On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote:
> > Not really - what matters is that the user insists they got had via a
> > phishing link or other process - that can certainly be verified after the
> > fact
>
> No.
Why's that? This is how investigations begin.

> > - did someone steal their money in a sketchy way, but with apparent user
> > authorization? Further, the user swears back and forth that the green bar
> > was there and they looked to see that it matched the site's name - their
> > bank, PayPal, etc.
>
> All users will swear this if it avoids liability. And let’s be honest, it’s
> actively hostile to users to say they bear liability if they don’t do this
> - for every click of the page.

I'm confused. I never suggested that the user's assertion that they saw this would cause any change in liability. In fact, anyone responsible would explain that to the user even as the user tries to report it. The value would be that if the certificate that managed to sway the user can be found and tracked down (which should be possible via CT), the possibility exists that the person(s) responsible for the deception may ultimately be caused to suffer for their deception.

Real-world contracts, business relationships, and statutes define who is responsible for what frauds and torts arise in engaging in commerce, whether online or not. EV status is not about shifting liability. A significant value that EV does provide (or at least has strong potential to provide) is the ability of a user to assess the EV certificate and its most essential contents as one additional factor to rely upon in the calculus of whether or not to assume the risk of entering certain confidential data into the website they are visiting.

> > All EV certs are CT logged, find the cert or homograph from there, track
> > to issuer and validation details, chase the entity document path, etc.

One should presume that if the presented EV certificate confused the user who relied upon it into thinking they were dealing with a particular party, then its contents should contain sequences or homograph sequences that closely mirror what the real site would indicate.
> And of course ignoring all the innocent bystanders along the way - such as
> Ian, who has not phished Stripe users.

Security research is legitimate. The people who created these entities and got these certificates are innocent of any crime. What they are not is immune from reasonable investigation to show this. If someone suggested tomorrow that an EV certificate caused that person to believe that they were at the Stripe site, it would be entirely reasonable for any law enforcement agency or investigator to track down these researchers and ask them to explain why they sought certificates and entity creation that seem engineered to deceive. The matter should resolve when they show legitimate cause. This doesn't mean that they should be given a free pass and ignored if, subsequently, someone phishes a Stripe customer by way of a look-alike entity and cert.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
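The "find the cert or homograph from there" step quoted above, as an added example that is not part of the original post or of any CA or CT-monitor project: given the Subject fields a CT monitor has already pulled out of logged EV certificates, collapse each organisation name to a comparable key (NFKC, a confusables fold, casefold, legal-suffix stripping) and flag entries that collide with the target organisation's key but differ in code points or in jurisdiction. The log entries, serials, issuer names and jurisdictions below are constructed for illustration, and the confusables table is a hand-picked subset of Unicode's confusables.txt, not the full list.

```python
"""Triage CT-logged EV subjects for look-alikes of a target organisation.

Added example for the thread above; not code from the original post or from
any CA/CT project.  Every record below is constructed, not a real log entry.
"""
import re
import unicodedata

# Constructed sample: the Subject fields a CT monitor would extract from EV
# certificates.  Serials, issuers, names and jurisdictions are invented.
SAMPLE_ENTRIES = [
    {"serial": "0a01", "subject_o": "Stripe, Inc.", "jurisdiction": "US-DE", "issuer": "Example CA 1"},
    {"serial": "0a02", "subject_o": "Stripe, Inc", "jurisdiction": "US-KY", "issuer": "Example CA 2"},
    # "Str\u0456pe": the i is Cyrillic U+0456, which renders like Latin i
    {"serial": "0a03", "subject_o": "Str\u0456pe, Inc.", "jurisdiction": "US-DE", "issuer": "Example CA 2"},
    {"serial": "0a04", "subject_o": "Stripe Payments Europe, Ltd.", "jurisdiction": "IE", "issuer": "Example CA 1"},
    {"serial": "0a05", "subject_o": "Example Corp", "jurisdiction": "US-DE", "issuer": "Example CA 1"},
]

# Hand-picked subset of Unicode confusables (Cyrillic/Greek letters that look
# like Latin ones).  A production monitor should load the full confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0415": "E",
}

# Tokens that carry no distinguishing information in an organisation name.
LEGAL_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "corp", "corporation", "co"}


def fold_confusables(name):
    """Map each known confusable code point to the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def skeleton(name):
    """Collapse an organisation name to a key that look-alikes share."""
    s = unicodedata.normalize("NFKC", name)
    s = fold_confusables(s).casefold()
    tokens = re.findall(r"[a-z0-9]+", s)
    tokens = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def find_lookalikes(entries, target_o, target_jurisdiction):
    """Return entries whose subject collides with the target but is not the target.

    A hit needs the same skeleton as the target plus at least one tell:
    different code points (confusables, punctuation or suffix games) or a
    different jurisdiction of incorporation.  An entry identical in both is
    indistinguishable here and has to be resolved via the entity documents.
    """
    target_key = skeleton(target_o)
    target_exact = unicodedata.normalize("NFKC", target_o)
    hits = []
    for e in entries:
        if skeleton(e["subject_o"]) != target_key:
            continue
        reasons = []
        if unicodedata.normalize("NFKC", e["subject_o"]) != target_exact:
            if any(ch in CONFUSABLES for ch in e["subject_o"]):
                reasons.append("confusable characters")
            else:
                reasons.append("punctuation/suffix variant")
        if e["jurisdiction"] != target_jurisdiction:
            reasons.append(f"jurisdiction {e['jurisdiction']} != {target_jurisdiction}")
        if reasons:
            hits.append({"serial": e["serial"], "issuer": e["issuer"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_ENTRIES, "Stripe, Inc.", "US-DE"):
        print(f"serial {hit['serial']} from {hit['issuer']}: {', '.join(hit['reasons'])}")
```

On the constructed sample this flags the Kentucky "Stripe, Inc" (same key, different jurisdiction) and the Cyrillic "Strіpe, Inc." (same key, confusable code points) while leaving the genuine entry and the unrelated "Stripe Payments Europe, Ltd." alone. The serial and issuer of each hit are exactly what the thread's "track to issuer and validation details" step needs next; what the key comparison cannot do is separate two certificates with byte-identical names in the same jurisdiction, which is why the entity document path still has to be chased.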

