> On Oct 9, 2019, at 4:19 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> 
> Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> 
> writes:
> 
>> The data suggests that automatically issued DV certs for free is a favorite
>> for criminals.
> 
> True, but that one's just an instance of Sutton's Law, they go for those
> because they're the least effort.  I was at a talk yesterday by a pen-tester
> who talked about phishing CEOs and the like and a throwaway comment he used at
> one point was "we got a cert [for their phishing site] from Let's Encrypt". It
> was completely casual, just a built-in part of the process, because the years
> of training people to look for the padlock/ green bar/dancing unicorns means
> that that's what the bad guys do to make the phish look more convincing. If
> Let's Encrypt didn't exist, the phrase would have been "we bought a cheap cert
> from GoDaddy".  If browsers only allowed EV certs, it would have been "we
> bought an EV cert through a shell corporation" or "... from an underground
> market”.

I don’t disagree with any of this. But you’re responding to one point I made. 
When it’s taken in context of other points it has more meaning. I’ll even add 
to it Peter to further your point and my support for it… If every mainstream 
browser implemented a great icon for website identity and almost all consumers 
relied on it, the risk of EV certs being obtained by threat actors would 
increase. This is why I have also said that I think CAs would need to “tighten 
up their belts” when it comes to their processes for verification and 
revocation. 

My point still stands in regards to the need for new UI for website identity 
because everyone relies on the lock on dangerous websites. 

Right now, there is *NO* bar for criminals - zero. We’ve done the opposite to 
what we could have done with email spam decades ago - charge such a small 
amount to send an email that it would increase the cost of spam. Not saying it 
would work but you get my point. 

> 
> Point is, once you've got some universally-recognised signalling mechanism
> that a site is OK, it'll be used by the bad guys to make their attacks totally
> convincing, whether it's DV certs, EV certs, free certs, expensive certs, or
> whatever.

I agree. But also Peter, there are new blockchain-based solutions for “KYC” 
(know your customer) that can be used in conjunction with existing processes, 
couple with a few additional techniques. I’d do this if I were running a CA 
that charges for website identity, but I don’t. 

> 
>> I can’t add any more evidence to prove that something needs to be done about
>> Let’s Encrypt as an entire initiative is an overall failure in my opinion.
> 
> It's actually been phenomenally successful.  Browsers won't allow you to
> encrypt a connection without a certificate, and Let's Encrypt enables that. It
> hands out magic tokens to turn on encryption in browsers, nothing more,
> nothing less, and it's been very successful at that.

Perhaps you can comment on the cost of this greatness? I’ve cited a lot of 
stats that suggest everyone has a friend, colleague or family member who has 
been  victim of an attack of some kind, either directly or indirectly thanks to 
Let’s Encrypt SSL certificates - notwithstanding everything we agree on above. 
I have personally spoken to people who have lost their entire lifes savings in 
a phishing attack because they relied on the padlock - which almost certainly 
was issued by Let’s Encrypt - who could have had checks to reduce the risk - 
not necessarily completely mitigate it. 

Right now they do absolutely nothing in the same way 4chan and 8chan were 
amazing for freedom of speech but... That’s not ok. We all have an obligation 
to try to reduce the risk of our technology being used for bad. Now we’re down 
the rabbit hole of another topic - but it is important to discuss as it gets to 
the heart of the lack of research by anyone who is advocating for HTTPS 
EVERYWHERE and the negative impact it’s having thanks to the lack of UI for 
website identity. 

- Paul


> 
> Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to