I was working on a posting on the way the budget and the parallel announcement of the Digital Communications Infrastructure strategy should help transform the climate for investment when Jim Prideaux, one of whose concerns is the hollowing out of the security skills of Government, pointed out a splendid ambiguity in the budget statement announcement on plans to save money from rationalising IT spend: “Budget 2015 announces that, following a successful trial, the Government will implement ‘Gov.UK Verify’ – a new way for people to prove their identity on-line when using government services – across central government“. Does this mean that the trials to date have been successful? Or does it mean that Verify will only be implemented when the trials have been successful?
Jim has blogged for me before on the strange history of the Government Verify programme and I have no doubt he will do so again. Meanwhile one of his erstwhile colleagues is trying to calculate how much it would cost to fraudulently acquire the identity of someone dependent on benefits using the routines proposed by the suppliers whose services are currently being tested. After wading through pages of gobbledygook he came to the conclusion that it could cost as little as £250 to acquire (via existing publicly available services) and scan the paper documentation and/or generate the digital footprint that would satisfy some of the supposedly agreed providers. I await his detailed working but this may explain why mainstream “trust” services are reluctant to get engaged – other than to certify those who they already “know” via more robust routines, including physical presence.
Jim, however, points out that Verify hasn’t got around to ‘level 3’, and the current (watered-down) level 2 (balance of probability – not properly defined) envisages doing everything online because the costs of manual paper-handling would exceed the budget: Level 1 – self asserted – doesn’t need any third party, so no justification for paying for one. He also thinks it may be easier to take over an account after it has been created because that may need no more than a quick look around the device being used for access. He is more concerned about denial of service (from failed masquerades), followed by the imbuggerance (which I assume is a spook technical term equivalent to “compromise”) of two factor authentication while a smart phone is being used for browsing and text, thus ensuring that it adds no security.
Jim goes on as follows:
“The recent scare over another false security certificate at the heart of widely used products and services should remind us of the vulnerability of those who assume that all certification routines are equally valid. The complexity of the chain of trust in which the compromise occurred means no-one should be surprised. After the £8M for damage caused by Companies House for a missing ‘s’, we should spare a thought for those trying to understand the liabilities for online transactions, which jurisdictions apply, whose services they can trust for what and the recourse available to them if that trust turns out to be misplaced.
How confident can you be that the Gov.UK website you visit is secure?
The supposedly monolithic gov.uk relies on a variety of chains of trust. When you get past ‘This web site does not supply ownership information’ the www.gov.uk chain (see foot of this blog for details) starts in Ireland, then goes through the US. Meanwhile the chain for *.blog.gov.uk starts in Sweden, and comes via Salford. MI5.gov.uk and SIS.gov.uk use US-based certificates.
If you go to a German government site the chain is shorter and simpler, based on German certificates. Other nations can have stranger chains of trust. www.whitehouse.gov comes to you “securely” using a trust chain that says it starts in the Irish Republic, and ends up in the US via the Netherlands.
Is this ‘security theatre’, or does it matter? Will it help to have the .uk namespace under the control of Nominet? That is if there is a way to check that the control is more than nominal?
Should you be worrying about how you can verify that you are indeed using a secure link to a trustworthy website, following the padlock (or warning triangle) in the top left? Your browser probably has a few hundred roots of trust, possibly including those from countries you’ve not heard of. By looking at ‘subject’ in ‘further information’, you can see where the chain of trust starts in this case, and then how it follows down to where you are.
The policies under which these certificates are issued can be searched for. Even if you find the right ones (and how can you be sure?) somewhere in the dense legalese, probably at paragraph 9.8, will be some modest limit for you and all other users combined, and para 9.14 will identify the relevant jurisdiction.
For commercial transactions for ordinary users, the credit card terms may be more relevant, not least because the customer only needs one. Someday it might even follow the model envisaged in the recent EU eIDAS Regulation, but what happens for the public sector/government sites that offer a secure link? Remembering that many, including the GCHQ website and transparency.number10.gov.uk do not.”
P.S. The Gov.UK chains of trust referred to by Jim appear to be as follows:
CN = *.blog.gov.uk https://identityassurance.blog.gov.uk/
OU = EssentialSSL Wildcard
OU = Domain Control Validated
is provided by
CN = EssentialSSL CA
O = COMODO CA Limited
L = Salford
ST = Greater Manchester
C = GB
which comes from
CN = AddTrust External CA Root
OU = AddTrust External TTP Network
O = AddTrust AB
C = SE
www.gov.uk says “This web site does not supply ownership information” but the chain appears to be as follows:
CN = www.gov.uk
O = Government Digital Service
L = London
ST = England
C = GB
is issued by
CN = DigiCert High Assurance CA-3
OU = www.digicert.com
O = DigiCert Inc
C = US
in turn issued by
CN = Baltimore CyberTrust Root
OU = CyberTrust
O = Baltimore
C = IE
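The check Jim describes (reading each certificate's subject and issuer to see where a chain of trust starts and which jurisdictions it passes through) can be scripted against the subject/issuer lines that `openssl x509 -noout -subject -issuer` prints for each certificate in a chain. The example below is added here and is not part of the original post; the DN strings are constructed to match the www.gov.uk chain listed above, and the `parse_dn` and `walk_chain` names are the example's own.

```python
"""Walk an X.509 chain given as (subject, issuer) DN strings, leaf first, and
report the issuing countries plus any link where issuer(n) != subject(n+1).
Added example for this post; DN strings are constructed from the chain above."""
import re

# Constructed sample: one (subject, issuer) pair per certificate, leaf first,
# as a server would send them and as `openssl x509 -subject -issuer` prints them.
GOV_UK_CHAIN = [
    ("CN = www.gov.uk, O = Government Digital Service, L = London, ST = England, C = GB",
     "CN = DigiCert High Assurance CA-3, OU = www.digicert.com, O = DigiCert Inc, C = US"),
    ("CN = DigiCert High Assurance CA-3, OU = www.digicert.com, O = DigiCert Inc, C = US",
     "CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE"),
    ("CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE",
     "CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE"),
]


def parse_dn(dn):
    """Split 'CN = x, O = y, C = GB' into an ordered list of (attr, value).
    A value wrapped in double quotes may itself contain commas."""
    parts = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,]*)', dn)
    return [(k, v.strip().strip('"')) for k, v in parts]


def attr(dn, key):
    """Return the first value of attribute `key` (e.g. 'C') in a DN, or None."""
    return next((v for k, v in parse_dn(dn) if k == key), None)


def walk_chain(chain):
    """Return (countries leaf->root, broken links).  A broken link is
    (index, issuer CN, next subject CN or None) where the issuer named on
    certificate `index` does not match the next certificate's subject."""
    countries, breaks = [], []
    for i, (subject, issuer) in enumerate(chain):
        countries.append(attr(subject, "C"))
        if i + 1 < len(chain):
            nxt = chain[i + 1][0]
            if parse_dn(issuer) != parse_dn(nxt):
                breaks.append((i, attr(issuer, "CN"), attr(nxt, "CN")))
        elif parse_dn(issuer) != parse_dn(subject):
            # Last certificate is not self-signed: the root is missing.
            breaks.append((i, attr(issuer, "CN"), None))
    return countries, breaks


if __name__ == "__main__":
    path, problems = walk_chain(GOV_UK_CHAIN)
    print("trust chain (leaf -> root) passes through:", " -> ".join(path))
    print("root country:", path[-1], "| broken links:", problems or "none")
```

Run against a real server, feed it the `subject=`/`issuer=` output of `openssl s_client -showcerts` piped through `openssl x509`, one pair per certificate; a non-empty `breaks` list means the presented chain does not link up to the root your browser would trust.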
P.P.S. A reader has just pointed out The Register article which explains the ambiguity.