On Wed, Dec 13, 2017 at 4:14 PM, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote:
> > > > Not really - what matters is that the user insists they got had via a
> > > > phishing link or other process - that can certainly be verified after
> > > > the fact
> > >
> > > No.
>
> Why's that? This is how investigations begin.

I think you're operating on a somewhat reductionist view that doesn't align with the real world experiences of users. That's not to say it doesn't make a good narrative, and one that conceivably could happen, but it doesn't align with the common cause. An example that I admit is contrived, but no more than I think your original case was, is a user on an ephemeral messaging app receiving a link. No 'investigation' can happen because that message is no longer available. You can replace this with "I deleted the email after I got hacked" or "I think I clicked on something, I'm not sure" (such as a banner ad).

Further, fraud itself is based on cost. The investigatory cost of finding 'what' hacked the user and 'when' is a profoundly expensive case, and thus the cost of doing that (routinely) versus the cost of eating the fraud and/or shifting the liability quickly is the attractive cost. This is no different than the real-world where storefronts build in models for 'loss' (that is, shoplifting), because the cost to the brand and the store to aggressively police such quickly outweighs the potential losses.

> I'm confused. I never suggested that the user's assertion that they saw
> this would cause any change in liability. In fact, anyone responsible
> would explain that to the user even as the user tries to report it. The
> value would be that if the certificate that managed to sway the user can be
> found and tracked down (which should be possible via CT), the possibility
> exists that the person(s) responsible for the deception may ultimately be
> caused to suffer for their deception.

The problem is that you are shifting the liability to the user, but may not be realizing it. Your presumed model is that the information that swayed the user was correct and accurate to the extent the user was fooled. Yet there's no reason to believe the user checked for "Stripe, Inc [US]", they could have just looked for "Striping, Inc [US]" and not realized the confusion. I also think you're unrealistically relying on CT to detect what you believe may be modeled as fraud (expecting, I presume, something similar to Ian's level of attack), whereas I'm saying even at the most bare minimum, this doesn't functionally mitigate, because it's still assuming the user has checked the URL bar to ensure there's enough similarity such that you would be able to, with some model (ML? what) detect other certs that 'maybe' were involved - but you can't be sure, since Ian's "Stripe, Inc" is a fully legitimate certificate, so you don't *know* he was involved.

> One should presume that if the EV presented certificate confused the user
> who relied upon it into thinking they were dealing with a particular party,
> that the contents should contain sequences or homograph sequences that
> closely mirror what the real site would indicate.

But there's the rub - for EV to be valuable, you're saying the responsibility *is* on the user to do *at minimum* that level of checking. If they haven't, then you can't link - because you can't expect that it will contain sequences or homoglyphs or homographs that are similar. It could just be "J Random EV" cert. That's what I mean by shifting the liability - in order for there to be any investigation, the user must have been perfect, 100% of the time, *and* the attacker must not have exploited any of the technical means mentioned.

> Security research is legitimate. The people who created these entities
> and got these certificates are innocent of any crime. What they are not is
> immune from reasonable investigation to show this.

Yes. They are.

> If someone suggested tomorrow that an EV certificate caused that person to
> believe that they were at the Stripe site, it would be entirely reasonable
> for any law enforcement agency or investigator to track down these
> researchers and ask them to explain why they sought certificates and entity
> creation that seem engineered to deceive.

No. It wouldn't. Innocence until proven guilty is a virtue, and at least in the context of EV certificates, there is zero legitimate reason to be suspicious. Under that model, it becomes quite easy to harass competitors, for example. This is why complex processes exist (e.g. the WIPO process).

> The matter should resolve when they show legitimate cause. This doesn't
> mean that they should be given a free pass and ignored, if subsequently,
> someone phishes a Stripe customer by way of a look-alike entity and cert.

No, this is an entirely unreasonable burden, and rather antithetical to good governance. That said, I understand it may be a position you hold, but I find it eminently disagreeable, and so if the value of EV is predicated on 'the strong can bully the weak', then it's deeply unsavory.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy