On 29/08/2019 19:47, Nick Lamb wrote:
> On Thu, 29 Aug 2019 17:05:43 +0200
> Jakob Bohm via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> The example given a few messages above was a different jurisdiction
>> than those two easily duped company registries.
>
> I see. Perhaps Vienna, Austria has a truly exemplary registry when it
> comes to such things. Do you have evidence of that? I probably can't
> read it even if you do.
>

I have no specific knowledge, but Austrians probably do, using empirical data from their life experience and press coverage of all kinds of business and fraud related mischief: Did fraudsters get away with registering misleading company names? Were the registrations revoked by authorities soon after discovery? Was there a serious police effort to prosecute? Same for any other country as known by its citizens.

> But Firefox isn't a Viennese product, it's available all over the
> world. If only some handful of exemplary registries contain trustworthy
> information, you're going to either need to persuade the CAs to stop
> issuing for all other jurisdictions, or accept that it isn't actually
> helpful in general.
>

The point is you keep bringing up examples from exactly two countries in a world with more than 100 countries.

The usefulness of knowing that a Mozilla-accepted and regularly audited CA has confirmed the connection to match a government record in a country ties directly to the trust that people can reasonably attribute to that part of that government. This in turn is approximately the same trust applicable to those government records being reflected in other parts of official life, such as phone books, building permits, business certificates posted in offices, etc. etc. In either case there is some residual risk of fraud, as always.

>> You keep making the logic error of concluding from a few examples to
>> the general.
>
> The IRA's threat to Margaret Thatcher applies:
>
> We only have to be lucky once. You will have to be lucky always.
>
> Crooks don't need to care about whether their crime is "generally"
> possible, they don't intend to commit a "general" crime, they're going
> to commit a specific crime.
>

Almost any anti-crime effort has some probability of success and failure. If a measure would stop the IRA's attacks on Thatcher 99.5% of the time, they would, on average, have to try 100 times to get a 50/50 chance of getting lucky. If another measure takes away another 80% of their chance, she would get 99.9% and so on. At some point her chances became good enough to actually retire and die of old age having accumulated even more enemies.

One of the measures known to have saved her at least once was a number of barriers forcing an IRA rocket attack to fly just far enough to miss. Certainly not a perfect measure, but clearly better than nothing.

>> A user can draw conclusions from their knowledge of the legal climate
>> in a jurisdiction, such as how easy it is to register fraudulent
>> untraceable business names there, and how quickly such fraudulent
>> business registrations are shut down by the legal teams of high
>> profile companies such as MasterCard Inc.
>
> Do you mean knowledge here, or beliefs? Because it seems to me users
> would rely on their beliefs, that may have no relationship whatsoever
> to the facts.
>

Of course they would use their imperfect knowledge (beliefs) about the country they live and survive in. Knowing what kind of official paperwork to trust is a basic life skill in any society with common literacy (illiterates wouldn't be able to read what it says on an official document, nor read the words in a browser UI).

>> That opinion still is lacking in strong evidence of anything but spot
>> failures under specific, detectable circumstances.
>
> We only have to be lucky once.
>

When fighting a wave of similar crimes committed many times, reducing the number of times the criminals get lucky is a win, even if that crime is murder instead of theft.

>> Except that any event allowing a crook to hijack http urls to a
>> domain is generally sufficient for that crook to instantly get and
>> use a corresponding DV certificate.
>
> If the crook hijacks the actual servers, game is over anyway,
> regardless of what type of certificate is used.
>

Hijacking the authorized server is obviously game over.

Hijacking DNS or IP routing in any repeatable manner can be used to get a DV cert, then a bit later presenting that to victim browsers. Of course if the hijack ability happens to not include the view from any of the DV issuing CAs, then that one-two punch fails.

> Domain owners can set CAA (now that it's actually enforced) to deny
> crooks the opportunity from an IP hijack. More sophisticated owners can
> use CAA and DNSSEC to deny crooks the opportunity to use this even
> against a DNS hijack, so that crooks need to attack a registrar or
> registry.
>

DNSSEC, like certificate pinning, is unfortunately designed as a massive footgun, making its use rare. The DNSSEC community has mostly responded by providing non-transparent tools that don't even tell the admin what exactly they do, turning it into an Uzi footgun. So DNS hijacks and/or CAs treating unsigned CAA as blanket permission would be the best option for such attacks. Another option would be whichever DV CA is already used by the real site.

> If the crook only does some sort of IP hijack they need to control the
> IP from the perspective of the issuer as well as from the perspective
> of their target in order to obtain and use a DV certificate with methods
> like 3.2.2.4.6
>

Not at the exact same time though.

> This means small hijacks (e.g. of a single ISP or public access point)
> are unlikely to be effective for obtaining a certificate.
>
> You are correct that a large hijack (e.g. BGP hijack to move an
> entire /24 for most of the Internet to some system you control) would
> work on most domains, BUT this is relatively difficult for an attacker,
> cannot be done silently and is already being addressed by numerous
> initiatives by people over in that community rather than m.d.s.policy
>

A hijack of the ISP access point near the server would do the trick, perhaps by renting a server from that same ISP, or by exploiting a router bug.

>> Yes, I think you have repeatedly used the failures of UK and US
>> company registries as reason to dismiss all other governments.
>
> I don't have examples from other countries either way. I assure you if
> I could say "Oh, in New Zealand it works great" based on solid
> information like a track record of actually prosecuting people who
> make bogus registrations - I'd do that.
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
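The CAA behaviour the thread turns on (an owner-published CAA record denying issuance, a missing CAA being treated as blanket permission, and DNSSEC being what makes a "missing" answer trustworthy) can be made concrete with an added example. It is not code from this thread or from any CA; it is a small Python model of the RFC 8659 relevant-RRset walk run over a constructed in-memory zone instead of live DNS. The domain names (locked.example, pinned.example, strange.example, open.example), the CA identifiers (goodca.example, evilca.example, anyca.example) and the ZONE dictionary are all hypothetical. CNAME/DNAME following, which the RFC also specifies, is omitted to keep the walk readable.

```python
"""Model of the CAA check a CA performs before issuing (RFC 8659), run over a
constructed in-memory zone rather than live DNS.  Added example; not code from
the mailing-list thread or from any CA."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue / issuewild / iodef / any future property name
    value: str   # e.g. "goodca.example", ";" (no issuer at all), "mailto:..."


# Constructed sample zone (hypothetical names, not real DNS data).
ZONE: Dict[str, List[CAA]] = {
    # Deny every CA: an issue property whose issuer domain is empty.
    "locked.example": [CAA(0, "issue", ";")],
    # Only goodca.example may issue; wildcard names are denied entirely.
    "pinned.example": [
        CAA(0, "issue", "goodca.example"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@pinned.example"),
    ],
    # A critical property that no CA understands: must block issuance.
    "strange.example": [CAA(128, "futuretag", "whatever")],
    # open.example publishes no CAA at all (deliberately absent from ZONE).
}


def lookup_caa(name: str) -> List[CAA]:
    """Stand-in for a CAA query; an empty list means NODATA / no such name."""
    return list(ZONE.get(name, []))


def relevant_rrset(name: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: walk from the name toward the root and return the
    first non-empty CAA RRset together with the name it was found at."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup_caa(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuance_permitted(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if ca_domain may issue a certificate for name.

    An empty relevant RRset permits issuance.  That is the "no CAA means
    blanket permission" behaviour discussed in the thread: without DNSSEC a
    CA cannot distinguish a genuinely empty answer from one that was altered
    on the way, which is why CAA alone does not help against a DNS hijack."""
    _, rrset = relevant_rrset(name)
    if not rrset:
        return True
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised property with the critical flag set blocks issuance.
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies.
    records = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not records:
        records = [r for r in rrset if r.tag == "issue"]
    if not records:
        return True   # CAA present but no issue/issuewild property: unrestricted
    for r in records:
        # Value syntax is "<issuer-domain>[; parameters]"; ";" alone = nobody.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False      # non-empty property set and no issuer matched


if __name__ == "__main__":
    for fqdn, ca, wild in [
        ("www.pinned.example", "goodca.example", False),
        ("www.pinned.example", "evilca.example", False),
        ("*.pinned.example", "goodca.example", True),
        ("locked.example", "goodca.example", False),
        ("shop.open.example", "anyca.example", False),
        ("strange.example", "goodca.example", False),
    ]:
        print(f"{fqdn:22} {ca:16} wildcard={wild!s:5} -> "
              f"{issuance_permitted(fqdn, ca, wild)}")
```

The shop.open.example case is the one the thread is really about: with nothing published anywhere up the tree, any CA is permitted, and an attacker who can make the CA's resolver see an empty answer for pinned.example gets the same result. Signing the zone is what turns that empty answer into something the CA can reject as bogus.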