On 13/12/2017 20:55, Gervase Markham wrote:
On 11/12/17 17:00, Ryan Sleevi wrote:
Fundamentally, I think this is misleading. It presumes that, upon
something bad happening, someone can link it back to that certificate
to link it back to that identity. If I was phished, and entered my
credentials, there's no reason to believe I've maintained the record
details including the phishing link to know I was phished. Are users
supposed to spleunk their HTTP cache or maintain complete archives of
every link they visited, such that they can get the cert back from it
to aid an investigation?
This is something that has always worried me about the EV value
proposition. Even if it worked perfectly, once one has realised one has
been scammed, one would want to find the cert again to know where to
serve the lawsuit papers or send the police. Unless your browser caches
all EV certs for sites you've ever visited in the past month, and
provides some UI for querying that cache, then that's not necessarily
going to be possible. So having the info about the site owner in the
cert isn't actually useful.
CT does address this to a degree, but only to a degree.
In the case of non-phishing frauds, the EV cert and the display of the
company name in the address bar matching the company name on payment
documents (receipts, off-site credit card clearing services etc.) would
serve to verify to the user that the company to sue is the one they
thought they were dealing with, thus reducing this down to the
traditional situation of the victim knowing a-priori who is at fault.
It's the scenario of the user ordering a book from LittleExampleBookshop
(with a green address bar saying "Little Example Books Inc (Virginia,
US)"), but getting a much less valuable book, then wanting to prosecute
Little Example Bookshop for not fulfilling the purchase contract. No
offense meant to any real world bookshop.
Phishing frauds are a different matter, as there it is a matter of
having enough signals that the scammer is not whom they claim to be,
despite lots of flashy claims to the contrary.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
