On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote:
> On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote:
> > > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy <
> > > dev-security-policy@lists.mozilla.org> wrote:
> > >
> > > > > Could you point to the browsing phishing filters and anti-phishing
> > > > > services that do? It might be an opportunity for you to find out how
> > > > > they deal with this, and report back, so we don't have to presume
> > > > > anything.
> > > >
> > > > Let's hear directly from the experts - can you get someone from Google
> > > > Safe Browsing to post to this list, and then we can all ask him or her
> > > > our questions and get the definitive answers.  Thanks.
> > >
> > >
> > > I think it’s a great idea to hear from the experts!
> > >
> > > So far, it’s hard to tell who they are, because you haven’t been able to
> > > provide any details about who does what you describe. It sounded
> > > initially like a hypothetical, but now that you’ve stated it’s factual,
> > > perhaps you could provide sources? And then ask folks at those
> > > organizations and report back? It seems that you’re passionate about
> > > this, and I can’t think of anyone better suited to demonstrate whether or
> > > not this actually happens than someone as passionate for the truth as
> > > you. I’m sure you’ll be able to find out whether or not the world works
> > > like you described and report back to us all.
> > >
> > > Look forward to hearing more about who actually does this, and how they
> > > solve the very obvious security risks. I’m assuming that if we don’t hear
> > > back, it might mean no one actually does this, or that perhaps no one has
> > > solved these obvious security issues.
> >
> > Uh... Ryan...  some of the experts work down the hall from you.  Google
> > Safe Browsing.  This was the question I posed to you:
> >
> > "Can you get someone from Google Safe Browsing to post to this list, and
> > then we can all ask him or her our questions and get the definitive
> > answers."
> >
> > What is your response?
> >
> 
> Oh, I thought I made it clear, I'm posting in a personal capacity.
> 
> As you're the one making the claim, I was hoping you might demonstrate
> whether there's any truth. I certainly wouldn't want to bother anyone just
> because someone on the Internet said something. I'm sure no one would get
> any work done if they had to respond to everyone who had a half-baked idea
> about how things might work.
> 
> Of course, that also wouldn't help answer the question I asked of you, in
> the context of what you claimed:
> "Could you point to the browsing phishing filters and anti-phishing
> services that do? It might be an opportunity for you to find out how they
> deal with this, and report back, so we don't have to presume anything."
> 
> What is your response?

What the heck does it mean when sometimes you say you are posting "in a 
personal capacity" and sometimes you don't?  To me, it always appears that your 
postings on the Mozilla list are always the same as your postings on the 
CA/Browser Forum list and are always for the purpose of promoting Google's 
policies and objectives.  Is there really a difference?

Ryan, seriously - please (acting in a personal capacity, or in an official 
capacity, you choose) pull in a Google Safe Browsing expert so we can all get 
some answers on this fairly important question - does GSB use any EV 
certificate identity data in its phishing algorithms.  My understanding is that 
the answer is yes, but there is an easy way to confirm that (or change that) by 
talking to a Google Safe Browsing expert, and it's in your hands.

The information I have about use of EV identity data for anti-phishing 
algorithms was all provided in private communications, so I would not be able 
to name any names without permission.  I have already emailed two people about 
this, but if you're not even willing to put this group in contact with GSB or 
provide any information from GSB (either yes or no on whether GSB uses EV cert 
identity information), then I'm not going to bother any further.  Your 
unwillingness to help the group on this list get that information from GSB 
speaks volumes.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
