On 29/08/2019 10:58, Nick Lamb wrote:
> On Wed, 28 Aug 2019 11:51:37 -0700 (PDT)
> Josef Schneider via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> Not legally probably and this also depends on the jurisdiction. Since
>> an EV cert shows the jurisdiction, a user can draw conclusions from
>> that.
> Yes it is true that crimes are illegal. This has not previously stopped
> criminals, and I think your certainty that it will now is misplaced.
> What conclusions would you draw from the fact that the jurisdiction is
> the United Kingdom of Great Britain and Northern Ireland? Or the US
> state of Delaware ?
> Those sound fine right? Lots of reputable businesses?
> Yes, because those are great places to register a business,
> tremendously convenient. They have little if any regulation on
> registering businesses, light touch enforcement and they attract a
> modest fee for each one.
> This is of course also exactly the right environment for crooks.

The example given a few messages above was a different jurisdiction than 
those two easily duped company registries.

You keep making the logic error of concluding from a few example to the 

A user can draw conclusions from their knowledge of the legal climate in 
a jurisdiction, such as how easy it is to register fraudulent 
untraceable business names there, and how quickly such fraudulent 
business registrations are shut down by the legal teams of high profile 
companies such as MasterCard Inc.

Such knowledge can be expected to be greater among residents of said 
jurisdiction, who may also be in a much better position to recognize 
that an address is a building site, the city stadium etc.

>> But removing the bar is also not the correct solution. If you find
>> out that the back door to your house is not secured properly, will
>> you remove the front door because it doesn't matter anyway or do you
>> strengthen the back door?
> Certainly if crooks are seen to walk in through the back door and none
> has ever even attempted to come through the upstairs windows, it is
> strange to insist that removing the bars from your upstairs windows to
> let in more light makes the house easier to burgle.

None attempting to enter through the visibly barred window says nothing 
about how many turned away when seeing the bars.  Nor does it say 
anything about which other measures have been taken to deal with the 
known problems of the back door (Maybe they make a habit of blocking the 
door between the back entrance and the stairwell whenever leaving the 

>> The current
>> EV validation information in the URL works and is helpful to some
>> users (maybe only a small percentage of users, but still...)
> Is it helpful, or is it misleading? If you are sure it's helpful, and
> yet as we saw above you don't really understand the nuances of what
> you're looking at (governments are quite happy to collect business
> registration fees from crooks) then I'd say that means it's misleading.

You presume government failures in some jurisdictions imply such 
failures everywhere.  Some jurisdictions require various economic 
assurances of registered companies, often tiered by the desired level of 
incorporation.  Some require a known arrestable citizen or liability 
insured public accountant to securely sign off on the registration.

>> EV certificates do make more assurances about the certificate owner
>> than DV certificates. This is a fact. This information can be very
>> useful for someone that understands what it means. Probably most
>> users don't understand what it means. But why not improve the display
>> of this valuable information instead of hiding it?
> The information is valuable to my employer, which does with it
> something that is useless to Mozilla's users and probably not in line
> with what EV certificate purchasers were intending, but I'm not on
> m.d.s.policy to speak for my employer, and they understood that
> perfectly well when they hired me.
> In my opinion almost any conceivable display of this information is
> likely to mislead users in some circumstances and bad guys are ideally
> placed to create those circumstances. So downgrading the display is a
> reasonable choice especially when screen real estate is limited.

That opinion still is lacking in strong evidence of anything but spot 
failures under specific, detectable circumstances.

>> Certificates cannot magically bring security. Certificates are about
>> identity. But the fact that the owner of the website somebank.eu is
>> the owner of the domain somebank.eu is not that helpful in
>> determining the credibility.
> If I process a link (as browsers do many times in constructing even
> trivial web pages these days) then this assures me it actually links to
> what was intended.
> This is enough to bootstrap WebAuthn (unphishable second factor
> credentials) and similar technologies, to safeguard authentication
> cookies and sandbox active code inside an eTLD+1 or narrower. All very
> useful even though the user isn't aware of them directly.
> For end users it means bookmarks they keep and links they follow from
> outside actually lead where they should, and not somewhere else as
> would trivially happen without this verification.

Except that any event allowing a crook to hijack http urls to a domain 
is generally sufficient for that crook to instantly get and use a 
corresponding DV certificate.

>> But the information that the owner of
>> somebank.eu is a incorporated company from Germany officially called
>> "Somebank AG" is more valuable. Maybe some people don't care and
>> enter their account data happily at s0m1b4nk.xyz, maybe most people
>> do. We don't know and we probably can't know how many people stopped
>> and thought if they are actually at the correct website because the
>> green bar was missing. But I am certain that it was more than zero.
> Why are you certain of this? Just gut feeling?

There is a plausible reason why it can happen, and a sufficiently large 
volume of global web traffic that anything possible will have most 
likely happened.

The surprise nature of this change has given researchers insufficient 
time to do large scale measurements before you remove the object to be 

>> Why not for example always open a small overlay with information when
>> someone starts entering data in a password field? Something like "You
>> are entering a password at web.page. You visited this page 5 times
>> before, first on August 4th 2019. We don't know anything about the
>> owner" or for EV "You are entering a password at web.page. You
>> visited this page 5 times before, first on August 4th 2019. This
>> server is run by "WebPage GmbH" from Vienna, Austria [fancy flag
>> picture]".

Anything inside the viewing frame belongs to the website and can be 
trivially spoofed with identically looking HTML.  Any indication of the 
trustworthiness of the content source needs to be in the screen areas 
exclusively belonging to the browser, browser plugins and other trusted 

This is the basic inside/outside barrier studied by philosophers and 
psychiatrists for more than a century, and instinctive in most human 

> This server is run by "Authorised Web Site" from London, UK [Union
> flag].
> Sounds legitimate.
> Remember, the British government doesn't care that Authorised Web Site
> is a stupid name for a company, that its named officers are the
> characters in Toy Story, that its claimed offices are a building site,
> nor even that it has never filed (and never will file) any business
> accounts. They collected their registration fee and that's all they
> ever cared about.

Yes, I think you have repeatedly used the failures of UK and US company 
registries as reason to dismiss all other governments.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 
dev-security-policy mailing list

Reply via email to