19 tweets, 6 min read
As entertaining as the whole EV thing is in some respects, I do sit back and question my own knowledge and views in the background too. A very common thing that keeps coming up in defence of EV, is phishing. I did some reading and here are a few interesting things.
Every piece of data I've looked at so far, including PhishLabs and the APWG, show that phishing is on the rise and it's a massive problem. I believe and hope that everyone will agree with that, but there are interesting stats around phishing on HTTPS.
Look at this Netcraft data on certificate issuance to phishing sites, that's quite a remarkable trend and indicates a shift of phishing sites moving from HTTP to HTTPS.
source: news.netcraft.com/archives/2017/…
Data from PhishLabs almost mirrors this exact trend when they're looking at the % of phishing sites on HTTPS.
source: info.phishlabs.com/hubfs/2019%20P…
We then have to ask ourselves, why? Well, if we look at the % of general web traffic moving to HTTPS as a whole, perhaps we can piggyback on that. Here are the stats provided by Let's Encrypt on page loads using HTTPS in Firefox browser.
source: letsencrypt.org/stats/
Whilst there's some relation there, the trends certainly don't line up enough to put the recent growth in phishing on HTTPS down to growth of HTTPS in general. I also don't believe that phishers are conscientious enough to look after our traffic!
Instead, we can put this down to phishers abusing the lack of understanding around browser security indicators, specifically the connection security indicator, and using that confusion to their advantage. Take a look at this PhishLabs survey.
source:
Only 18% of those responding knew the meaning of the 'green lock', everyone else got it wrong. We're not even diving into the nuances of DV vs. OV vs. EV here, this is a plain and simple question asked by a *phishing specialist* on Twitter.
This is why we've seen browsers start to deprecate and remove their positive UI elements for connection security. Users don't truly understand them and that lack of understanding leads to wrong decisions which cause harm.
Here are some links to info on these changes in Chrome Browser.
security.googleblog.com/2016/09/moving…
security.googleblog.com/2018/02/a-secu…
Now that we've established that understanding browser UI is a problem, and that users often don't understand it, how can we make a distinction between DV UI and EV UI? The simple truth is, we can't.
We can't sit here and argue that phishing is a problem, phishing on HTTPS with a DV cert is an even bigger problem but that if we used an EV cert then phishing is solved! It's crazy, and, if you think about it, the argument doesn't stack up.
Phishers are using DV certs *because* users don't understand them, *because* users place faith and trust in them. To suggest that 'more certificate stuff' is the answer to our problems with certificates is crazy. Positive UI is dead.
Going off-piste a little from the EV thing, but browser UI needs to be simplified even further to help the user. Take the following URL on my site, perfect for hosting a phishing site! Could a user reliably parse this?...
Let's break it down into scheme, subdomains, domain, path, query params and fragment. Also note I'm being fair and there's no username, password or port which could also be there!
If you could give the user just one piece of information about this site, which would it be? The domain, right?.. Honestly, I feel like that's all we need. People know google dot com, amazon dot com, netflix dot com, not all this other crap in the address bar.
I suggest this though and people on the Internet go crazy. I want the URL, stop hiding information, etc... No problem, just click into the address bar and display the full URL for copy/paste purposes. There is another valid concern that often comes up though.
Hosting sites like GitHub Pages are a problem. Nobody wants a phishing subdomain to look like the real domain here! That's what the Public Suffix List is for. Read the second bullet point on their site here: publicsuffix.org
Anyway, this thread was an opportunity for me to challenge my own thoughts, share some of them and share some interesting data! /thread
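As an added illustration of the two points the thread makes about URLs (breaking one down into scheme, userinfo, host, port, path, query and fragment, and using the Public Suffix List so that a GitHub Pages style hostname is not collapsed to the hosting provider's domain), here is example code that is not part of the thread and not Scott Helme's own. It goes slightly beyond the thread by carrying the PSL lookup through to the registrable domain, which is the one piece of information the thread argues a browser should show. The URLs and the tiny Public Suffix List subset below are constructed for the example; a real implementation would load the published list from publicsuffix.org and honour its wildcard and exception rules, which this subset ignores.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org) for this
# example only. The real list has thousands of rules, including "*." wildcard
# and "!" exception entries, which this simplified lookup does not implement.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "io", "uk", "co.uk", "org.uk",
    "github.io",  # private-section entry: every user site gets its own "domain"
}


def split_url(url):
    """Break a URL into the components the thread lists, including the
    userinfo and port that are usually absent but can legitimately appear."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
    }


def _labels(host):
    return host.lower().rstrip(".").split(".")


def public_suffix(host):
    """Longest rule in PUBLIC_SUFFIXES that matches the end of the host.
    If nothing matches, the PSL algorithm treats the last label as the suffix."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host):
    """Public suffix plus one label: the part a user could actually register.
    Returns None when the host is itself a public suffix (e.g. 'co.uk')."""
    labels = _labels(host)
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def subdomain_part(host):
    """Everything in front of the registrable domain, or '' if there is none."""
    domain = registrable_domain(host)
    if domain is None:
        return ""
    labels = _labels(host)
    return ".".join(labels[: len(labels) - len(domain.split("."))])


def display_name(url):
    """The single piece of information the thread argues the address bar
    should lead with: the registrable domain of the URL's host."""
    host = urlsplit(url).hostname
    return registrable_domain(host) if host else None


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts are real sites.
    samples = [
        "https://user:pw@accounts.mail.example.co.uk:8443/sign-in?next=%2Finbox#top",
        "https://someuser.github.io/project/page.html",
        "https://www.example.com/",
    ]
    for url in samples:
        for key, value in split_url(url).items():
            print(f"{key:>9}: {value}")
        print(f"  display: {display_name(url)}\n")
```

The `github.io` rule is what keeps `someuser.github.io` from being shown as just `github.io`: because the suffix is two labels long, the registrable domain is three labels, so each user site is treated as its own domain, exactly the concern the thread raises about hosting providers.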