
Was mulling over the issue of protecting users from password-stealing phishing sites when an interesting question that hadn't occurred to me before popped into my head:

Let's say that I decide to take Chromium, Firefox, or another open-source browser and make a slight modification to its capabilities: I alter it so that it will only load sites that bear valid Extended Validation certificates, to verify that the page/site is really from the organization/entity it purports to be from. This special EV-sites-only browser would definitely not be intended for use for most "normal", day-to-day browsing, but instead only to visit & login to very sensitive sites that one really, really wants to protect against phishing/impersonation-based credential theft. (Banking & other financial, email, etc.)

Second, let's say that I then create a usage policy (for users in an organization I work for, or even just for myself) that says that those sensitive sites can only be accessed in my special EV-only browser. Maybe I even make my EV-sites-only browser the default one that loads any links a user might unthinkingly click in email & messaging apps, just to provide the most comprehensive protection against fake-login phishing tactics I can.

So, from a practical standpoint*, would a user be effectively safe from site-impersonation phishing if he/she only visited sensitive sites in my EV-only browser?

Or, put another way, if a user ensures that he/she uses only sensitive sites that have Extended Validation certificates is he/she safe from phishing attacks that use impostor sites to steal the user's credentials?

*Note my use of the phrase "from a practical standpoint". Obviously, from a theoretical standpoint a Bad Guy might be able to get a cert authority to issue an EV certificate to him that could be used for an impostor site. But is that something that actually occurs in the wild today?

mostlyinformed
  • Using Chromium may not be suitable here: http://news.netcraft.com/archives/2015/08/24/thousands-short-changed-by-ev-certificates-that-dont-display-correctly-in-chrome.html – JOW Oct 23 '15 at 11:19

1 Answer

let's say that I then create a usage policy (for users in an organization I work for, or even just for myself) that says that those sensitive sites can only be accessed in my special EV-only browser.

I don't think that's worth the effort.

Maintenance of a browser is very hard.

Also: I think teaching users "use that browser for that site!" might be just as hard as teaching them "look for the green lock!" -- although this might be fixed if you just place bookmarks on their desktops that open a site in either one browser or the other.

Still: If you actually have such a list of known-sensitive sites, then you might also do something like set up Nagios to alert you on certificate changes. This would have the additional advantage of alerting admins that know how to handle such a change.

Bad Guy might be able to get a cert authority to issue an EV certificate to him

The EV promise only holds if you trust the promise-giver. If the promise-giver is suddenly untrustworthy (for whatever reason, hacking, bribery, mistake) then the promise is not worth much anymore either.

After all, the EV part of a certificate is just another flag added to the certificate, and the CA can add it at will. If their internal accountability fails, if the "okay, we add this flag if and only if we've actually done the proper identity verification" policy fails, then this will usually be non-obvious to any outsider.

This is where Certificate Transparency might help. This would at least make (mis-)issuance publicly detectable.

StackzOfZtuff
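Added example, not code from the question or the answer: the two checks the thread actually turns on, written against a throwaway PKI generated in-process so it runs offline. First, what an "EV-only" browser has to do beyond a normal TLS chain check: look up the root the chain ends at in a per-root table of registered EV policy OIDs and require that exact OID in the leaf's certificatePolicies extension. Second, the answer's Nagios-style alternative: pin the certificate fingerprint per sensitive site and alert when it changes. The root and site names ("Hypothetical EV Root", "Rogue CA", "bank.example") and the EV table are constructed for the demo; 2.23.140.1.1 is the CA/Browser Forum EV policy OID and 2.23.140.1.2.1 the DV one. The rogue root is deliberately placed in the trust store but not in the EV table, which is exactly the case the answer describes: any issuer can write the EV OID, and the flag only means something if the browser lists that root as EV-capable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// evPolicyTable is a constructed stand-in for the per-root EV policy list a
// browser ships with: a root may assert EV only through the OID registered
// for it. (Names are hypothetical; 2.23.140.1.1 is the CA/B Forum EV OID.)
var evPolicyTable = map[string]asn1.ObjectIdentifier{
	"Hypothetical EV Root": {2, 23, 140, 1, 1},
}

// isEV passes only if the leaf chains to a trusted root that is in the EV
// table AND carries that root's registered EV OID. The OID on its own proves
// nothing; it is one more extension that any issuer can write.
func isEV(leaf *x509.Certificate, roots *x509.CertPool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		want, listed := evPolicyTable[root.Subject.CommonName]
		if !listed {
			continue
		}
		for _, p := range leaf.PolicyIdentifiers {
			if p.Equal(want) {
				return true
			}
		}
	}
	return false
}

// fingerprint is SHA-256 over the DER certificate, the value a per-site
// monitoring check would record and compare on every run.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// checkPinned compares what host presented now with the last recorded
// fingerprint; a mismatch is the event to escalate to an admin.
func checkPinned(pins map[string]string, host string, presented *x509.Certificate) (changed bool, msg string) {
	fp := fingerprint(presented)
	old, seen := pins[host]
	switch {
	case !seen:
		pins[host] = fp
		return false, fmt.Sprintf("%s: first sighting, pinned %s", host, fp[:16])
	case old != fp:
		return true, fmt.Sprintf("ALERT %s: certificate changed %s -> %s", host, old[:16], fp[:16])
	default:
		return false, host + ": unchanged"
	}
}

// policyExt hand-builds a certificatePolicies extension carrying one OID.
func policyExt(oid asn1.ObjectIdentifier) pkix.Extension {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	val, err := asn1.Marshal([]policyInformation{{oid}})
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: val}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

type demoPKI struct {
	roots                     *x509.CertPool
	evLeaf, dvLeaf, rogueLeaf *x509.Certificate
}

// buildDemo constructs: a trusted root listed as EV-capable with an EV and a
// DV leaf under it, plus a trusted but unlisted "Rogue CA" that sets the EV
// OID on its own leaf for the same hostname (constructed test data).
func buildDemo() demoPKI {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	leaf := func(serial int64, policy asn1.ObjectIdentifier) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "bank.example"},
			DNSNames:  []string{"bank.example"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature,
			ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			ExtraExtensions: []pkix.Extension{policyExt(policy)},
		}
	}
	evOID := asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	dvOID := asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}

	rootKey, rogueKey, siteKey, attackerKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootTmpl, rogueTmpl := ca("Hypothetical EV Root", 1), ca("Rogue CA", 2)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	rogue := mustCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)

	pool := x509.NewCertPool()
	pool.AddCert(root)
	pool.AddCert(rogue) // trusted for plain TLS, but not EV-capable
	return demoPKI{
		roots:     pool,
		evLeaf:    mustCert(leaf(3, evOID), root, &siteKey.PublicKey, rootKey),
		dvLeaf:    mustCert(leaf(4, dvOID), root, &siteKey.PublicKey, rootKey),
		rogueLeaf: mustCert(leaf(5, evOID), rogue, &attackerKey.PublicKey, rogueKey),
	}
}

func main() {
	d := buildDemo()
	fmt.Printf("EV leaf: %v  DV leaf: %v  rogue leaf with EV OID: %v\n",
		isEV(d.evLeaf, d.roots), isEV(d.dvLeaf, d.roots), isEV(d.rogueLeaf, d.roots))
	pins := map[string]string{}
	for _, c := range []*x509.Certificate{d.evLeaf, d.evLeaf, d.rogueLeaf} {
		_, msg := checkPinned(pins, "bank.example", c)
		fmt.Println(msg)
	}
}
```

Note what the first check does and does not buy: the rogue leaf fails isEV only because "Rogue CA" is absent from the EV table. Add it there, which is what a compromised or misbehaving EV CA amounts to, and the same leaf passes, which is the answer's point. The fingerprint pin catches that swap regardless of who issued the new certificate, at the cost of an alert on every legitimate renewal, so in practice someone has to triage those.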