificates are a little unusual in that regard in that authentication, as I said, is not actually for the authenticated.
Jason: Yeah. Yeah.
Tim: And what I mean by that is, you know who you are, right Jay?
Jason: I think so most of the time.
Tim: Yes, and I know who I am. And oftentimes when you talk to people at companies their attitude is, “Well, we know who we are. We know we’re our company. I don’t need anybody to tell me that I'm this company.” And that’s true, you don’t, but how often do you or I deal with other people in the world who don’t necessarily know us by sight, and how do those people trust that we are the individuals that we claim to be?
Jason: I don’t think Alice always has met Bob beforehand.
Tim: Right. If you and I happen to be in the same place, I look up and I say, “Oh, there’s Jay.” It’s easy. But if I don’t know you there needs to be some mechanism to know who you are, and this is where in the offline world, we wind up using things like passports.
Jason: If you and I wanted to do business together, right, we want to have a transaction, back in the old day it was, “Meet me at this house and knock three times, and I’ll know it’s you.” We have a term for that in our world which is a shared secret. But that necessarily means that there had to be a pre-existing relationship.
Jason: Now in a digital world we’re seeing so many use cases where that just doesn’t exist.
Tim: Even if we stay in the old world but not quite that old, it used to be when I was young if you wanted to pay with a check at a store, back when people used to do that, you would show them your driver’s license. That was the same thing. It’s like I don’t know that you are Bob, but if you show me your driver’s license and it matches what’s on your checkbook, now I have authentication in place. In the offline world we do this a lot. My great example, again, is the passport. Jay, do you have a passport?
Jason: I do.
Tim: Does your passport have your name on it?
Jason: It does.
Tim: Does it have your picture on it?
Jason: It does.
Tim: Is that because you don’t know who you are?
Jason: No, I know exactly who I am, and in fact sometimes when I look at that picture, I can’t believe that’s me.
Tim: So why do you have a passport?
Jason: I have a passport in order to assert who I am to other people.
Tim: Correct. And if you did not have a passport what are some of the things that would be problematic?
Jason: I probably couldn’t cross an international border. A number of other issues that I'm sure would come up.
Tim: Right. I use my passport routinely. I have a passport card and it’s the thing I use every time I get on an airplane, even if I'm flying domestic. When I’ve prepaid for my hotel because I got a good rate online, I have to show them my ID before they give me my key. When I go to pick up a package. There are all kinds of occasions where I need to prove who I am, and in my case it’s always my passport card because I just have it. And without that all those opportunities would be lost to me.
Jason: It’s globally trusted. Even though we’ve seen the Jason Bourne movies where he’s carrying a bunch of passports, generally people trust it when you hand one over.
Tim: Good point. The Jason Bourne movies illustrate another principle that we might return to, which is that perfect is not necessary for good to be worthwhile. In his case maybe someone can make a fake passport, but almost all the passports you see are going to be real, and the level of trust is high enough that you can go with that. So in the digital world what’s our equivalent of a passport? It’s a certificate.
Jason: Yes sir.
Tim: In fact, that’s built right into the word. Why do we call them certificates? Because they certify. And what do they certify? Every certificate without exception in one way or another certifies identity.
Jason: And it’s a certificate authority that is etc., etc.
Tim: Is the one that’s trusted to certify. Now if you own your own world, if you have a walled garden, you can be the Certificate Authority. So if I have a bunch of devices that are going to live inside my firewall and I want to be the Certificate Authority, I sit at the top and I say, “I'm the CISO, and I'm going to say which devices are real and which devices are not because I'm the source of truth.” That’s perfectly great. But when we get out into the world, when we’re out in the DMZ, you can’t do that anymore. There needs to be an independent authority, and that’s what the public CAs wind up being.
Jason: That’s right.
Tim: Now what’s all this about authentication not being for the authenticated? We go back to the idea of saying, “Ok if I'm out in the DMZ, if I'm using, let’s say, SSL certificates because I want to stand up websites and anybody anywhere in the world can come to my website and initiate a sensitive transaction. They can open an account, pay with a credit card, access PII or PHI or things along those lines. How do I assert that I am really who I claim to be?” And that’s where those public Certificate Authorities come in.
Jason: Their stamp of approval, essentially. You get your stamp of approval from them.
Tim: They’re vouching for you.
Tim: Then it comes to the question, what are they vouching for? And in the world of SSL there are actually tiers of authenticated identity that are available. At the lowest level you can get what you call Domain Validation, or DV. And what does Domain Validation tell us?
