Extended Validation (EV) SSL certificates are the first significant advance in digital certification since the adoption of the X.509 standard certificates for SSL. The creation of EV SSL certificates came about in response to a pressing business need. It is likely that additional needs will emerge and the EV SSL standard will evolve in response. Of course, we cannot predict the future, but we can use our understanding of past experiences and current challenges in business to venture possible paths of EV SSL certificate evolution.
This chapter frames the discussion of the future of EV SSL certificates around:
It is often best to start with a look to the past to understand what might lie ahead.
Information security, at least as we know it, has a relatively short history. We do not have the advantage of historians who study the rise and fall of empires or evolutionary paleontologists who study the fossil record for insight into past ages. They can examine facts and artifacts across generations and see recurring patterns that are not limited to a particular time and a particular place. Instead, we have a short and rapidly changing history.
Changes in the information security landscape occur in spans of months, weeks, days, and even hours. Take the recent Storm worm. This malware has changed to avoid detection, respond to threats, and find the right balance of spreading to as many devices as possible without becoming so exposed that it is likely to be taken down. The worm began spreading in January 2007 and quickly spread to account for up to 8% of all Windows-based malware. One of the reasons the malware is so resilient is that servers that distribute the code modify the application twice an hour to make detection more difficult.
The Storm worm and botnets have managed to automate a common pattern in the history of information security: the cat and mouse game. Attackers find a way to compromise a system, systems administrators and security professionals close the vulnerability or create a countermeasure, and the attackers search for, and eventually find, another way to compromise the system. Needless to say, the systems administrators and security professionals respond as expected to mitigate the new threat and the process repeats.
Figure 5.1: The evolution of information security has been a pattern of attacks begetting countermeasures which beget attacks and so on.
As a prelude to examining emerging threats, it is useful to examine a few examples of how threats have changed; in particular, the changes in
Each of these present distinct types of threats to information security, but their development paths exhibit common patterns.
The first malware appeared in the 1970s on the Arpanet, the precursor to the Internet. A program known as Creeper that infected the Tenex operating system (OS) would display the message 'I'M THE CREEPER : CATCH ME IF YOU CAN.' on infected systems. A clean up program, called Reaper, was deployed to eliminate Creeper, and so began the first iteration in the many cycles of malware attack and counterattack. For our purposes, the evolution of malware can be divided into three stages with subsequent stages representing more complex malicious code.
Early viruses and worms were relatively simple by today's standards, but as with their contemporary counterparts, early viruses and worms took advantage of vulnerabilities in OSs and applications to spread. Throughout the 1980s, viruses spread on Apple and IBM PC platforms taking advantage of the fact that OSs were stored on floppy disks with no logical access controls. Viruses spread when floppy disks were shared. Malicious code could copy itself to memory and then to other floppies, thus spreading the infection.
The first Internet worm also appeared in the 1980s. Known as the Morris Worm, it took advantage of vulnerabilities in email and network utility programs to spread. Unfortunately, the rapid spread of the worm created an unintended Denial of Service (DoS) attack on compromised servers.
Both early viruses and worms could be detected and eliminated relatively easily with basic pattern recognition techniques. As the motivation to create viruses and worms moved beyond pranks and experiments, malware writers, like bacteria in antibiotic-rich environments, had to adapt to survive. And just as some pathogens use a kind of chemical camouflage to disguise their presence in host organisms, programmers turned to obfuscation to avoid detection.
Attempts to mask viruses using encryption were a start at reducing the chance of detection, but they did not go far enough. It is true that a virus that replicated itself and then encrypted the copy with a random key could not be detected by signature-based antivirus programs. The problem for virus writers, though, was that the program had to be decrypted before it could run. This meant that viruses had to carry a decryption module along with their payload, and that was their Achilles' heel: antivirus programs could use signatures to identify the unencrypted decryption module. Encrypting the payload was not enough; every part of the code that malware spreads must be obscured, and the patterns must change frequently and randomly enough to make signature-based detection impossible.
Polymorphic viruses change patterns in executable code without changing the function of the code. When replicating a piece of malware, a polymorphic module injects nonsense instructions, for example A = A + 0, into the code. These extra instructions do not change the behavior of the program, so they can be injected anywhere, including into decryption modules and the polymorphic module itself. Signature-based detection was no longer sufficient.
Rather than examining the structure of viruses, which could now change, antivirus researchers turned to examining the one thing that did not change: the program's behavior. With behavior-based detection, suspected malware is run inside a sandbox environment and monitored for tell-tale signs of virus or worm activity.
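The three steps just described (a constant decryptor stub that a signature still catches, padding that defeats a fixed byte pattern, and detection that looks past structure to content) can be shown with a few dozen lines of Go. This is an added illustration, not code from the book; the byte strings are constructed sample data, not malware, and the names Scan, BuildEncryptedSample, InsertPadding and DetectByUnpacking are assumptions of this example. The single-byte XOR brute force in DetectByUnpacking is a deliberately small stand-in for the emulate-until-it-unpacks approach real engines use; it is not the sandbox monitoring the text describes.

```go
package main

import (
	"bytes"
	"fmt"
)

// Signature is one fixed byte pattern a signature-based scanner searches for.
type Signature struct {
	Name    string
	Pattern []byte
}

// Constructed sample data, not real malware: a stand-in "decryptor stub" that a
// self-encrypting program must ship in the clear, and the plaintext body the
// stub would restore before the program runs.
var (
	decryptorStub = []byte{0xD0, 0xC0, 0xDE, 0x00, 0xFF, 0xEE, 0x01, 0x02}
	plainBody     = []byte("CONSTRUCTED SAMPLE BODY: CATCH ME IF YOU CAN")
	stubSignature = Signature{Name: "toy-stub", Pattern: decryptorStub}
)

// Scan returns the names of every signature whose pattern occurs in sample.
func Scan(sample []byte, sigs []Signature) []string {
	var hits []string
	for _, s := range sigs {
		if bytes.Contains(sample, s.Pattern) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}

// xorBytes applies a single-byte XOR key; applying it twice restores the input.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// BuildEncryptedSample models the first evasion the text describes: the body is
// encrypted under a per-copy key, but the decryptor stub in front of it is constant.
func BuildEncryptedSample(key byte) []byte {
	return append(append([]byte{}, decryptorStub...), xorBytes(plainBody, key)...)
}

// InsertPadding stands in for the polymorphic "A = A + 0" trick: a do-nothing
// byte after every code byte leaves the behaviour alone but breaks any fixed pattern.
func InsertPadding(code []byte, pad byte) []byte {
	out := make([]byte, 0, 2*len(code))
	for _, b := range code {
		out = append(out, b, pad)
	}
	return out
}

// DetectByUnpacking looks past the changing structure to the unchanging content:
// try every single-byte key and check for the known plaintext marker. Real engines
// generalise this by emulating the sample until it unpacks itself, which is the
// behavior-based step the text describes.
func DetectByUnpacking(sample, marker []byte) (key byte, found bool) {
	for k := 0; k < 256; k++ {
		if bytes.Contains(xorBytes(sample, byte(k)), marker) {
			return byte(k), true
		}
	}
	return 0, false
}

func main() {
	sigs := []Signature{stubSignature}
	for _, key := range []byte{0x00, 0x5A, 0xA5} {
		fmt.Printf("key %#02x: signature hits %v\n", key, Scan(BuildEncryptedSample(key), sigs))
	}
	padded := append(InsertPadding(decryptorStub, 0x90), xorBytes(plainBody, 0x5A)...)
	fmt.Println("padded stub: signature hits", Scan(padded, sigs))
	key, found := DetectByUnpacking(padded, []byte("CATCH ME IF YOU CAN"))
	fmt.Printf("unpacking detection: found=%v key=%#02x\n", found, key)
}
```

Running it shows the stub signature firing on every encrypted copy regardless of key, the same signature missing the padded copy, and the content check still recovering the body from the padded copy: the cheapest detection that still works at each stage, which is the point the next paragraph makes.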
The evolution of malware gives us our first indication of the economy of effort in the cat-and-mouse game so often seen in information security. Antivirus researchers used signature-based detection, a low-complexity solution, to combat malware as long as possible. Malware developers then tried a simple approach to avoiding detection, but encryption turned out to be too simple. Then, only when malware writers devised the means to circumvent structural detection did antivirus researchers move on to the more complex behavior-based detection. A similar pattern of minimal changes to remain effective can be seen in phishing as well.
Phishing has always been about tricking users into disclosing information. At first, well-known and popular companies and brands were targeted. This made sense and followed the pattern of minimal effort and maximum efficiency seen before.
Phishers may spam hundreds of thousands or more email addresses with lures. How can they be sure the lures will look sufficiently legitimate to maximize the number of people who are tricked? Initially, the answer was to use the names of large institutions such as Citibank, eBay, Paypal, and other businesses with large customer bases. Chances are many of the recipients will have an account with one of these organizations.
The problem for phishers, though, is that as the public learned of phishing schemes, it was more difficult to convince users that lures were legitimate. Phishers honed their lures and in some cases changed their methods. We can expect to see more adaptations, such as:
Spear phishing is a smaller, more targeted form of phishing. Spear phishing schemes often use smaller, regional businesses and target fewer victims than early, blanket-phishing schemes. Spear phishing has a number of advantages for phishers:
Many of the same anti-phishing techniques that are effective against blanket phishing, such as Web site reputation checks and EV SSL certificates, work with spear phishing schemes as well.
Phishing has traditionally depended on email to deliver a lure. As spam and phishing filters improve, phishers are looking for new ways to deliver lures. One such method is through e-commerce sites. A basic scheme is as follows: A phisher sets up a fraudulent e-commerce site and purports to sell products. The site uses application programming interfaces or other techniques to get product and pricing information from legitimate sites. When the site is queried for prices on a product, it returns a lower price than its competitors. Unsuspecting buyers attempt to purchase the item and in the process provide phishers with names, addresses, and credit card information. Again, EV SSL certificates can reduce the effectiveness of this kind of phishing scheme.
The rise of social network phishing demonstrates another characteristic of information security— attackers follow the herd. The more potential victims adopt a technology, such as email, instant messaging, smartphones, and social networking, the more attackers will be lured to try to exploit the platform.
The wealth of personal information is an obvious reason for phishers to harvest data from social networking sites. Attackers have also used social networking sites to lure victims. A MySpace worm appeared in 2006 that exploited vulnerabilities in the social networking platform to change links in a victim's page that would lead visitors to a phishing site instead of the original site linked to by the victim.
Phishers are making small changes in their methods (for example, by targeting smaller pools of potential victims and using regional rather than national business) as well as adapting more varied distribution techniques (such as e-commerce and social network phishing). Similar to the pattern seen with the history of malware, phishing is a dynamic and adaptive phenomenon.
Botnets are networks of compromised computers that can be controlled by unauthorized users. Botnets are blamed for generating most of the spam that floods email systems, for launching distributed DoS (DDoS) attacks, and for providing compute resources for other malicious activities, such as password cracking.
The architectures and functions of botnets have changed as those who create and control these networks strive to grow and maintain their ill-gotten resources. Early botnets used a hierarchical command and control structure (see Figure 5.2). This architecture had the advantage of being easy to implement yet effectively delivered the needed functionality. A serious drawback, however, is that once the command and control node was identified and isolated, the botnet no longer functioned.
Figure 5.2: Early botnets used a hierarchical command and control structure.
A move to peer-to-peer architectures (see Figure 5.3) introduced more resilient botnets. No single command and control node managed the entire network, so it was no longer possible to disable the botnet by removing one node. If a management node was removed, another node could assume its role. Variations on the design, such as distributing partial lists of other bots in the network to nodes, are used to balance efficiency with resiliency.
Figure 5.3: Peer-to-peer botnets use a distributed command and control model that is more likely to withstand the loss of some nodes.
Recently, investigators have discovered that the Storm botnet is using defensive measures, including DoS attacks to prevent researchers from learning too much about the network.
As the history of malware, phishing, and botnets shows, there are common patterns discernable in the development of security threats:
It is not unreasonable to assume that similar patterns will continue to appear. It is also safe to assume that EV SSL certificates will be used in new ways and the EV SSL standard itself will change to adapt to new threats.
At this point, it is time to shift our attention from the past and begin to examine ways in which the still-young EV SSL standard might adapt to meet needs just on the horizon.
The CA/Browser Consortium developed EV SSL certificates to address the compelling need for better protections against phishing. By establishing a standard that is widely backed by certifying authorities (CAs) and browser developers, the group not only solved an immediate need but created a framework that can be used for additional needs as well.
There is no way to know for certain the next set of applications for EV SSL certificates, but some possibilities include:
In each case, the ability to rely on a trusted third party to enforce well-defined standards of business practice enables these potential services.
For many years, malware largely targeted desktop OSs and applications. The popularity of Windows and other Microsoft products, such as Word and Outlook, made them prime targets for attackers. Recently, malware targets and delivery mechanisms have shifted toward the browser.
Many kinds of browser- and Web server-based attacks are occurring:
EV SSL certificates are immediately useful today in the case of the victims being redirected from legitimate Web sites to malware delivery sites. Had a victim been to a financial site displaying a green bar and then automatically redirected to a non-green bar site, the victim would have an obvious visual cue that something was wrong.
As for attacks that lure people to other sites but make no significant attempt to hide obvious clues, the lack of a green bar in the address line might help, but that is debatable. It could help because users would not have to read an actual URL to notice that a patch for a product from Company A is coming from a site with a completely different name. There is also the fact that some consolidated download sites offer drivers and patches for many products, and users could easily confuse a rogue site for one of these legitimate service sites. Today's EV SSL certification is not a guarantee that a site is free from malware; however, certifying a site or a business that follows security management best practices is a possible future extension of EV SSL certificates.
For more information about security certifications and other potential applications for EV SSL certificates and related certificates, see the section Possible Extensions for EV SSL Certificates later in this chapter.
Privacy concerns are a long-standing issue in information management. State, national, and transnational governments have enacted legislation to protect the privacy of individuals in a range of circumstances:
The Federal Trade Commission (FTC) in the United States has also undertaken a number of privacy initiatives; see http://www.ftc.gov/privacy/index.html for details.
In addition to the privacy protections established in legislation, individuals may enter into agreements with businesses. For example, companies often define privacy policies related to data they collect on Web sites. Today, users would have to read through sometimes legalistic policies to know what their rights and responsibilities are. They would also have to understand the implication of clauses indicating the rights of the site owners to change the policy at any time. Following the EV SSL certificate model, companies might want to distinguish themselves by the level of privacy they guarantee to protect.
Consider the case of the emerging business of personalized genome sequencing. Companies are now offering customers the chance to sequence their own DNA and search for indications of genetic predispositions to diseases or to better understand one's ancestry. Although there may be many individuals who would like to have this kind of information, there are privacy concerns:
Right now, customers can ask these questions but have no guarantees other than the claims of the business providing those services. Potential customers might be more willing to engage in such a service if the policy statements were not only clear and agreeable but also recognized as enforced by a trusted third party.
A possible extension to EV SSL certificates is a certified privacy practice. In such a model, CAs would follow an established standard to review companies' privacy policies, audit the companies' data management practices, and verify that privacy policies are adhered to. This kind of new service would require a new standard or standards, but much of the service infrastructure in place for EV SSL, such as registering authorities (RAs), CAs, and browser developers, could be reused for privacy protections.
We have seen examples in this chapter of malware threats from compromised Web sites. News stories bring to the public's attention the problem of information lost due to a range of causes:
Customers may begin to wonder, if they don't already, how secure are the companies they do business with? We expect governments and large financial institutions to have the resources to maintain sound security practices, but what about other businesses? How are consumers to decide which businesses to trust with their information?
Ideally, businesses would have a security equivalent of the electrical device industry's Underwriters Laboratories (UL). Such a trusted third party would test and verify that the security practices of an organization meet an established standard. If this could be done, and it is not at all clear that it could be, here are some possible criteria for evaluation:
Perhaps security management standards, such as ISO 27002, could be used as a foundation for such an evaluation. Security management is, however, a complex area. Even relatively narrow standards, such as the Payment Card Industry (PCI) Data Security Standard (DSS), have met with mixed reactions. Some businesses find that the standards leave too much room for interpretation, and others find the implementation cost prohibitive.
Assuming for the moment that the difficulties with establishing a standard could be overcome, the EV SSL certification infrastructure could be readily applied here. Digital certificates could be issued to companies that meet established standards. Those certificates could then trigger a visual cue in a browser when a customer visits the company's site and people would know that a trusted third party is vouching for the security practices of the business.
EV SSL certification was developed to provide a trustworthy way of demonstrating that businesses are legitimate operations and are actually who they claim to be. This is only possible with the combined resources and commitment of CAs and browser developers. As we have seen with privacy and security considerations, the business and technical infrastructure in place for EV SSL certificates is amenable to use for other certification services.
Expanding the types of certifications will likely be driven by market need but could include diverse interests such as:
Basically, when a business wants to make a claim about its operations, practices, and products and wants a trusted third-party verification that cannot be forged by frauds, it could use the same business and technology resources created for EV SSL certificates. In the future, we will likely see the emergence of business certifications that go beyond the scope of the current EV SSL certificates. We will also likely see additional uses of EV SSL certificates to improve browsing.
The browser plays a central role in the use of EV SSL certificates. Through the browser, users are made aware of the EV status of a business. There is no need to find certificate options in browser menus or try to make sense of public key cryptography details stored there. Instead, users have a pronounced visual cue with the green bar. They also have simple access to additional data about the business by clicking on the vendor name at the end of the green bar. There may be additional visual cues embedded in browsers in the future; it is also likely that independent developers may extend browser functionality with add-ons that make use of EV SSL certificates.
One possible improvement to browser interfaces is the use of EV SSL certificates to filter search results. Currently, when a user searches for a particular item, say "camping equipment," search engines return results based on how well the search terms match with the content of the site. This process is site-centric in that the sites control, to some degree, how well they match particular terms. The well-established industry of search engine optimization (SEO) is a testament to how much effort goes into designing sites to improve the chance of high ranking in search results.
EV SSL certificates offer a chance to turn more control over to users if, that is, a browser plug-in could be designed to allow users to filter results based on the existence of EV SSL certificates. The plug-in could work like this:
The speed of this process could be improved if the search engine cached EV SSL certificate data; if that were the case, there would be no need to visit the Web site before listing the entry. This would require the search engine to check the status of the EV SSL certificate fairly frequently and a reasonable balance would have to be struck between frequently checking the status and maintaining adequate search performance.
Advertisements are commonplace on the Internet. We see them in search results, in online email services, on social networking sites, on blogs, and on many of our favorite Web sites. Today, we depend on a variety of methods to ensure that we shop with reputable businesses. For example, users might:
These solutions are a start but they have serious limitations. Advertising services are largely automated. As long as one can pay the bills, one can generate key word-based ads and have them served up in related contexts. Online advertising companies sell ads; they are not necessarily security screeners.
Add-on integrity checkers are an improvement over blind faith in advertising firms, but their data is limited to what can be determined by crawling the site or registering as users and tracing spam back to those sites. These services are definitely useful and worth employing, but they are not as comprehensive as an EV SSL certificate-based approach.
Web sites can subscribe to the advertising services that provide ads tied to the content of the site. The site designers in such cases do not screen advertisers; thus, assuming that vendors advertising at a favorite Web site are as trustworthy as the site creators is a mistake. A better solution is to use ad filtering software that allows advertisements only from EV SSL certificate sites. Such an add-on could work like the search result filtering process described in the previous section.
It should be noted that some Web site creators who earn revenue through ads frown upon blanket ad blocking. A Firefox add-on called AdBlock Plus prompted a wholesale effort to keep all Firefox users from accessing ad-supported sites, regardless of whether the user had installed an ad blocking component. The Why Firefox Is Blocked campaign provides arguments why ad blocking is unfair. Similar arguments could probably be made for ad filtering.
The green bar is an effective way to quickly convey information with a visual cue, but there may be additional ways to leverage EV SSL certificates to provide an improved and more secure browsing experience for users.
As noted earlier, EV SSL certificates and the business processes that support their creation and distribution, are well suited to other areas in which a trusted third party can vouch for the integrity of a business or system. We will consider three such potential applications:
As the efficiencies of delivering software as a service grow, there will be a growing need to certify aspects of Web applications. This is especially true of services that will either store sensitive data or have access to intellectual property and trade secrets. These include:
There are probably many other examples one can think of that involve trusting an application or service that runs in a browser.
Today's EV SSL can address some of these needs. For example, an accountant logging into an online ERP service would notice the EV SSL-specific green bar. Other systems, such as code analysis programs, may be used as part of an automated workflow process.
For example, at the end of the day programmers may check in code to a repository. An automated process then collects modules, compiles them and builds an application that is run through a series of regression tests and code analysis applications. Before sending proprietary code to an outsourced service, one had better be sure it is going to the right place. An automated method for verifying the information contained in an EV SSL certificate used by a code analysis service would meet that need. In some cases, it is not just a particular service that must be verified, but the quality of business processes as well.
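Both the search-result filter sketched in the browser section and the unattended check described here come down to the same two operations: decide whether a certificate is EV, and read the vetted business identity out of its subject. The Go program below is an added example, not code from the book or from any CA or browser vendor. It builds constructed, self-signed certificates (so chain validation to an EV-trusted root, which a real client must also do, is not shown) and assumes the function names IsEV, EVIdentityOf, FilterEVSites, VerifyExpectedOrganization and MakeSampleCert; the EV policy OID 2.23.140.1.1 and the jurisdictionCountryName attribute are the ones the CA/Browser Forum EV Guidelines define.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs: the EV policy identifier and the jurisdiction attribute are defined in
// the CA/Browser Forum EV Guidelines; certificatePolicies is from RFC 5280.
var (
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// IsEV reports whether the certificate asserts the EV certificate policy. A
// browser would also require the chain to end at a root it trusts for EV.
func IsEV(cert *x509.Certificate) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oidEVPolicy) {
			return true
		}
	}
	return false
}

// EVIdentityOf returns the vetted organization name and jurisdiction country
// from the subject of an EV certificate; ok is false for non-EV certificates.
func EVIdentityOf(cert *x509.Certificate) (org, country string, ok bool) {
	if !IsEV(cert) || len(cert.Subject.Organization) == 0 {
		return "", "", false
	}
	for _, atv := range cert.Subject.Names {
		if s, isStr := atv.Value.(string); isStr && atv.Type.Equal(oidJurisdictionCountry) {
			country = s
		}
	}
	return cert.Subject.Organization[0], country, true
}

// FilterEVSites keeps only the URLs whose site presents an EV certificate; the
// map stands in for certificates the plug-in fetched or the search engine cached.
func FilterEVSites(sites map[string]*x509.Certificate) []string {
	var kept []string
	for url, cert := range sites {
		if cert != nil && IsEV(cert) {
			kept = append(kept, url)
		}
	}
	return kept
}

// VerifyExpectedOrganization is the unattended check a build pipeline would run
// before sending code to an outsourced service: the certificate must be EV,
// match the service host name, and name the business the contract is with.
func VerifyExpectedOrganization(cert *x509.Certificate, host, org, country string) error {
	if err := cert.VerifyHostname(host); err != nil {
		return err
	}
	gotOrg, gotCountry, ok := EVIdentityOf(cert)
	if !ok {
		return fmt.Errorf("%s: certificate is not EV", host)
	}
	if gotOrg != org || gotCountry != country {
		return fmt.Errorf("%s: certificate names %q (%s), expected %q (%s)", host, gotOrg, gotCountry, org, country)
	}
	return nil
}

// MakeSampleCert builds a constructed self-signed certificate with an EV-style
// subject; the EV policy OID is included only when ev is true.
func MakeSampleCert(org string, ev bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: "www.example.com", Organization: []string{org}, Country: []string{"US"},
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: "US"}},
		},
		DNSNames:  []string{"www.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ev { // certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
		policies, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	evCert, _ := MakeSampleCert("Example Corp", true)
	dvCert, _ := MakeSampleCert("Example Corp", false)
	fmt.Println("EV results:", FilterEVSites(map[string]*x509.Certificate{"https://www.example.com/tents": evCert, "https://www.example.com/stoves": dvCert}))
	fmt.Println("pipeline check:", VerifyExpectedOrganization(dvCert, "www.example.com", "Example Corp", "US"))
}
```

Two design points carry over to real deployments. The host name check comes first: an EV certificate for the right organization presented by the wrong host is exactly the kind of redirection the chapter warns about. And the pipeline compares the organization and jurisdiction the CA vetted, not the domain name, because the domain is the part a fraudulent look-alike can most easily match.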
Professional organizations and standards bodies have established best practices and sometimes have ways to recognize adherence to these best practices. Compliance with stringent standards is one way to distinguish oneself in a crowded market. For example, a company that earns ISO 9000 quality certification would understandably want to make their achievements known to customers. The ISO 9000 family of standards addresses a wide array of quality controls including:
How can a business that achieves and maintains the quality business processes required to earn ISO 9000 and similar certifications convey this to customers? Displaying logos from certifying organizations is one option, but visitors can reasonably question whether such displays are legitimate. Bogus sites used in phishing scams routinely steal the entire look and feel of a legitimate business's Web site. A digitally signed EV SSL certificate from a trusted third party used along with a certification logo can provide assurance that a company has legitimately earned recognition.
Let us consider a hypothetical business situation: An entrepreneur has an idea for a new business that provides services online. The entrepreneur is an expert in a particular business domain but not information technology (IT). She already outsources accounting and legal services, so she decides to outsource some IT services as well. She would like to:
There are companies offering these services, but how is the entrepreneur to know which businesses are sound and follow IT management best practices? How is she to know—if some of the providers in the market are resellers—that their providers follow sound practices? Online businesses depend on the quality of their providers just as brick and mortar businesses do. Can small and midsized businesses send inspectors into providers' sites to inspect the quality of the way services are delivered? Would they know what to look for?
Following the model of EV SSL certificates to use trusted CAs, one can easily envision a model for certifying online services. It would be especially useful, for example, when visiting a service provider to be able to access the full chain of service providers that are used to deliver a service. For example, when visiting a service, it would be useful to know whether that provider uses other services and, if so, whether the additional services have also been certified as following industry best practices.
Figure 5.4: A hypothetical example of the type of information that could be displayed to describe a chain of certifications indicating the quality of services provided.
EV certificates are a major step forward in helping establish the trustworthiness of Web-based services. Phishing has been, and almost certainly will continue to be, a problem that plagues businesses and their customers for the foreseeable future. EV SSL certificates provide the best method yet for distinguishing legitimate businesses from fraudulent sites. Earlier chapters have examined the business case for EV SSL certificates and provided some details on the new certificate's standards. In this chapter, we have turned our attention to the future.
IT and security are as dynamic as the free market itself. New opportunities and demands crop up constantly. The EV SSL certificate has established a model for using a combination of trusted third parties and secure digital certificates to attest to the integrity of a Web site. If the conjectures of this chapter withstand the test of time, we will see a wide array of extensions to EV SSL certificates that address as-yet-unmet requirements of business.