On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
> On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
>> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
>>> Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
>>> using an EV SSL in conjunction with a domain name and website with the true
>>> intent to dupe potential customers is another matter. I'm trying to get past
>>> the theoretical and get to real world instances.
>> I don't understand the idea that the Stripe proof-of-concept is
>> "theoretical". We know that phishing is epidemic, and we also know that
>> phishers presently need -- at most -- a DV cert. The POC shows that --
>> should something cause phishers to need an EV cert -- they can also get
>> one of those quickly and inexpensively. But why would a phisher bother
>> with an EV cert if a DV cert works just as well?
> The important question is: can they get this without making themselves easily
> traceable?
> Sure, I can register a company and get an EV certificate for that company. But
> can I do this completely anonymously, like getting a DV cert?
> How long do you think it would have taken for the police to come and get Ian
> Carroll if he'd actually committed fraud?
Probably years, if ever, particularly if he lived in a subpoena-haven
like Russia. My impression (as a U.S. citizen) is that U.S. police don't
take online crimes seriously, and neither does the federal government.
This idea is supported by the enormous amount of phishing and other
online frauds in the U.S. My email client flags several new
phishes/frauds each day. True, there has been a bit of action about the
online crimes that subverted U.S. elections in 2016, but that's an
unusual exception to the rule. Russia is, of course, refusing to
extradite the people that Sp. Counsel Mueller indicted.
> ...What I propose is for Mozilla to not say "Fuck it, it's not working, just remove
> it!" but instead try to focus on finding a better UX solution to the problem that
> end users are not aware if a site that should have an EV certificate is not presenting
> one.
I think this is a reasonable idea, particularly the last clause. I am
not against EV, but neither am I convinced of its usefulness.
-R
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy