In the case of a DV certificate it's exactly what it says, validating the ownership of a domain, and nothing more. While users _may believe_ that TLS is supposed to protect them from malware, hackers, or 'untrustworthy' sites in general _it is not_. TLS exists to encrypt the connection between a client and a server.
What users expect, because of poor wording by people conveying the use of TLS in the past (I think we are all probably a bit guilty of perpetuating this error), should not dictate how CAs actually operate. On 05/17/2016 12:36 PM, Peter Gutmann wrote: > Hubert Kario <hka...@redhat.com> writes: > >> then users expect impossible > > Users expect CAs to be something other than certificate vending machines. The > fact that CAs fail to do this is a problem with browser PKI and CAs, not with > users. > > (There have been numerous cases of security people reporting CA-certified > phishing and malware sites to the CAs that did it. The general response has > been "not our problem, they paid their money and we gave them a cert". So > even if you tell the CA, they're likely not going to fix it). > > Peter. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- Roland Bracewell Shoemaker Software Engineer Linux Foundation / Internet Security Research Group _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
