28 Feb 2022
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
A planned EU regulation about so-called Qualified Website Authentication Certificates (QWACs) is causing concerns among security researchers and browser vendors. The QWACs concept has existed for several years, but has not gained much traction.
Today most certificates are so-called Domain Validation (DV) certificates and bind the identity of a host name—like www.google.com—to a cryptographic key. The idea of QWACs is to have further information—most notably, a company name—in a certificate.
QWACs share a very similar concept with Extended Validation (EV) certificates. As most of our readers probably know, in the past, browser vendors used to display a green bar containing a company name in front of a URL for a site using an EV certificate.
But in 2019, the major browser vendors decided to no longer show the green bar and thus no longer give EV certificates any special treatment in the user interface. This was the result of intense discussions around the value of EVs. Most notably, the notion of EV certificates providing any higher security assurance relies on the expectation that users will notice the green bar and will not, for example, enter their credentials on a web page that does not show it. But it has been shown that users usually don’t notice that difference. A research paper published at the 2019 USENIX conference based on user experiments came to the following conclusion: “We find that most metrics of user behavior are unaffected by its removal, providing evidence that the EV indicator adds little value in its current form.”
Further evidence of the limited usefulness of EV indicators came from natural experiments; that is, major sites like Facebook and Twitter have sometimes used EV certificates, and then stopped using them. The change was not widely noted by users, indicating that the idea that EV certificates can prevent phishing does not seem plausible. Some security professionals went as far as arguing that EV certificates provide less security, as their issuance cannot be automated.
Another point of criticism was that people often don’t know the company names of the services they interact with and that company names are not unique. The latter was demonstrated by Ian Carroll, who was able to obtain an EV certificate for Stripe, though not for the well-known payment provider: it was for another company of the same name that he had registered himself.
Despite all this controversy around EV certificates, the planned EU regulation, which is an update of the European Identity Framework, could impose requirements on browsers to give QWACs special treatment very similar to EV certificates. Thus the first major point of criticism is that QWACs are simply trying to revive a concept that was widely considered flawed and obsolete by the TLS community. Scott Helme discusses that point in detail in a blog post.
But there is an even more concerning aspect of the QWACs proposal: the certificate authorities that would issue these certificates would be decided by the EU member states, and browsers would be forced to accept those, even if they don’t comply with existing security rules. The EU keeps a list of Trust Service Providers (TSPs) that are eligible for QWACs.
Mozilla writes in a position paper that “the security practices for TSPs that issue QWACs are tangibly weaker than Mozilla’s own Root Program policies.” In 2019, Mozilla had already provided a list of concerns and incidents tied to the security vetting of these Trust Service Providers.
Thus, if implemented, these plans could mean that browsers would be forced to give special treatment to TLS certificates that have been issued by entities held to a lower standard than the other certificate authorities.
We asked the European Commission’s press office for a comment about these concerns, but the office hasn’t replied as of the publication of this newsletter.
Update (28 Feb 2022):
We originally mentioned Camerfirma as an example of a CA still trusted for QWACs that was distrusted by browsers. In fact, while Camerfirma is still listed in the Trusted Service Providers list, its status for issuing QWACs has been withdrawn. We apologize for this mistake and have removed the misleading paragraph.
Update (3 Mar 2022):
On 3 March 2022 a group of well-known cryptography and TLS researchers addressed the issue in an open letter organized by Mozilla. They warn that the proposal would have the effect of “dramatically weakening web security”.