Jason: It basically means that you’ve proven to a Certificate Authority that you are in possession of the domain.
Tim: Right. It says that I am really on ABCD.com. I am not on ABCDE.com. It doesn’t say anything, though, about who the heck it is.
Jason: Not at all.
Tim: Who is running ABCD.com.
Tim: Now, there’s a different kind of certificate that we call an Extended Validation certificate, and what’s the capsule summary of the difference between that and a Domain Validated certificate?
Jason: You have to go through a fairly lengthy process typically in order to prove the fact that you are a legal entity. Essentially the validation of the business that is in possession of that domain.
Tim: Exactly correct. There are codified rules that are known to be highly effective that the public CAs must follow, and what they do at the end of that is they assert that this is a certain company. Not only do you control this domain, that still needs to be there, but that this is a specific company. This is the name and location of the company, and the person who got the certificate got it on behalf of that company.
Jason: That’s exactly right.
Tim: And that means when I go to a website that has an Extended Validation certificate as a consumer, I now know that this actually is E*TRADE because there’s an Extended Validation certificate, let’s say, sitting on the E*TRADE site. And therefore, I know that it’s not somebody who’s pretending to be E*TRADE who is trying to steal my login credentials so they can go into my account and somehow steal my personal wealth.
Jason: If I get an email that claims to be PayPal. Click on the link. My browser opens up. My browser does not show green and all of a sudden, I am on PayPal.AndresBackyard.com. I pretty much know I'm not at PayPal.
Tim: So right. So that becomes the benefit for the end consumer, right? It’s this strange situation that’s very unusual in the world of IT purchasing where the purchaser is purchasing for the benefit of an outside party.
Tim: I am obtaining certificates and the choices I make make a difference to how secure the person who comes to my website is.
Jason: It’s a very important concept. Especially if I think about myself as a financial institution, I'm doing very serious business with people on the internet. I want people to know when they knock on my door, they’re knocking on my door and not somebody else.
Tim: You’re perfectly segueing into a good point which is, ok so why would I do this? If this certificate is to my benefit then I know why I would get it. But if this superior certificate is to someone else’s benefit in a world of pure capitalism and purely pragmatic, self-serving behavior, why would I get this at all?
Jason: Well if my customers were routinely being drawn off to fraudsters, my customers are going to be upset.
Tim: Absolutely. First and foremost, it’s just plain brand reputation. You do not want your brand name associated with bad things. Someone going to a website and getting their stuff stolen is a bad thing, and you don’t want your brand associated with it. Very closely related to that is the idea that you want to project that you are doing the right thing for your customer and so showing your customer “Look, I'm here and it’s really me” is a way to communicate that.
That’s a good thing as well, but there’s also a concrete benefit, which is that research has indicated that when people see these company names that are usually in green sitting there in the browser, what in shorthand we call the green address bar, they’re actually more likely to engage with the website. They’re more likely to complete a transaction or open a new account or use an online account they already have. They’re more likely to stay on the site, less likely to bounce. All those benefits are directly going back to the business who stands up the site.
If you think about it, it makes sense. If people can trust that they’re not being defrauded and they’re not being duped, then people will be more likely to engage in what they consider to be sensitive interactions than if they can’t trust that.
Jason: And it’s not just about pure fraud. It’s about credential harvesting. You know I'm not going to enter anything into a form about my personal information or definitely not my username and password for something unless I have a really good idea of what site I'm on.
Tim: Absolutely. All kinds of data get mined. Social media data get mined and used in spear phishing and other kinds of social engineering attacks, and even things like your address can be gathered and then that can be matched up with other information, and so the level of sensitivity people have to engage in anything that seems even remotely online is high. So the connection there is valid, because now we can come back and see the benefit. Even though I know what business I am, there are direct benefits, bottom-line benefits to my business if I ensure that other people know what business I am as well.
Jason: If I'm on a site where I'm just casually browsing and something catches my eye on the site, the chance of me impulse buying could be a heck of a lot higher if I see that green bar.
Tim: When running your average day as an IT decision maker, people aren’t necessarily connecting the dots on that, but it’s very important for them to remember that this is an unusual technology purchasing decision and the decisions they make are going to affect their companies in ways beyond just what’s in front of them on their screen right now.
Jason: If you really want to think about it as a business, if you really want to extend the olive branch to a prospective customer, showing them the respect of proving who you are digitally on the modern internet is one way of doing it.