On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
> 
> On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote:
>> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy 
>> wrote:
>>> Why isn’t anyone’s head blowing up over the Let’s Encrypt stats?
>> 
>> Because those stats don't show anything worth blowing up one's head over.  I
>> don't see anything in them that indicates that those 14,000 certificates --
>> or even one certificate, for that matter -- was issued without validating
>> control over the domain name(s) indicated in the certificates.

[PW] Here are some facts from the cybersecurity world - which is completely 
impartial to browser vendors and CAs as well as “HTTPS Everywhere” advocates. 
Security companies only care about the safety and wellbeing of people who use 
the internet - it doesn’t care about personal and emotional feelings in this 
political debate. I have already provided links to every source in previous 
emails. 

93% of breaches start with phishing
Phishing increased by 250% in 2018
Phishing URLs outnumber malicious attachments five to one
91% of all phishing sites have a DV cert
95% of phishing sites with a DV cert come from Let’s Encrypt
Phishing is growing at the same rate as that of Let’s Encrypt
Phishing can only get worse

The data suggests that automatically issued DV certs for free is a favorite for 
criminals. This is 100% because consumers who are aware of the padlock, 
automatically rely on it for trust and assume they can trust the owner.

***This means most breaches happen because people look at the padlock and fall 
for Let’s Encrypt encryption.*** This should, at least, stop everyone in their 
tracks to ask, “How can we encrypt the web while not making it less safe?” If 
not, your motives are all wrong in my opinion. 

If all of this doesn’t paint a bleak picture, I can’t add any more evidence to 
prove that something needs to be done about Let’s Encrypt, as the entire 
initiative is an overall failure in my opinion. While it’s helping to scale 
encryption for a more “private” web, it’s an existential threat to internet 
safety. 

There is a solution to this problem:

Make website identity better so consumers stop relying on the padlock for 
trust. I’ve provided data to demonstrate how this can work. I haven’t received 
any opposing views on my data/findings. And there’s no research to prove 
otherwise. 

If consumers stopped looking at the padlock all of the above would go away - 
until threat actors find another vector. It would introduce other issues to 
address - for example, CAs would need to really tighten up all of their 
processes because threat actors might buy an EV cert if the cost is worth it. 

>> 
> 
> Validation compliance is not the topic of this thread. Stripe Inc was able to 
> get their EV certificate in a compliant way after all. It sounds like since 
> 14k DV certs were issued to phishing sites in a compliant way, everything is 
> a-ok?
> 
> What are your thoughts if those 14k certs were EV? 
> 
>> EV and DV serve different purposes, and while DV is more-or-less solving the
>> problem it sets out to solve, the credible evidence presented shows that EV
>> does not solve any problem that browsers are interested in.
>> 
>>> If people think “EV is broken” they must think DV is stuck in hell with
>>> broken legs.
>> 
>> Alternately, people realise that EV and DV serve different purposes through
>> different methods, and thus cannot be compared in the trivial and flippant
>> way you suggest.
>> 
>> - Matt
> 
> You've mentioned "EV and DV serve different purposes" twice and I think that 
> is misleading. EV requires DV validation as well, and they both serve to 
> authenticate and encrypt. However, EV goes beyond authenticating only the 
> domain name which is where DV stops. EV attempts to bind the domain name to 
> an actual owner. 
> 
> People deploying EV expect to get DV and something more. When the browsers 
> stop displaying the EV UI, it will be indistinguishable from DV on cursory 
> glance. To me, this shows EV and DV serve similar purposes, but EV attempts 
> to go further in the context of authentication.

[PW] Bravo - great reminder. If people dislike the cost, process or timing, 
they should debate those things separately. I personally believe the entire EV 
process can be massively improved with very specific tools and methodologies - 
but that’s for another conversation. This is about Mozilla removing UI instead 
of making it better.

- Paul


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
