Root Causes 27: Pending Safe Browser Guidelines from Germany
The German government has published a draft of its latest guidelines for safe browsers, which include requirements for how SSL certificates are supported and treated. Join our hosts as they discuss the German safer browser requirements and their potential impact on Germany, other governments, and industry worldwide.
- Original Broadcast Date: July 18, 2019
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Germany has published a draft of its “secure browser requirements.” Germany had a 2017 guideline that is currently in effect for what the government considers an acceptable secure browser, and that guideline now has an updated draft in 2019. It covers a lot of stuff that is not really certificate-related, but it has some certificate-related content as well. Let’s go down and explain what they are. I will stick with stuff that has to do with certificates.
Must support TLS. I don’t think that’s new. I think that’s pretty important.
Must have a list of trusted certificates. I think they mean trusted certificate roots. So once again, not new.
Now this third one is new. Must support Extended Validation (EV) SSL certificates. So EV SSL support is a requirement, and I actually looked up that requirement in the original document. My German’s a little rusty but that’s essentially what it says.
Certificates must be checked against a CRL or OCSP. Which again, I don’t think is new, but I think that’s important.
Here is an interesting one. The browser must use icons or color highlights to show when communications to a remote server are encrypted or in plain text. So basically, there’s got to be a visual indicator that you can see as the user to know whether or not this is encrypted communication. That’s what the lock icon used to be.
Connections to remote websites riding on expired certificates must be allowed only after specific user approval.
Then there are a few things that get a little more weedsy. Must support HSTS. Must support same origin policy. Must support content security policy. Then it gets into a bunch of stuff that isn’t really certificate-related.
-
Jason Soroko
There is some cool stuff in there such as sandboxing. They don’t get into enormous amounts of detail, but it is part of the spec.
-
Tim Callan
So what do you think, do you agree with those requirements?
-
Jason Soroko
Yes. I think I do. And, in fact, seeing that the support of Extended Validation is listed as number three is obviously close to my heart and probably yours too, Tim.
-
Tim Callan
Oh yeah.
-
Jason Soroko
They are absolutely stating explicitly that the user experience of SSL needs to be part of what a secure browser is.
-
Tim Callan
That’s one of the real interesting things about it, right? It’s not just backend stuff. We’re not talking about OCSP and HSTS. We’re also talking about the interface. So, there is a sense among the people who are creating this regulation that social engineering attacks are important and that a browser can and must defend, to the degree that it’s able, against social engineering attacks.
-
Jason Soroko
Social engineering attacks that might include links to spoofs of major websites that you know and love and that probably do have an Extended Validation certificate and have for years, that visual indicator that allows you to know just sort of at a glance that you are at a site that you trust. That’s an important part of the browser experience. Because obviously it’s a human-based user interface and not just a machine interface.
It’s there to interact with a human being; therefore it requires something. An icon, a color, something to show you this is a trusted site.
-
Tim Callan
I don’t think they use the word phishing ever in the paper. I didn’t spot it. But this is really what it’s about, right? They’re saying that browsers need to do what they can to defend against phishing and its ilk.
It’s interesting. Phishing is a practice that goes back to the 1990s. It is such an old attack, and yet it’s still very prevalent. It’s still effective. It’s still a cornerstone of online criminal activity. I ask myself, “How is this possible?” And part of the reason is I don’t think that browser interfaces have worked hard enough or effectively enough to solve that problem.
-
Jason Soroko
The browser itself is the mechanism with which the human being is at either the legitimate site or the not-legitimate site. It’s not like there aren’t any mechanisms at all available to them to be able to tell whether or not you’re on your banking site or on whatever site you might be making payments to or something that’s differing from the quickly created phishing site that is meant to emulate it. Those kinds of things that visually tell you the difference between the two can be incredibly effective.
-
Tim Callan
One of the objections that is raised is people say, “Well you know, if you take away an EV indicator, if you take away the company-branded green address bar, people will often go and interact with the site anyway.” I get that. However, why is that?
Part of that is because they get an inconsistent experience across different browsers. Part is because the browsers have made those indicators small and weak and obscure. It’s like they want to make the indicators as poor as they can and still be able to check the mark to say that they have the indicator.
And some of it is that because of these weak indicators, companies haven’t been able to get behind EV with real bold messages like, “If you don’t see my company name at the top of your browser, stop interacting with that website.”
I remember back in the late 2000s when we introduced EV, we talked to large companies that were big phishing targets, and that’s exactly what they did. They were marketing to their consumers at the time and they were saying, “If you’re in this browser and you don’t see my name at the top, you’re not at the right place.” Because back then they could do it. It was big and bold.
As the browsers watered down their ability or their willingness to say this is the company that you’re talking to, then the consequence of that was that companies had to back off of those messages. And that’s what got us to the situation we’re in now.
-
Jason Soroko
The consistency of the user interface amongst all the different browsers is so incredibly important. You know the browser you might be forced to work with at work, the one you work with at home, the one you work with on your mobile device, and the one you work with on your laptop might all have different experiences. Even mobile applications themselves, where you might be clicking on links, working through the internet, buying something, making payments, whatever it is you’re doing, that might not even be a traditional browser. It might be a browser embedded within another application.
