There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought-out post, which starts from the wrong place:
Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.
I think that defining the issue as stronger identity standards is likely to worsen the problems of phishing and pharming. A higher bar to jump over will simply mean that when phishers jump that bar, they’ll be more successful, because more indicators will act to reassure users. That higher bar will be operated by ‘Certification Authorities’ (CAs), whose focus will be keeping costs down. This is not helpful to the consumer whose identity is being stolen. The value of that identity (and the credit granted) is more than any business would like to spend on a digital certificate. So we need to move security, in a usable way, to the control of the consumer who is at risk. To do that, we need better persistence of identity information.
That is, we want the bank we visit tomorrow to be the same bank we visited yesterday. More validation by the CA doesn’t achieve that. It achieves a tighter bond between the name on the certificate and the name on the server. Frank Hecker has a long post, “CAs, certificates, and the SSL/TLS UI,” in which he outlines what the extended validation system might be. He also refers to Tyler Close’s “Petname,” which I wasn’t aware of. The idea is that you nickname a site. I think that’s awesome, and a better direction than more reliance on CA processes.
Persistence of identity can be hard, because the identity of a website is often made complex. But that doesn’t mean it’s the wrong solution, only that businesses will have to put effort into helping customers make it work. The importance of this effort is less open to question when your customers are threatening to go back to the more reliable brick store fronts. As Tyler Close demonstrates, it’s possible to build something that works in the consumer’s model of the world: “That’s right, I’ve been to this site.”
This is a user-centered, rather than a CA-centered, approach. The user-centric approach means that the security target is distributed. Further, local names mean that the user is drawn into making security persistence decisions. (Whether that’s a good idea is open to question.) But the user could be encouraged to name sites, and then bookmark them. (I discuss the value of bookmarks as a persistence tool in “Preserving the Internet Channel Against Phishers.”) Will this work better than the CA model? It’s hard to say without actually observing users in testing.
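The persistence model sketched above, as an added illustration written for this post (my own code, not Tyler Close’s Petname implementation or any browser’s): a hypothetical store binds a user-chosen nickname to the SHA-256 fingerprint of the site’s certificate at the moment the user names it, so a later visit can say “I’ve been to this site,” and a bookmark that lands on a validly issued but different certificate is flagged regardless of what any CA vouched for. The certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
import json
from typing import Dict, Optional

def fingerprint(cert_der: bytes) -> str:
    # SHA-256 of the certificate bytes: the identity that gets persisted, not the CA's name
    return hashlib.sha256(cert_der).hexdigest()

class PetnameStore:
    # Hypothetical store: user-chosen nickname -> fingerprint pinned when the user named it
    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    def name_site(self, petname: str, cert_der: bytes) -> None:
        # The user names a site on a visit they trust; that binds the name to this key
        if petname in self.pins:
            raise ValueError(f"{petname!r} is already bound; call check() first")
        self.pins[petname] = fingerprint(cert_der)

    def recognise(self, cert_der: bytes) -> Optional[str]:
        # On any visit: show the petname if this certificate was named before, else nothing
        fp = fingerprint(cert_der)
        return next((name for name, pinned in self.pins.items() if pinned == fp), None)

    def check(self, petname: str, cert_der: bytes) -> str:
        # Following a named bookmark: "match", "mismatch" (the browser should warn), "unknown"
        pinned = self.pins.get(petname)
        if pinned is None:
            return "unknown"
        return "match" if pinned == fingerprint(cert_der) else "mismatch"

# Constructed stand-ins for certificate bytes (not real DER)
BANK_CERT = b"constructed cert: CN=example-bank, key=A"
LOOKALIKE_CERT = b"constructed cert: CN=example-bank, key=B"  # validly issued, different key

def demo() -> Dict[str, Optional[str]]:
    yesterday = PetnameStore()
    yesterday.name_site("my bank", BANK_CERT)
    # "Tomorrow": the store is reloaded from its persisted JSON form
    today = PetnameStore(json.loads(json.dumps(yesterday.pins)))
    return {
        "recognised": today.recognise(BANK_CERT),            # "my bank"
        "same_bank": today.check("my bank", BANK_CERT),      # "match"
        "lookalike": today.check("my bank", LOOKALIKE_CERT), # "mismatch"
        "never_named": today.recognise(LOOKALIKE_CERT),      # None
    }

if __name__ == "__main__":
    print(demo())
```

Legitimate certificate rotation also produces a mismatch, so a real browser would treat it as a prompt to re-confirm the name rather than as proof of fraud; that is the persistence decision the user is being drawn into.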
The “trusted certificate authority” model has had a decade or so to demonstrate its value. It’s time we tried something else.