by niftich 1983 days ago
This is a good article about the weaknesses of the trust models of navigation on the web. The author uses a password manager that also fulfills the role of a personal 'have I seen this site before?' database, which helps them associate a URL to its conceptual entity, in their quest to determine if the site they visited was the site they intended to visit.

In this exact form, this is a feature that's absent from mainstream browsers today. Because browsers do not have this, people instead turn to all sorts of other signals to judge the site's identity, but each one of those signals is designed for another purpose, and ought not to be used directly by the user to make such a determination. But no other signals are available, so they get used nonetheless.

Some people look at the URL before clicking it, or the URL bar in the browser after they've already navigated to the site, and try to judge from the URL whether the site belongs to the entity they intended to visit. This is fallible for a bunch of reasons, including: (1) people often read visually instead of comparing codepoint-by-codepoint, so reading errors or homoglyph attacks are possible, and browsers can only meaningfully mitigate against the latter; (2) very few people keep a computerized allow-list, so they check against expectations in their head; and (3) some organizations will make use of domain names that greatly differ from their own name, which works contrary to the instinct of a URL-judging user who considers themselves 'cautious', and it's difficult to stay aware of all this.

Some people look at the TLS certificate, and try to judge from the information displayed by the browser about the cert whether the site belongs to the entity they intended to visit. This is fallible for a bunch of reasons, including (1) DV certs only prove that someone (i.e. anyone) had control of the domain at the time near the cert's issuance, so its value as a trust signal to the user ought to be zero and immediately reduce to the prior case of mentally validating the URL by its character content; (2) EV certs validate against a legal entity in some jurisdiction, but as the 'stripe.ian.sh' stunt has demonstrated, jurisdiction-by-jurisdiction registries of legal entities are a tool for a different use-case and were never intended to collectively ensure globally unique Organization names; and (3) in their rush to ensure widespread TLS deployment on all sites, and their involvement with efforts to bring short-lived cost-free DV certs to everyone, browser-makers began de-emphasizing the UI distinctions between DV certs and EV certs some time before the true shortcomings of EV as a user-facing trust signal were widely demonstrated.

Some people look for the visual design of the website. This is trivial to fake.

Some people will rely on browser-resident bookmarks, browser history, or 'top sites' tiles to navigate to common sites they've visited before (or to sites the browser-maker pre-loaded into the listing). This is a great way to preserve the trust chain and reduce the likelihood that the user arrives at an unintended site by mistake. But these features do not directly address the case of a person navigating to a URL they were linked or provided from an arbitrary source, such as the example raised in the article.

Building blocks exist today that could be used by publishers and browser-makers to aid users in judging URLs. Some of these will require past UX decisions to be undone.

For example, top sites could become their own Root Certificate Authorities [1] and be listed in browser trust stores; these companies would be expected to issue certs for sites associated to themselves. This would eventually reshape the cert landscape so that a parent-child relationship between issuer and subject could be meaningfully distinguished from a 'provider and customer' relationship. Companies that provide services to others, such as payment processors, could also become root CAs and sign for their customers. These changes, and a browser UX that once again shows the cert issuer, would go a long way towards reducing the likelihood that users are fooled by sites trying to impersonate top sites.

If this were to come to pass, other CAs would be expected to pivot to minting certs that play the role of a trustmark, by conferring a degree of ongoing assurance that's useful to the user (which, in fairness, was the original point behind EV certs). They would do this by establishing strong brands around their trustmark, issuing certs for a short lifetime, and monitoring the site on an ongoing basis to see if it's still deserving of their trustmark. This would result in a business model similar to those of EV certs, but a trust model that's based on the user's trust in the CA's exercise of good judgment befitting their brand.

[1] https://news.ycombinator.com/item?id=13495262
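The comment's 'have I seen this site before?' check and its codepoint-by-codepoint point, as an added Python example that is not part of the comment or the article it discusses: a URL's host is tested against a constructed allow-list of previously seen hosts, Unicode and punycode spellings are compared as equal, and a small confusable map (an assumption, not a complete table) flags hosts that only look like a seen one.

```python
"""Judge a URL against a personal allow-list of hosts the user has knowingly
used before, flagging lookalikes that a visual read of the URL bar would miss."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list standing in for the password manager's database.
SEEN_HOSTS = {"stripe.com", "news.ycombinator.com", "example.org"}

# Partial, hand-picked map of Cyrillic/Greek letters to the Latin letters they
# resemble (an assumption for this example; a real checker needs a full table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",
})

def host_of(url: str) -> str:
    """Lower-cased host with any trailing dot removed ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so both spellings of a host compare equal."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters

def to_ascii(host: str) -> str:
    """IDNA-encode a host; this is the exact, codepoint-level comparison key."""
    return host.encode("idna").decode("ascii")

def skeleton(host: str) -> str:
    """Approximate what a human sees: fold confusables and the 'rn' -> 'm' read."""
    folded = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    return folded.replace("rn", "m")

def scripts_of(host: str) -> set:
    """Unicode scripts present, approximated by the first word of each char name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def judge(url: str, seen=SEEN_HOSTS) -> str:
    """'seen', 'lookalike:<host>', 'mixed-script', or 'unseen' for the URL's host."""
    host = to_unicode(host_of(url))
    if to_ascii(host) in {to_ascii(h) for h in seen}:
        return "seen"
    twin = {skeleton(h): h for h in seen}.get(skeleton(host))
    if twin:
        return f"lookalike:{twin}"
    if len(scripts_of(host)) > 1:
        return "mixed-script"
    return "unseen"
```

A 'seen' verdict is the only one that answers the commenter's question; 'unseen' hosts such as stripe.ian.sh are exactly the ones the URL bar and the certificate cannot settle for the user.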