-
Tim Callan
This is an area where the browsers have really underperformed and we’re seeing the results of that.
-
Jason Soroko
One of the techniques that I’ve heard proposed to help to protect people is about flagging sites that are considered phishing sites. Which is, that’s an incredibly bold adventure I would say.
So, if you think about the act, the antivirus industry over the past X number of years—and they still exist and they still have their purpose—but let’s be honest, blacklisting of bad things in the most generic terminology possible, is incredibly difficult.
And that’s back when there was just a handful of viruses or variants. Back then that might’ve been viable, but malware became thousands and hundreds of thousands and millions, just unthinkable numbers of variations, where it really became the case that every single attack was unique based on the nature of the attack. Then antivirus really started to have a hard time.
And so, the analogy of this plays well also into phishing websites. Which is, the bad guys have figured out ways to create on the order of tens of thousands of phishing websites in very short order, and therefore for a phishing website, its length of existence being operational for the bad guy might be very, very short. Which is sufficient for the purpose.
-
Tim Callan
A day.
-
Jason Soroko
Exactly. A day, an hour. It’s incredible some of the statistics that I’ve heard.
So therefore, if you as a browser are trying to tell me that you’re going to protect me by blacklisting this, I’ve been in the industry long enough, Tim, I'm going to laugh at you. Because I know you’re going to fail.
-
Tim Callan
I think a layered security approach here is fine. Which is to say, yes, by all means, blacklist the known bad offenders. And while you’re at it, run antivirus that’s going to knock out the stuff that’s doing bad. Because that stuff is still out there, and if you don’t knock it out it still will hurt you. It’s just not sufficient. We need more than that.
-
Jason Soroko
So therefore a whitelisting of websites through validating not just the ownership of a domain but the real actual commercial ownership of a website. Which is part of what the CA/Browser Forum Extended Validation protocol really is all about.
We’ve seen an example of where it perhaps is technically possible to have a site of the same name created and have it issued an Extended Validation certificate. But if you take a look at the reality of it, that exact concept of thousands of phishing sites created is not possible for Extended Validation certificates. You’re not going to be able to have tens of thousands of EV certificates issued within a day for a phishing campaign. It won’t work.
-
Tim Callan
It’s not your script kiddy style attack. It’s not your automated style attack. Absolutely correct.
You and I used the example of passports in an earlier podcast. The analogy that you said, Jay, was, “Well ok, Jason Bourne might have a shoebox under the floorboards with ten different passports in it, but that doesn’t mean your average small-time criminal has a false passport.” And I think that’s exactly right. It might be that someone somewhere can come up with a trick to make it look like they have the same name as someone they’re trying to attack, but that is light years away from the kind of widespread, trivially easy website counterfeiting we see today.
-
Jason Soroko
Yeah Tim, over the years, one of the things that I’ve learned is, learn from what the bad guys are teaching us rather than just guessing at what a solution could be for some kind of nefarious action. If one of the modern activities of phishing is to mass create websites then a way to solve that is to whitelist websites on a very costly basis. I mean cost in terms of time, which is paramount for this kind of attack. It actually makes the tens of thousands of phishing domains, especially off a subdomain, untenable for a bad guy.
Therefore it’s an incredibly effective solution, and all we’re saying here on this podcast is, take a look at the German specification for what makes a safe browser. They’re actually agreeing with us where support of Extended Validation certificates as well as human user interface indicators such as icons and colors can be very important for the user.
-
Tim Callan
So what do we imagine the consequences of this? The German safe browsing specification comes out, and it’s got these updates. Do we think it is going to matter?
-
Jason Soroko
I think it definitely is going to matter because a lot of things that happen in Germany affect a lot of the E.U.
If you’re doing business with German government and that could include… Goodness, take a look at all the things in Germany that are centralized, from their pharmacy system up to all kinds of things that are centralized. You know any time you hear the word, Bundes anything, essentially it could, we might call this the Bundesbrowser, right?
-
Tim Callan
And there you go.
The other thing is, Germany in terms of individual privacy is really the leader in the world. And so, a lot of people view - if you’re a European multinational and you want to make sure you’re not running afoul of regulations, you usually say, “Well can I pass Germany?” If I can pass Germany, there’s a good chance I can pass everybody.
It’s the same as you and I talked about how in the energy world Texas is considered to be a leader and people take place from it. Similar thing happens in Germany with regard to individual privacy. And so, in that regard it’s very likely to have an effect on corporations throughout Europe who just say, “I don’t want someday to learn that I'm in trouble in Germany. So, I'm going to make sure that my people are using browsers that are compliant.”
-
Jason Soroko
I think this came out of what in English we would call the BSI (Bundesamt für Sicherheit in der Informationstechnik). But if you were to draw a map of all the initiatives that came out of BSI that are now part of European Union standard practices, it actually is quite high and that goes to your point, Tim, that Germany is a leader when it comes to security and privacy.
-
Tim Callan
So if you’re working with German government, if you’re in the German government, or if you’re just a large multinational corporate and you don’t know exactly what all of your people might be doing at any given time, it’s easy to imagine all of those groups following these standards and saying that they’re only going to use browsers that are compliant.
-
Jason Soroko
Yep.