On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy wrote:
>
> On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote:
>> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy
>> wrote:
>>> Why isn’t anyone’s head blowing up over the Let’s Encrypt stats?
>>
>> Because those stats don't show anything worth blowing up one's head over. I
>> don't see anything in them that indicates that those 14,000 certificates --
>> or even one certificate, for that matter -- was issued without validating
>> control over the domain name(s) indicated in the certificates.
[PW] Here are some facts from the cybersecurity world - which is completely impartial to browser vendors and CAs as well as “HTTPS Everywhere” advocates. Security companies only care about the safety and wellbeing of people who use the internet - they don’t care about personal and emotional feelings in this political debate. I have already provided links to every source in previous emails.

93% of breaches start with phishing
Phishing increased by 250% in 2018
Phishing URLs outnumber malicious attachments five to one
91% of all phishing sites have a DV cert
95% of phishing sites with a DV cert come from Let’s Encrypt
Phishing is growing at the same rate as that of Let’s Encrypt
Phishing can only get worse

The data suggests that automatically issued DV certs for free are a favorite for criminals. This is 100% because consumers who are aware of the padlock automatically rely on it for trust and assume they can trust the owner.

***This means most breaches happen because people look at the padlock and fall for Let’s Encrypt encryption.***

This should at least stop everyone in their tracks to ask, “How can we encrypt the web while not making it less safe?” If not, your motives are all wrong in my opinion.

If all of this doesn’t paint a bleak picture, I can’t add any more evidence to prove that something needs to be done about Let’s Encrypt, as the entire initiative is an overall failure in my opinion. While it’s helping to scale encryption for a more “private” web, it’s an existential threat to internet safety.

There is a solution to this problem: Make website identity better so consumers stop relying on the padlock for trust. I’ve provided data to demonstrate how this can work. I haven’t received any opposing views on my data/findings. And there’s no research to prove otherwise. If consumers stopped looking at the padlock all of the above would go away - until threat actors find another vector.
It would introduce other issues to address - for example, CAs would need to really tighten up all of their processes because threat actors might buy an EV cert if the cost is worth it.

>>
>
> Validation compliance is not the topic of this thread. Stripe Inc was able to
> get their EV certificate in a compliant way after all. It sounds like since
> 14k DV certs were issued to phishing sites in a compliant way, everything is
> a-ok?
>
> What are your thoughts if those 14k certs were EV?
>
>> EV and DV serve different purposes, and while DV is more-or-less solving the
>> problem it sets out to solve, the credible evidence presented shows that EV
>> does not solve any problem that browsers are interested in.
>>
>>> If people think “EV is broken” they must think DV is stuck in hell with
>>> broken legs.
>>
>> Alternately, people realise that EV and DV serve different purposes through
>> different methods, and thus cannot be compared in the trivial and flippant
>> way you suggest.
>>
>> - Matt
>
> You've mentioned "EV and DV serve different purposes" twice and I think that
> is misleading. EV requires DV validation as well, and they both serve to
> authenticate and encrypt. However, EV goes beyond authenticating only the
> domain name, which is where DV stops. EV attempts to bind the domain name to
> an actual owner.
>
> People deploying EV expect to get DV and something more. When the browsers
> stop displaying the EV UI, it will be indistinguishable from DV on cursory
> glance. To me, this shows EV and DV serve similar purposes, but EV attempts
> to go further in the context of authentication.

[PW] Bravo - great reminder. If people dislike the cost, process or timing, they should debate those things separately. I personally believe the entire EV process can be massively improved with very specific tools and methodologies - but that’s for another conversation. This is about Mozilla removing UI instead of making it better.
- Paul

>
> _______________________________________________
> dev-security-policy mailing list
> https://lists.mozilla.org/listinfo/dev-security-policy