The Special Power of
Extended Validation
Web Site Certificates
(If you are not using Internet Explorer,
the "Green" REALLY means something!)


During our deep dive into web browser certificate technology for
our Fingerprints page, we discovered something wonderful
about Extended Validation (EV) certificates!

Here's what we discovered:
GRC was already a web site whose encrypted connections were validated by extended validation (EV) security certificates (note the special green coloration shown in your browser's address bar), but we had (wrongly) assumed that this meant only that:
  • We had been required to prove, to an extra degree of certainty, that we really
    were who we claimed to be. (We were and are.)
  • That we would need to pay more for the privilege of having and displaying the
    green address bar. (We did and will.)
  • That the maximum duration of the identity authenticating certificate was shorter,
    so we'd have to go through all that rigamarole more often. (It is, and we will.)
  • But that it wasn't, otherwise, in any other way, different from regular web site
    security certificates . . . and THAT'S where we were very, wonderfully, wrong!

The HTTPS Fingerprints page explains carefully how and why a regular web site's SSL/TLS security certificate CAN be readily (and too easily) spoofed by anyone able to add a root certificate to the user's local trust store. But it turns out that . . . 

Extended Validation certificates are
COMPLETELY SPOOF PROOF!
(Unless you're using Internet Explorer)

Here's what we discovered:
The CA/Browser Forum, an association of certificate authorities and browser vendors, deliberately established the extended validation certificate program as a rigorous means of verifying identity information and the authority of individuals at organizations requesting SSL certificates.

They SPECIFICALLY recognized the problem of certificate spoofing created when malware (or anyone wishing to intercept and monitor private encrypted communications) is able to plant, inject, or install their own fraudulent root authority certificates into an end-user's computer. This is, of course, exactly the problem and practice that we address, explain, and provide tools for defeating on our Fingerprints page.

The simple solution they arrived at was: for the sole purpose of determining a site's EV status, the browser completely ignores the system's collection of root authority certificates. Instead, each properly designed web browser contains an embedded list of the comparatively few certificate authorities that are qualified to sign extended validation certificates.

Properly designed web browsers (Internet Explorer is not one) contain a
private, built-in list of fingerprints (hashes) of the EV-authorized
root certificates, each paired with that authority's EV policy OID. ONLY
server certificates whose chain ends at one of those roots, and which
carry the matching policy OID, will be shown as EV.

Theoretical purists will shout that doing such a thing inherently breaks “PKI” — the Internet's Public Key Infrastructure. And they would be right. And that's exactly the point. The public key infrastructure is a beautiful, cleverly designed and highly scalable system. It's one of the few things we got right as the Internet was being born. But by being as open as it is, being based upon a “local store” of trusted authority root certificates, it is also inherently vulnerable to corruption of that local authority root store. As we know, that is how remote server authentication can be faked, and how supposedly-secure SSL/TLS/HTTPS connections can be silently intercepted and secretly eavesdropped upon.

We know there are legitimate defenders of secure connection interception and monitoring. And we understand their position and their stated rationale and justification for monitoring all corporate communications. But not EVERYONE who might do so has benign intent. And the beauty of EV certificates is . . . while EV cannot prevent a connection from being intercepted, thanks to the use of a private embedded EV-certified authority list (in properly designed browsers) . . . 

Any EV site being intercepted will LOSE its green EV display status!
(It will show as “secure”, but it won't show as EV.)

In other words, this site — WWW.GRC.COM — uses extended validation certificates. If you are viewing this site through a properly designed web browser, you can only see the green EV indication if the connection is NOT being intercepted!

In that sense, for EV-enabled web sites, when viewed with properly designed web browsers, the simple indication of EV status is a much easier and more user-friendly interception test than certificate fingerprint matching. What it detects is interception that relies on a planted local root: a certificate mis-issued by a genuine EV authority would still chain to a listed root and would still show as EV, so the test is only as strong as the EV authorities themselves.

The trouble, of course, is that the use of EV certificates is still comparatively limited, so it's not possible to test for the interception of every site simply by checking its EV status. And also, how do you know for sure that any given site SHOULD BE EV? That's where GRC's Fingerprinting and Custom Site Fingerprinting come in handy:

First:
You know that GRC is an EV site. So while you are using the Fingerprints pages, if you get EV status (and you're not using Internet Explorer) you absolutely know that the page has NOT been intercepted and tampered with. So you can trust and believe everything it shows.

Second:
Now that you can absolutely trust that GRC's pages are not being intercepted and modified, the Fingerprints page shows the true EV status of the top popular sites, and of any other sites you may wish to check. This allows you to determine whether you should see EV status for any other site.

Third:
If a specific site is not EV, you can still fall back to verifying its certificate fingerprints, secure in the knowledge that the fingerprints you are being shown are authentic and have not been tampered with.

The Trouble With Internet Explorer

It's difficult to understand how they could have messed this up so badly. Especially when the correct behavior is so clear. And it's truly unfortunate, since so many people still rely upon Internet Explorer (IE) for their default web browsing. What's more, Microsoft has been putting a great deal of effort and resources into recent versions of IE in an attempt to rehabilitate its previously well-earned reputation as the worst, least secure, and most dangerous web browser for the Internet.

Somewhere within Microsoft, someone thought:

Ooooo! Wouldn't it be cool to be able to have corporate
Intranet servers also show up as highly trusted extended
validation servers . . . even though they are not!??
And in making that possible, by allowing certificates chained to any locally trusted root to be displayed as EV in Internet Explorer, they instantly rendered ALL of Internet Explorer's display of extended validation web sites completely meaningless.

Here's a page, where Microsoft writes:

The Extended Validation tab is used by administrators to add an Extended Validation (EV) certificate policy to root certificates that are distributed by Group Policy. Adding the EV certificate policy to root certificates and certificates issued to intranet Web sites provides a visual indicator that a site is trustworthy. 


In tests, we were easily able to create our own server-spoofing certificates then, with a few mouse clicks, “bless them” with EV status and turn Internet Explorer's address bar a comforting, and worse than meaningless, green.
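The two decision procedures described above (the embedded EV list used by properly designed browsers, and Internet Explorer's acceptance of an EV policy attached to any locally trusted root) are modelled side by side in the following added example. It is not code from GRC, Mozilla, Google or Microsoft. Certificates are stand-in records whose DER field is a constructed byte string, no signatures are verified, and the root store, the embedded EV list and the two www.grc.com chains are all constructed sample data; the only real value is the CA/Browser Forum EV policy OID 2.23.140.1.1.

```python
"""Model of the two ways a browser can decide to show the EV indicator.

Added example for this page; not code from GRC, Mozilla, Google or
Microsoft.  Certificates are stand-in records (the 'der' field is a
constructed byte string, and no signatures are checked).  What is
modelled is only the trust decision: is the chain's root in the local
trust store, and does EV come from the browser's embedded list
(Firefox/Chromium) or from a policy an administrator attached to a root
in that same store (Internet Explorer)?
"""
import hashlib
from dataclasses import dataclass

# The CA/Browser Forum EV policy OID (a real value).  Each root on a
# browser's embedded list is paired with the EV OID it may assert.
EV_OID = "2.23.140.1.1"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes                            # constructed stand-in, not real DER
    policies: frozenset = frozenset()     # certificatePolicies OIDs on the cert


def fingerprint(cert):
    """SHA-256 over the certificate bytes; browsers key EV lists this way."""
    return hashlib.sha256(cert.der).hexdigest()


def chain_is_linked(chain):
    """Leaf first, root last; each issuer must be the next subject."""
    if not chain or chain[-1].issuer != chain[-1].subject:
        return False
    return all(chain[i].issuer == chain[i + 1].subject
               for i in range(len(chain) - 1))


def status_embedded_ev(chain, trust_store, embedded_ev):
    """Firefox/Chromium model.  Trust comes from the (possibly polluted)
    local store; EV ONLY from the browser's built-in list."""
    if not chain_is_linked(chain):
        return "untrusted"
    root_fp = fingerprint(chain[-1])
    if root_fp not in trust_store:
        return "untrusted"
    ev_oid = embedded_ev.get(root_fp)
    if ev_oid is not None and ev_oid in chain[0].policies:
        return "secure-ev"
    return "secure"


def status_gpo_ev(chain, trust_store):
    """Internet Explorer model.  The trust store itself says which EV
    OIDs a root may assert, so whoever can plant a root (and push a
    Group Policy) can also grant it EV."""
    if not chain_is_linked(chain):
        return "untrusted"
    root_fp = fingerprint(chain[-1])
    if root_fp not in trust_store:
        return "untrusted"
    if any(oid in chain[0].policies for oid in trust_store[root_fp]):
        return "secure-ev"
    return "secure"


# --- constructed sample data -------------------------------------------
EV_ROOT = Cert("EV Root CA", "EV Root CA", b"stand-in-der:ev-root")
PROXY_ROOT = Cert("Corp Proxy CA", "Corp Proxy CA", b"stand-in-der:proxy-root")

# Genuine chain for www.grc.com, and the chain an interceptor presents
# instead (it copies the leaf's policy OID, but signs with its own root).
GENUINE = [Cert("www.grc.com", "EV Root CA", b"stand-in-der:grc-genuine",
                frozenset({EV_OID})), EV_ROOT]
INTERCEPTED = [Cert("www.grc.com", "Corp Proxy CA", b"stand-in-der:grc-forged",
                    frozenset({EV_OID})), PROXY_ROOT]

# The browser's embedded EV list: root fingerprint -> EV OID it may assert.
EMBEDDED_EV = {fingerprint(EV_ROOT): EV_OID}

# Local root store: root fingerprint -> EV OIDs an administrator attached.
CLEAN_STORE = {fingerprint(EV_ROOT): {EV_OID}}
POLLUTED_STORE = {**CLEAN_STORE, fingerprint(PROXY_ROOT): {EV_OID}}


def compare(chain, trust_store):
    """What a Firefox/Chromium-style browser and an IE-style browser show."""
    return (status_embedded_ev(chain, trust_store, EMBEDDED_EV),
            status_gpo_ev(chain, trust_store))


if __name__ == "__main__":
    print("genuine, clean store:      ", compare(GENUINE, CLEAN_STORE))
    print("intercepted, clean store:  ", compare(INTERCEPTED, CLEAN_STORE))
    print("intercepted, planted root: ", compare(INTERCEPTED, POLLUTED_STORE))
```

With the interceptor's root planted in the local store, the embedded-list model still reports the forged chain as merely "secure", because the planted root's fingerprint is not on the built-in EV list; the Group-Policy model reports it as "secure-ev", because the same store that was polluted with the root is also the store that hands out EV status. Without the planted root, both models reject the forged chain outright.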

Here's a how-to page on Microsoft's Technet site, where Microsoft brags:

One feature that is new with Windows Server 2008R2 / Windows 7 is the ability to configure your internal certification authority hierarchy to issue certificates that can show as Extended Validation certificates. For those of you who do not know, this means that you will get a shaded green bar within Internet Explorer proving that a site is ‘extra trustworthy’.

[Note that the author used single-quotes around ‘extra trustworthy’. He must have read our mind because, of course, the green coloration now means nothing at all.]

What Browsers are Trustworthy?

Since both Mozilla's Firefox and Google's Chromium (the open-source project on which Chrome is built) are open source, we were able to inspect the way EV certificates are validated. They maintain their own private internal lists of trusted EV certificate authorities and will ONLY display the green EV coloration when the server's certificate has been signed by a chain of certificates terminating in one of those known root authorities. This means that they cannot fall prey to EV spoofing the way Internet Explorer was designed to.

The EV handling within Opera and Safari is unknown. They are closed source browsers, and they do not appear to publish any formal statements about their handling of EV certificates. (If anyone does have any definitive information about Opera or Safari, please drop us a line.)

So, until we learn more about Opera and Safari, we know that you can rely upon either Firefox or Chrome to tell you the absolutely unspoofable truth about the EV status of any web site you visit. (And you also know that you absolutely cannot rely upon Internet Explorer.)



Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: May 09, 2013 at 13:05