科技回声
Everything we're told about website identity assurance is wrong

191 points, by nikbackm, over 3 years ago

23 comments

Animats, over 3 years ago
I built Sitetruth.com to try to solve that problem. I'm going to shut it down soon.

The goal of SiteTruth was to try to find the real-world business behind a web site, and look up information about the business, such as how long it has been in business and its annual revenue. That's become harder and harder over the last decade.

First, it's now acceptable to have an online business with no real-world address and no visible legal existence. This is illegal in the European Union and illegal in California if the business accepts payments, but enforcement is nonexistent.

Second, more sites have become inaccessible to scraping by servers. I have a system which looks for a human-readable business address on a site. It looks in the obvious places (front page, "about", "legal", "terms", "contact", etc.) and quits after trying the 20 most likely pages. It uses an honest agent ID ("Sitetruth.com site verification system", registered with the now meaningless "bots vs browsers" list) and obeys robots.txt. A sizeable fraction of the time, it can't read the site at all.

Third, the data sources for company information have been becoming less accessible. There used to be two reliable data sources: Hoovers, and Dun and Bradstreet. They merged. Dun and Bradstreet for a while became rather corrupt. They licensed a company in Santa Monica, CA to use their name, and sent the small-business part of the business to them. This unit's marketing approach was "Nice credit rating. Be a shame if something happened to it". After much litigation, DnB HQ bought the Santa Monica company, but the reputational damage was done and DnB is no longer the gold standard of company information. There are lower tier data sources (look up "US Business List"), but the data quality is poor. Anything based on user recommendations, like Yelp, gets spammed, so that's out. Yahoo Directory, which was reasonably spam free, is gone.

Fourth, the SSL cert industry became corrupt. OV standards were never very high, and EV standards started slipping. Then there was the Cloudflare problem. Cloudflare is a certificate authority, and they issue certs to themselves for domains which run through Cloudflare. So looking up a cert just gets Cloudflare's info.

Fifth, Google is making it harder and harder to have Chrome plug-ins that critique their ads. I dropped Chrome support recently, and only have a Firefox add-on at this point.

So, after fifteen years, Sitetruth is coming to an end.
ryan29, over 3 years ago
OV certificates are even worse. The verification is a hassle and it's *extremely* difficult to distinguish OV from DV. Try to figure it out. The only way I'm aware of is to make sure the `Policy Identifier` [1] of the certificate is `2.23.140.1.2.2`.

I've also never had a good experience with the validation process from any of the CAs. They often push anything that's not immediately discoverable back to the applicant and expect them to do the leg work. I've had both Comodo and DigiCert do this to me in the past. Here's an example from DigiCert. This happened this year (2022).

> First, As part of the verification process, we are required to confirm the registration of your organization with the local registering authority.

> We have attempted to locate the registration records using online resources, however we have not been able to locate such a document. If you are aware of any government based search tools for your jurisdiction that can be used to locate proof of the organization's registration, please reply to this email with a link and instructions for locating that record. Once received, our validation team will confirm the record and proceed with the validation process.

Really? To me that seems like someone who isn't familiar with my jurisdiction because they don't know the process. What's stopping me from sending them a link to a fake, official looking site? It seems like an invitation for social engineering. Code signing certificates are the same. It's infuriating.

In my experience, they look for your company on Google Local (or whatever it's called now) or similar and if they can't find it they punt it back to you. I think the whole process is worse than nothing because it's selling a false sense of security for anyone who believes the marketing.

From a customer value standpoint, I'd rather pay for a DV certificate where the value comes from helping me to set up proper CAA records to prevent mis-issuance as well as certificate monitoring for any potential lookalike domains. Of course, the margins on that probably wouldn't be as good.

Thankfully I only deal with one place that insists on buying expensive certificates because "they're better". Just for fun sometime go look at the TLS certificates used by all of your local government websites and try to figure out what they cost. Then factor in the labor for multiple people to coordinate annual renewals and manual installation. It's frustrating.

1. PDF Warning: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.1.pdf
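As an added example of applying that policy-OID check (this is not ryan29's code or anything from the page), the Go program below uses only the standard library: it mints a self-signed leaf for the made-up name example.test carrying chosen CA/Browser Forum policy OIDs, parses it back, and reads the validation level from the certificatePolicies extension alone. The OIDs are the CABF ones (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.2.3 IV, 2.23.140.1.1 EV); the subject, the organization name and the hostname are constructed and prove nothing, which is the point of the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs: DV/OV/IV come from the Baseline Requirements
// (the 2.23.140.1.2.x arc ryan29 cites), EV from the EV Guidelines.
var (
	oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidIV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
	oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	// id-ce-certificatePolicies (RFC 5280 section 4.2.1.4)
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// ValidationLevel reports what the certificate itself claims via its policy
// OIDs: "DV", "OV", "IV", "EV" or "unknown". The subject's O= field proves
// nothing on its own; only the OID does.
func ValidationLevel(cert *x509.Certificate) string {
	level := "unknown"
	for _, oid := range cert.PolicyIdentifiers {
		switch {
		case oid.Equal(oidEV):
			return "EV" // strongest claim present, no need to look further
		case oid.Equal(oidOV):
			level = "OV"
		case oid.Equal(oidIV):
			level = "IV"
		case oid.Equal(oidDV) && level == "unknown":
			level = "DV"
		}
	}
	return level
}

// policyInformation is the RFC 5280 PolicyInformation SEQUENCE with the
// optional policyQualifiers left out.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
}

// MakeTestCert mints a self-signed leaf for the made-up name example.test
// carrying the given policy OIDs, as a stand-in for a real CA-issued leaf.
// The extension is built by hand via ExtraExtensions so the code does not
// depend on which template field a given Go release marshals.
func MakeTestCert(policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test", Organization: []string{"Example Corp"}},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{PolicyIdentifier: p})
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, tc := range []struct {
		name     string
		policies []asn1.ObjectIdentifier
	}{
		{"DV leaf", []asn1.ObjectIdentifier{oidDV}},
		{"OV leaf", []asn1.ObjectIdentifier{oidOV}},
		{"EV leaf", []asn1.ObjectIdentifier{oidEV}},
		{"no certificatePolicies at all", nil},
	} {
		cert, err := MakeTestCert(tc.policies...)
		if err != nil {
			log.Fatal(err)
		}
		// Every constructed leaf says O=Example Corp; only the OID column differs.
		fmt.Printf("%-30s O=%v level=%s\n", tc.name, cert.Subject.Organization, ValidationLevel(cert))
	}
}
```

On a live connection you would hand `conn.ConnectionState().PeerCertificates[0]` to `ValidationLevel` instead of a minted leaf. One caveat: some EV leaves carry only a CA-specific EV OID; a classifier that knows just the CABF arc, as this one does, reports those as OV or unknown rather than EV.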
billpg, over 3 years ago
"Nobody Looks Beyond the Lock"

I did. A high-value (to me) service used a cert with the green banner and I'd look to it to be reassured I was in the right place. Then one day, it disappeared.

Alarm bells started ringing and I tried to find out what was going on. I called their help desk and asked if they had changed their TLS certificate but the helper I spoke to had no idea what I was talking about and couldn't be persuaded to escalate my query.

Just in case my connection was being hacked by someone who managed to register a lesser TLS certificate, I left it a day until I could try again from my home broadband.

In the end, I did go ahead and use the site without the green banner, which makes me my own worst enemy.
snowwrestler, over 3 years ago
Troy and others have made great hay out of explaining how badly browsers work with EV certs.

They spend considerably less time talking about *why* browsers do such a terrible job of surfacing cert information for website visitors. Yes, cert UI sucks; not sure we needed an enormous article to belabor that. The real question is, why does cert UI suck so bad? (UI design is a choice.)

The answer is that everyone who runs a major browser has a vested interest in making sure decentralized site verification sucks. Because they are supported by highly centralized private site verification schemes.

Decentralized verification is the norm offline. Do you carefully Google and research every store you walk into? No, because to open a store, the store owner has to establish a paper trail. And if you have a problem at that store, your advocate (a credit card company, insurance company, lawyer, law enforcement, etc) can follow that paper trail to find a party they can negotiate with, or investigate.

Over time, the effectiveness of this system—in which all parties have invested—creates a barrier to in-person scams. The result is a society where you can walk into a new store, a restaurant, a bar, etc. with confidence.

And note that name collisions don’t matter in this system. There are tons of restaurants called “McDonalds,” all owned by different people. But each one has an address and a unique paper trail that leads to a specific person or business. If you can remember which one you visited, your advocate can follow the paper trail for that one in particular.

The idea of EV and OV certs was to use the power of encryption to hook your browser to this same set of offline paper trails. You wouldn’t even need to remember anything; the browser would maintain a log of the sites you visited for you. If you got scammed, you just look back in your history and forward the business info to your advocate or law enforcement.

The decentralized nature was a feature; businesses had the choice of which cert to get, who to buy it from, and users had the choice of browser. Competition and mutual distrust would create incentives for parties to hold each other honest.

To be clear, an EV or OV cert would not magically prevent scams. But they would provide cryptographic guarantees that an advocate or law enforcement could trace back to an entity, to prosecute or make you whole. Just like in a real life store.

Instead, browsers became dominated by companies who run for-profit search engines, app stores, and identity platforms. So today what is the advice for verifying a website’s legitimacy? Google it. Or get their app from the curated App Store.

The result is a web dominated by a few huge gatekeepers. SEO is life or death because Google is the only way for a website to be “real” for people.

And most techies went along with it because they shared the vested interest, or did not appreciate the existing system that creates the real life shopping experience we see every day.

And so where are we today? A new generation of techies trying to use the power of encryption to create a decentralized web. Web3.
y-c-o-m-b, over 3 years ago
> nobody is actually going to look beyond the lock anyway. (Yes, I know there'll be someone somewhere who eventually does, let's just agree that "nobody" is a number that rounds to 0%.) I mean seriously, do you ever do this?

Yes, yes I do... did. I'm in the US and get a vast array of bills coming from all kinds of different sources (utilities, doctors, etc.) that manage their payments via some random portal. Some of the "payment portals" they send me to are sketchy as hell and it brings me great anxiety to use them even though it guarantees my payment arrives on time and I don't have to fuss with snail mail (and its associated thefts). I *always* make sure they are https and I used to look "beyond the lock" to make sure a well-known CA was being used. Well as Troy mentions, it's effectively a worthless endeavor. I'm glad he's bringing this topic up to gain more visibility and awareness towards the issue.
brightball, over 3 years ago
I need to dig it up, but PayPal once did a security presentation on “trust indicators” like EV certs related to user behavior.<p>The conclusion was essentially that trust indicators offer no benefit at all and can even go as far as creating harm since it could encourage a user to trust an entity that they don’t know if the system is abused. The psychology of it boils down to this: people trust lots of sites, services and other people who haven’t paid extra for these trust indicators and because of that it’s not going to change their behavior at all.<p>On the flip side, inline and accurate warning indicators go a long way towards making users more cautious. Big red warnings from Google about users outside your domain for example.
blurker, over 3 years ago
I feel like a lot of commenters may not have watched Emily Schechter's video that was linked in the article. IMO it actually did a better job of explaining the problem with EVs than the author's post did. Or at least it was very complementary.

There are a lot of flaws in EV. I think the biggest one I saw was that it is effectively no more useful than TLDs/subdomains. In fact, it's worse, because unlike domains, there can be multiple owners of the same corporate name!

To the people saying there is a paper trail... What good is that? There are "paper trails" for domain registration too. But that isn't very reliable and the same would happen with corporate registration. We know this all too well from how wealthy people use shell corporations to hide. And I'm sure there will be plenty of places around the world where it will be easy to incorporate for bad actors, even if some places do a good job of creating a paper trail.

Fundamentally, this is a hard problem to solve and I really don't see EV solving this any better than domains.
nailer, over 3 years ago
> Remember, EV only works if people change their behavior in its absence and clearly, that just doesn't happen.

Web browsers told me they'd try better verification markers for years. They never did. So we don't know, except to say:

a. the 'green bar' verification marker isn't very effective.

b. the 'blue tick' logo as used for UIs like https://twitter.com/troyhunt hasn't been tried so browser makers have no data here.

It's a moot point: the realpolitik is browsers don't care about identity as it's not in their financial interest to do so.

Disclaimer: I spent 5 years of my life trying to verify the web.
zuzun, over 3 years ago
I don't see what's fundamentally wrong with EV certificates, as long as the certificate authorities do the proper verification. The certificates contain more than just the business name, so I think the criticism should be directed towards browsers that hide the relevant information behind 5 clicks.
zokier, over 3 years ago
Sure, EV certs might not be all that great, but I do find Troy's long-running crusade against them weird. I mean, it feels pretty disproportionate; like, does anyone care that some corpos end up paying a few hundred bucks extra for their certs or whatever? Isn't there an almost endless amount of more important issues in the security landscape?
bell-cot, over 3 years ago
Bluntly put, SSL Certificates exist (or at least are widely promoted and used in their current form) to protect the business models of a few very large corporations. Especially against parties like sleazy ISPs, who might love to (say) replace all the Google Ads on web pages which their customers view with new ads sold by the ISP.

Beyond that, it's all FUD, marketing, and hype. And at least 90% of any actual benefits to normal users of the web fall under "convenient side-effect of what the large corporations would have done anyway, for their own benefit".

[/cynic]
xg15, over 3 years ago
Genuine question: suppose you get a link from a known, nontechnical friend for some interesting product on Amazon. The link goes to:

https://amazon.shopping/...

How do you determine whether this is actually Amazon or a scammer?
zaptheimpaler, over 3 years ago
Right now, if what Troy is saying is true, then self-signed certificates are basically every bit as good as a LE cert - because no one actually verifies the chain of authority. But oh no, self-signing is a bad practice, and effectively useless because browsers will throw up warnings. So you go to LetsEncrypt and get a certificate that has a pretty green padlock.. because their `certbot` made it with 0 review of who you are or what the site does? How is this different at all?

I'm not an expert, but at a high level it seems to me that the only way to get trust is to tie every digital property to a real person, do some sort of KYC on them and allow for dispute resolution. The usual bureaucratic pains of doing anything in the real world would extend to the digital world, and the usual arguments about increase in regulation entrenching existing power structures and slowing innovation apply.
300, over 3 years ago
The problem is real and it's not the only one in this space. I was surprised to see so many words and so little substance. It feels like Troy didn't really try on this one.
throwaway984393, over 3 years ago
The funniest thing to me was always how any non-EV cert can be used in place of an EV cert if you want to MITM. Just find a way to generate a non-EV cert for a domain (from any of the hundreds of CAs) and go ahead and intercept traffic. Nobody will notice that the domain no longer uses an EV cert. The browser won't care. So it's not actually providing any security at all.

I blame the browsers. They could have made it perform *some* kind of check, give some kind of warning. We've had to drag them kicking and screaming to adopt every ridiculous security extension to the web. They still use half-ass measures like HSTS that are trivial to work around. Nobody look at the big pink elephant.
nixpulvis, over 3 years ago
The argument that 'Nobody Looks "Beyond the Lock"' is not really valid in my opinion. If even 0.001% look, there's a chance someone will blow the whistle on a sketchy operation. Not to mention that I might only look closely on some responses.

The other issues with EVs are more damning to me.
tgbugs, over 3 years ago
I've been coming around to the idea that the threat models that are often used for website identity are not the ones we want. The ssh threat model related to changes in host keys seems to me to be a better one.

The first time you connect to a website you get whatever identity it wants to show you. Whether it is a real site or not doesn't particularly matter, it only matters when the identity changes. If my first access was MITMed and then I connect to the "real" site, I should go and check to see what information changed, and if I sent any sensitive information I should probably do something to mitigate that (the exact action would depend on the exact type of info you sent). In the reverse case where you trust the original identity more than a changed identity you would ignore the event and might possibly want to inform the original entity that someone is trying to impersonate them.

Still fairly complicated for the original user, but certificate expiration would no longer be the insanity that it is now, and you can at least get transport security without the big scary self signed warnings that show up now.
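The ssh-style model tgbugs describes, together with the silent EV-to-DV swap throwaway984393 points out that browsers never flag, as an added example in Go (this is not code from the page or from any commenter): a known_hosts-style pin store that records the leaf's SPKI hash, issuer and validation level on first contact and classifies every later handshake as unchanged, key rotation, downgrade, upgrade or some other change. It never overwrites a pin on its own; the user re-pins after investigating, as with ssh. The Observation fields, the level ranking, and the hostnames, hashes and issuers in main are constructed for this example; the level string is assumed to have been derived from the certificate's policy OIDs by the caller.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"sync"
)

// Observation is what a client extracts from one TLS handshake. Level is the
// validation class the leaf asserts ("EV", "OV", "IV", "DV") or "self-signed"
// when no CA signed it at all. The field set is this example's own design.
type Observation struct {
	Host     string
	SPKIHash string // hex SHA-256 of the leaf's SubjectPublicKeyInfo, the thing ssh pins
	Issuer   string
	Level    string
}

// ObserveCert builds an Observation from a parsed leaf; the caller supplies
// the level it derived from the certificate's policy OIDs.
func ObserveCert(host string, leaf *x509.Certificate, level string) Observation {
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return Observation{Host: host, SPKIHash: hex.EncodeToString(sum[:]), Issuer: leaf.Issuer.String(), Level: level}
}

// Verdict is what the client should do with a fresh observation.
type Verdict int

const (
	FirstSeen  Verdict = iota // nothing pinned yet: record it, trust on first use
	Unchanged                 // same key, issuer and level as pinned
	KeyRotated                // new key, same issuer and level: plausible renewal
	Downgraded                // level fell (e.g. EV -> DV): the swap throwaway984393 describes
	Upgraded                  // level rose (e.g. self-signed -> DV): first contact may have been MITMed
	Changed                   // other change, e.g. a different issuer at the same level
)

func (v Verdict) String() string {
	return [...]string{"first-seen", "unchanged", "key-rotated", "DOWNGRADED", "upgraded", "changed"}[v]
}

// rank orders levels so a change of class can be called a downgrade or upgrade.
// Unknown levels rank lowest via the map's zero value.
var rank = map[string]int{"self-signed": 0, "DV": 1, "IV": 2, "OV": 2, "EV": 3}

// KnownHosts is the ssh known_hosts analogue: one pinned Observation per host.
type KnownHosts struct {
	mu   sync.Mutex
	pins map[string]Observation
}

func NewKnownHosts() *KnownHosts { return &KnownHosts{pins: map[string]Observation{}} }

// Observe compares a fresh handshake against the pin. Only FirstSeen writes
// the store; every other change is reported and left for the user to Accept,
// exactly as ssh refuses to silently overwrite a changed host key.
func (k *KnownHosts) Observe(o Observation) Verdict {
	k.mu.Lock()
	defer k.mu.Unlock()
	prev, ok := k.pins[o.Host]
	if !ok {
		k.pins[o.Host] = o
		return FirstSeen
	}
	switch {
	case prev == o:
		return Unchanged
	case rank[o.Level] < rank[prev.Level]:
		return Downgraded
	case rank[o.Level] > rank[prev.Level]:
		return Upgraded
	case prev.Issuer == o.Issuer && prev.Level == o.Level:
		return KeyRotated
	default:
		return Changed
	}
}

// Accept re-pins a host after the user has investigated a reported change.
func (k *KnownHosts) Accept(o Observation) {
	k.mu.Lock()
	defer k.mu.Unlock()
	k.pins[o.Host] = o
}

func main() {
	kh := NewKnownHosts()
	// Constructed observations standing in for three real handshakes.
	first := Observation{Host: "bank.example", SPKIHash: "3f1a...", Issuer: "CN=Example EV CA", Level: "EV"}
	swapped := Observation{Host: "bank.example", SPKIHash: "9c07...", Issuer: "CN=Some DV CA", Level: "DV"}
	for _, o := range []Observation{first, first, swapped} {
		fmt.Printf("%s %-4s via %-18s -> %s\n", o.Host, o.Level, o.Issuer, kh.Observe(o))
	}
}
```

The third line of output is the case the thread complains about: a validly signed DV leaf replacing a pinned EV one comes back as DOWNGRADED instead of passing silently. Pinning the SPKI hash rather than the whole certificate lets routine renewals that keep the key show up as Unchanged, while a renewal with a fresh key at the same issuer and level is only a KeyRotated, which is the one case worth a glance rather than an alarm.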
outloudvi, over 3 years ago
I guess the same idea also applies to QWAC.

https://www.eff.org/deeplinks/2022/02/what-duck-why-eu-proposal-require-qwacs-will-hurt-internet-security
Sytten, over 3 years ago
EVs have their place in the ecosystem; they are just useless for websites.

You still need them to properly sign binaries for Windows or get your logo showing in Gmail (BIMI), which are legit use cases where you want to verify the identity of the company.

The alternative to that is each business setting up its own verification mechanism similar to what Apple does, and you have to pay each one a good chunk of money. (Arguably the EV certs are not cheap either.)
panny, over 3 years ago
Says the site being MITMed by Cloudflare. Not that he's wrong, but glass houses...
bombcar, over 3 years ago
Ha the example site at the end has already been taken down.
coldcode, over 3 years ago
Snake Oil is a long standing business practice.
newaccount74, over 3 years ago
I am soooo grateful for LetsEncrypt -- before them, getting certificates was such a hassle. Even if you didn't fall for the EV or OV or whatever certs, just getting a DV cert was annoying. Every vendor had a slightly different web interface that was really annoying to use, and to get the cheapest price you usually had to go through a reseller, and they had even worse web forms.

LetsEncrypt is such a breath of fresh air. And the short 90 day validity period more or less forces you to set up an auto-renew script, so you can typically set it and forget it.

And if you mess something up, they even email you to warn that your cert is about to expire!