On Thu, 29 Aug 2019 17:05:43 +0200 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The example given a few messages above was a different jurisdiction
> than those two easily duped company registries.

I see. Perhaps Vienna, Austria has a truly exemplary registry when it comes to such things. Do you have evidence of that? I probably can't read it even if you do. But Firefox isn't a Viennese product, it's available all over the world. If only some handful of exemplary registries contain trustworthy information, you're going to either need to persuade the CAs to stop issuing for all other jurisdictions, or accept that it isn't actually helpful in general.

> You keep making the logic error of concluding from a few examples to
> the general.

The IRA's threat to Margaret Thatcher applies: We only have to be lucky once. You will have to be lucky always. Crooks don't need to care about whether their crime is "generally" possible, they don't intend to commit a "general" crime, they're going to commit a specific crime.

> A user can draw conclusions from their knowledge of the legal climate
> in a jurisdiction, such as how easy it is to register fraudulent
> untraceable business names there, and how quickly such fraudulent
> business registrations are shut down by the legal teams of high
> profile companies such as MasterCard Inc.

Do you mean knowledge here, or beliefs? Because it seems to me users would rely on their beliefs, that may have no relationship whatsoever to the facts.

> That opinion still is lacking in strong evidence of anything but spot
> failures under specific, detectable circumstances.

We only have to be lucky once.

> Except that any event allowing a crook to hijack http urls to a
> domain is generally sufficient for that crook to instantly get and
> use a corresponding DV certificate.

If the crook hijacks the actual servers, game is over anyway, regardless of what type of certificate is used. Domain owners can set CAA (now that it's actually enforced) to deny crooks the opportunity from an IP hijack.

More sophisticated owners can use CAA and DNSSEC to deny crooks the opportunity to use this even against a DNS hijack, so that crooks need to attack a registrar or registry. If the crook only does some sort of IP hijack they need to control the IP from the perspective of the issuer as well as from the perspective of their target in order to obtain and use a DV certificate with methods like 3.2.2.4.6. This means small hijacks (e.g. of a single ISP or public access point) are unlikely to be effective for obtaining a certificate. You are correct that a large hijack (e.g. BGP hijack to move an entire /24 for most of the Internet to some system you control) would work on most domains, BUT this is relatively difficult for an attacker, cannot be done silently and is already being addressed by numerous initiatives by people over in that community rather than m.d.s.policy.

> Yes, I think you have repeatedly used the failures of UK and US
> company registries as reason to dismiss all other governments.

I don't have examples from other countries either way. I assure you if I could say "Oh, in New Zealand it works great" based on solid information like a track record of actually prosecuting people who make bogus registrations - I'd do that.

Nick.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
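The CAA check that the message above relies on, as an added example that is not part of this thread: the CA-side evaluation per RFC 8659 (tree climbing to the parent, the issue/issuewild property tags, and the empty-issuer "nobody may issue" form) run over a constructed zone. The CA issuer domains and zone contents are made up for illustration.

```python
"""CAA (RFC 8659) issuance check against a constructed zone. A CA runs
this at issuance time, so a crook who briefly hijacks HTTP or DNS for a
domain still cannot obtain a DV certificate from an unauthorized CA."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data for this example (not real DNS). Each owner name
# maps to its CAA RRset as (tag, value) pairs; [] means the name exists
# but carries no CAA records, so the check climbs to the parent.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com.": [("issue", "ca-alpha.example"),
                     ("iodef", "mailto:security@example.com")],
    "blog.example.com.": [],                # inherits example.com. policy
    "shop.example.com.": [("issue", ";")],  # empty issuer: nobody may issue
    "wild.example.com.": [("issue", "ca-alpha.example"),
                          ("issuewild", "ca-beta.example")],
    "open.example.": [],                    # no CAA in the tree at all
}

def relevant_caa_set(domain: str) -> Optional[List[Tuple[str, str]]]:
    """Tree climbing (RFC 8659 s.3): first non-empty CAA RRset found at the
    domain or any parent, or None if the whole chain has none."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = CONSTRUCTED_ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return None

def _issuer_domain(value: str) -> str:
    # Value is "<issuer-domain>[; param=value ...]"; a bare ";" names no CA.
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(name: str, ca_issuer_domain: str) -> bool:
    """True if the CA identified by ca_issuer_domain may issue for name;
    a wildcard name such as '*.example.com' is handled per s.4.3."""
    wildcard = name.startswith("*.")
    domain = name[2:] if wildcard else name
    rrset = relevant_caa_set(domain)
    if rrset is None:
        return True   # no CAA anywhere in the chain: no restriction
    tags = {tag for tag, _ in rrset}
    # issuewild governs wildcard names when present; otherwise issue does.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True   # RRset has no relevant property (e.g. only iodef)
    allowed = {_issuer_domain(v) for t, v in rrset if t == tag}
    return ca_issuer_domain.lower() in allowed
```

The check only restrains a CA whose resolver sees the owner's real records, which is why the message pairs CAA with DNSSEC for the DNS-hijack case: a CA that validates DNSSEC will refuse to issue rather than trust a forged empty answer.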