The Special Power of Extended Validation Web Site Certificates | |
(If you are not using Internet Explorer, the "Green" REALLY means something!) |
During our deep dive into web browser certificate technology for
our Fingerprints page, we discovered something wonderful
about Extended Validation (EV) certificates!
|
The HTTPS Fingerprints page explains carefully how and why a regular web site's SSL/TLS security certificate CAN be readily (and too easily) spoofed. But it turns out that . . .
Extended Validation certificates are COMPLETELY SPOOF PROOF! (Unless you're using Internet Explorer) |
They SPECIFICALLY recognized the problem of certificate spoofing created when malware (or anyone wishing to intercept and monitor private encrypted communications) is able to plant, inject, or install their own fraudulent root authority certificates into an end-user's computer. This is, of course, exactly the problem and practice that we address, explain, and provide tools for defeating on our Fingerprints page.
The simple solution they arrived upon was: For the sole purpose of determining a site's EV status, they would completely ignore the system's collection of root authority certificates. Instead, each of the properly designed web browsers contains an embedded list of the comparatively few certificate authorities who are qualified to sign extended validation certificates.
Properly designed web browsers (Internet Explorer is not) contain a private list of hashes (signatures) of the public keys of EV-authorized root certificates. ONLY server certificates which have been signed by one of the EV-authorized authorities will be shown as EV. |
Theoretical purists will shout that doing such a thing inherently breaks “PKI” — the Internet's Public Key Infrastructure. And they would be right. And that's exactly the point. The public key infrastructure is a beautiful, cleverly designed and highly scalable system. It's one of the few things we got right as the Internet was being born. But by being as open as it is, being based upon a “local store” of trusted authority root certificates, it is also inherently vulnerable to corruption of that local authority root store. As we know, that is how remote server authentication can be faked, and how supposedly-secure SSL/TLS/HTTPS connections can be silently intercepted and secretly eavesdropped upon.
We know there are legitimate defenders of secure connection interception and monitoring. And we understand their position and their stated rationale and justification for monitoring all corporate communications. But not EVERYONE who might do so has benign intent. And the beauty of EV certificates is . . . while it may not be possible to block their interception, thanks to the use of a private embedded EV-certified authority list (in properly designed browsers) . . .
In other words, this site — WWW.GRC.COM — uses extended validation certificates. If you are viewing this site through a properly designed web browser, you can only see the green EV indication if the connection is NOT being intercepted!
In that sense, for EV-enabled web sites, when viewed with properly designed web browsers, the simple indication of EV status is a much easier and more user-friendly interception test than certificate fingerprint matching.
The trouble, of course, is that the use of EV certificates is still comparatively limited, so it's not possible to test for the interception of every site simply by checking its EV status. And also, how do you know for sure that any given site SHOULD BE EV? That's where GRC's Fingerprinting and Custom Site Fingerprinting comes in handy:
It's difficult to understand how they could have messed this up so badly. Especially when the correct behavior is so clear. And it's truly unfortunate, since so many people still rely upon Internet Explorer (IE) for their default web browsing. What's more, Microsoft has been putting a great deal of effort and resources into recent versions of IE in an attempt to rehabilitate its previously well-earned reputation as the worst, least secure, and most dangerous web browser for the Internet.
Somewhere within Microsoft, someone thought:
“Ooooo! Wouldn't it be cool to be able to have corporate Intranet servers also show up as highly trusted extended validation servers . . . even though they are not!??” |
Here's a page, where Microsoft writes:
In tests, we were easily able to create our own server-spoofing certificates then, with a few mouse clicks, “bless them” with EV status and turn Internet Explorer's address bar a comforting, and worse than meaningless, green.
Here's a how-to page on Microsoft's Technet site, where Microsoft brags:
[Note that the author used single-quotes around ‘extra trustworthy’. He must have read our mind because, of course, the green coloration now means nothing at all.]
Since both Mozilla's Firefox and Google's Chrome/Chromium browser projects are fully open source, we were able to inspect the way EV certificates are validated. They maintain their own private internal lists of trusted EV certificate authorities and will ONLY display the green EV coloration when the server's certificate has been signed by a chain of certificates terminating in one of those known root authorities. This means that they cannot fall prey to EV spoofing the way Internet Explorer was designed to.
The EV handling within Opera and Safari are unknown. They are closed source browsers, and they do not appear to publish any formal statements about their handling of EV certificates. (If anyone does have any definitive information about Opera or Safari, please drop us a line.)
So, until we learn more about Opera and Safari, we know that you can rely upon either Firefox or Chrome to tell you the absolutely unspoofable truth about the EV status of any web site you visit. (And you also know that you absolutely cannot rely upon Internet Explorer.)
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
Last Edit: May 09, 2013 at 12:05 (4,230.21 days ago) | Viewed 25 times per day |