Mozilla's Announced Decision to Remove the Extended Validation UI Indicator Should Be Reconsidered
The week before last, very quickly and without advance warning, Mozilla announced that it would remove the Extended Validation SSL certificate indicator from its upcoming build 70. This announcement spawned a very lively debate that is still going on. Below is my response to the thread, explaining why I believe the decision to be ill-considered and detrimental to overall internet security. Jason Soroko and I also covered Mozilla's decision to remove the EV SSL indicator in our Root Causes PKI and security podcast series.
Apart from this changed opening paragraph, the essay below is what I posted on the thread.
By way of background, until recently almost all phishing and malware was hosted on unencrypted http sites. Those sites received a neutral UI, and the bad guys didn’t have to spend time and money getting a certificate, even a DV certificate, that might leave traces as to their identity. Users were told (and remembered the advice) to “look for the lock symbol” for greater security.
Then a few things happened in close succession: (1) Google incentivized all websites to move to encryption through the use of its “Not secure” warning, (2) Mozilla instituted a similar “Not Secure” warning, and (3) Let’s Encrypt began offering anonymous, automated DV certificates to everyone, including known phishing sites, in part through Platinum-level financial support from Mozilla and Google.
As a result, and predictably, virtually all phishing has now moved to DV-encrypted websites, which receive the lock symbol in Firefox. In fact, the FBI just issued a warning to consumers not to trust the https or lock symbol in browsers anymore, as half or more of phishing sites now display the lock symbol.
It’s unclear how Mozilla plans to ramp up protection for Firefox users. Browser phishing filters such as Google Safe Browsing are good, but not perfect. According to the most recent NSS Labs report, issued in October 2018, GSB offers only about 79% user protection at “zero hour”, gradually rising to 95% protection after 2 days. However, most phishing sites are shut down by then anyway. If a browser phishing filter is the main defense Firefox provides to users, thousands of users can be harmed before a site is flagged for phishing. Clearly Mozilla should be looking for other ways to protect them.
That’s where EV certificates can help. Data shows that websites with EV certificates have a very low incidence of phishing. New research from RWTH Aachen University presented at USENIX measured the incidence of phishing sites using certificates of various validation levels. EV certificates made up 0.4% of the total population of phishing sites with certificates but 7% of the “benign” (non-phishing) sites. Compare that to OV, where 15% of phishing sites had that certificate type and 35% of benign sites had the same. And compare that again to Let’s Encrypt certificates, which made up 34% of certificates for phishing sites and only 17% for benign sites.
This research validates the results of an earlier study of 3,494 encrypted phishing sites in February 2019. In this study the distribution of encrypted phishing sites by certificate type was as follows:
- EV: 0 phishing sites (0%)
- OV: 145 phishing sites (4.15%)*
- DV: 3,349 phishing sites (95.85%)
*(These phishing OV certificates were mostly multi-SAN certificates requested by CDNs such as Cloudflare, containing multiple URLs for websites whose content the Subject of the OV certificate did not control. Perhaps such certificates should be DV rather than OV.)
These studies show that the presence of an EV certificate has a strong negative correlation with criminal activity intent on victimizing the site visitor. In plain terms, users are safer when they visit sites with EV certs. Now, how do we use that?
This is where the argument that “users don’t see the absence of positive indicators” misses the mark for several reasons.
1. The internet is in possession of a clear signal of a site’s safety for the end user. The fact that popular end-user software fails to take advantage of this signal is a shortcoming of that software, not the signal.
2. Users are not a single homogeneous group, and they don’t all behave the same. Proof positive of that fact is that most of the people participating in this thread do, in fact, notice whether or not an EV indicator is there. They are not the only ones in the world. In the absence of compelling reasons to remove the indicator, providing this evidence to some users is superior to providing it to none.
3. User behavior also changes based on context. The site visitor who suffers from interface blindness when everything is going well may become hyperaware when something suspicious occurs. If nothing else, the presence of an EV cert gives the likes of law enforcement a clear path forward when pursuing perpetrators of online crime.
4. Positive security indicators do work in many other contexts where expectations are predictable. Let’s take an offline example we’re all familiar with, the seat belt. Most people I know expect the feel of a seat belt across their laps and shoulders when in a moving car, and without it we feel uncomfortable. That is a positive security indicator. The reason we miss it when it’s absent is that it is consistent, ubiquitous, obvious, and important to us. There is no reason why an identity security indicator cannot meet these same criteria. Unfortunately, the EV security indicator has suffered from inconsistency across browsers and changing presentation over time, and the industry as a whole has done a poor job of educating relying parties on what this identity information means. These disadvantages are all addressable, if companies like major browser and OS vendors treat doing so as a priority.
Mozilla’s most pressing need right now is to work with other browsers to develop common UI features across laptops and mobile devices, and to engage with CAs in common user training to help users make good security decisions based on available identity information. Common UI standards have been extraordinarily successful: the automotive stop sign used to vary country by country and state by state before it became standardized. If stop signs were always different and users didn’t know what they meant (no user training), then some might argue, “Users don’t use stop signs to make security decisions (stopping their cars), so let’s just remove all stop signs.” But that would be exactly the wrong thing to do, leaving users even less secure.
In the absence of such an effort, instead of removing the EV UI entirely, Mozilla should consider other options for presenting this information, including the approach Apple took a year ago: show users the URL for the site they are on, but make the URL and lock symbol green for sites with proven identity (secured by an EV cert) and black for all other sites (including all DV sites). Users would at least have a signal that additional identity information was available. Combined with some amount of user training, users would be better off in the aggregate than they would be with the flat removal of any identity indicator at all.
Without any other identity indicator in Mozilla, users have nothing to go on but the URL and, for some but not all phishing sites, an interstitial warning. But as Google security researchers have stated, “People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity.”
I personally was among the group who put together the original EV specification. At that time we imagined that EV would be an ongoing, evolving standard that the community continued to make better. When I hear objections about EV being less than perfect, I cannot help but think of the adage about perfect being the enemy of good. EV is good. It’s really good, and the statistics indicate that. Let’s focus our energy on making it even better, not throwing it away and being left with nothing.