On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
> On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
>> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
>>> Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
>>> using an EV SSL in conjunction with a domain name and website with the true
>>> intent to dupe potential customers is another matter. I'm trying to get past
>>> the theoretical and get to real world instances.
>> I don't understand the idea that the Stripe proof-of-concept is
>> "theoretical". We know that phishing is epidemic, and we also know that
>> phishers presently need -- at most -- a DV cert. The POC shows that --
>> should something cause phishers to need an EV cert -- they can also get
>> one of those quickly and inexpensively. But why would a phisher bother
>> with an EV cert if a DV cert works just as well?
> The important question is: can they get this without making themselves easily
> traceable?
> Sure, I can register a company and get an EV certificate for that company. But
> can I do this completely anonymously, like getting a DV cert?
>
> How long do you think it would have taken for the police to come and get Ian
> Carroll if he'd actually committed fraud?

Probably years, if ever, particularly if he lived in a subpoena-haven like Russia. My impression (as a U.S. citizen) is that U.S. police don't take online crimes seriously, and neither does the federal government. This idea is supported by the enormous amount of phishing and other online frauds in the U.S. My email client flags several new phishes/frauds each day. True, there has been a bit of action about the online crimes that subverted U.S. elections in 2016, but that's an unusual exception to the rule. Russia is, of course, refusing to extradite the people that Sp. Counsel Mueller indicted.

> ...What I propose is for mozilla to not say "Fuck it, it's not working, just remove
> it!" but instead try to focus on finding a better UX solution to the problem that
> end users are not aware if a site that should have an EV certificate is not presenting
> one.

I think this is a reasonable idea, particularly the last clause. I am not against EV, but neither am I convinced of its usefulness.

-R
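The UX idea under discussion (warn the user when a site that should present EV is presenting something weaker) rests on how a client tells EV from DV at all: the CA/Browser Forum policy OID carried in the certificate's certificatePolicies extension (EV is 2.23.140.1.1, DV is 2.23.140.1.2.1). The Python below is an added example written for this page, not code from the list, from Mozilla or from Ian Carroll's proof of concept. The CA-specific policy OID 1.3.6.1.4.1.99999.1.1, the CPS URL, the host bank.example and the expected-EV allow-list are constructed placeholders, and the two sample extension values are built in the block rather than taken from real certificates.

```python
"""Decide from a certificate's certificatePolicies extension whether it asserts the
CA/Browser Forum EV policy, and flag hosts expected to present EV that do not.
Pure stdlib; the DER handling covers only what this extension needs."""
from typing import Iterator, List, Optional, Tuple

# CA/Browser Forum reserved certificate policy OIDs.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # PolicyQualifierId for a CPS URI (RFC 5280)

TAG_SEQUENCE, TAG_OID, TAG_IA5STRING = 0x30, 0x06, 0x16


# --- minimal DER encoder, used only to construct the sample extensions below ---
def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _der(TAG_OID, body)

def cert_policies(*policies: Tuple[str, Optional[str]]) -> bytes:
    """DER certificatePolicies value: SEQUENCE OF PolicyInformation, each given as
    (policyIdentifier, optional CPS URI qualifier)."""
    infos = b""
    for oid, cps in policies:
        info = encode_oid(oid)
        if cps is not None:
            qualifier = _der(TAG_SEQUENCE, encode_oid(ID_QT_CPS)
                             + _der(TAG_IA5STRING, cps.encode("ascii")))
            info += _der(TAG_SEQUENCE, qualifier)        # policyQualifiers SEQUENCE OF
        infos += _der(TAG_SEQUENCE, info)
    return _der(TAG_SEQUENCE, infos)


# --- decoder: what a client has to do with the extension it receives ---
def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("DER element overruns buffer")
    return tag, data[pos:end], end

def der_children(data: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value

def decode_oid(raw: bytes) -> str:
    arcs, value, pending = [], 0, False
    for b in raw:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def policy_oids(extension_value: bytes) -> List[str]:
    tag, body, end = _read_tlv(extension_value, 0)
    if tag != TAG_SEQUENCE or end != len(extension_value):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids = []
    for tag, info in der_children(body):
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_raw, _ = _read_tlv(info, 0)         # qualifiers after the OID are ignored
        if oid_tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_raw))
    return oids

def validation_level(oids: List[str]) -> str:
    """Browsers also recognise per-CA EV OIDs bound to specific roots; this example
    honours only the CA/B Forum OID."""
    if CABF_EV in oids:
        return "EV"
    if CABF_OV in oids or CABF_IV in oids:
        return "OV"
    if CABF_DV in oids:
        return "DV"
    return "unknown"

# Hypothetical allow-list of hosts the user expects to present EV (constructed).
EXPECTED_EV = {"bank.example"}

def ev_downgrade_warning(host: str, oids: List[str], expected_ev=EXPECTED_EV) -> Optional[str]:
    level = validation_level(oids)
    if host in expected_ev and level != "EV":
        return f"{host}: expected EV but certificate asserts {level}"
    return None

# Constructed sample extensions (not taken from real certificates).
EV_POLICIES = cert_policies(("1.3.6.1.4.1.99999.1.1", None),      # CA-specific OID plus
                            (CABF_EV, "http://cps.example"))        # the CA/B Forum EV OID
DV_POLICIES = cert_policies((CABF_DV, "http://cps.example"))

if __name__ == "__main__":
    for name, ext in (("EV", EV_POLICIES), ("DV", DV_POLICIES)):
        print(name, policy_oids(ext), ev_downgrade_warning("bank.example", policy_oids(ext)))
```

Two caveats a practitioner would add. First, a real browser does not accept 2.23.140.1.1 from any chain; it matches the asserted OID against a list of EV-enabled roots, so the check above is the OID half of the decision only. Second, the warning fires on a downgrade from an expected EV site to DV, which is exactly the signal the proposal asks for, but it says nothing about whether the legal entity named in an EV certificate is the one the user has in mind, which is the thread's point about the Stripe proof of concept.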

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
