> On Oct 9, 2019, at 4:19 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> Paul Walsh via dev-security-policy <email@example.com> writes:
>
>> The data suggests that automatically issued DV certs for free is a favorite
>> for criminals.
>
> True, but that one's just an instance of Sutton's Law, they go for those
> because they're the least effort. I was at a talk yesterday by a pen-tester
> who talked about phishing CEOs and the like and a throwaway comment he used at
> one point was "we got a cert [for their phishing site] from Let's Encrypt". It
> was completely casual, just a built-in part of the process, because the years
> of training people to look for the padlock/green bar/dancing unicorns means
> that that's what the bad guys do to make the phish look more convincing. If
> Let's Encrypt didn't exist, the phrase would have been "we bought a cheap cert
> from GoDaddy". If browsers only allowed EV certs, it would have been "we
> bought an EV cert through a shell corporation" or "... from an underground
> market".

I don't disagree with any of this. But you're responding to one point I made. When it's taken in context of other points it has more meaning. I'll even add to it, Peter, to further your point and my support for it...

If every mainstream browser implemented a great icon for website identity and almost all consumers relied on it, the risk of EV certs being obtained by threat actors would increase. This is why I have also said that I think CAs would need to "tighten up their belts" when it comes to their processes for verification and revocation.

My point still stands in regards to the need for new UI for website identity because everyone relies on the lock on dangerous websites. Right now, there is *NO* bar for criminals - zero. We've done the opposite of what we could have done with email spam decades ago - charge such a small amount to send an email that it would increase the cost of spam. Not saying it would work but you get my point.

> Point is, once you've got some universally-recognised signalling mechanism
> that a site is OK, it'll be used by the bad guys to make their attacks totally
> convincing, whether it's DV certs, EV certs, free certs, expensive certs, or
> whatever.

I agree. But also, Peter, there are new blockchain-based solutions for "KYC" (know your customer) that can be used in conjunction with existing processes, coupled with a few additional techniques. I'd do this if I were running a CA that charges for website identity, but I don't.

>> I can't add any more evidence to prove that something needs to be done about
>> Let's Encrypt as an entire initiative is an overall failure in my opinion.
>
> It's actually been phenomenally successful. Browsers won't allow you to
> encrypt a connection without a certificate, and Let's Encrypt enables that. It
> hands out magic tokens to turn on encryption in browsers, nothing more,
> nothing less, and it's been very successful at that.

Perhaps you can comment on the cost of this greatness?

I've cited a lot of stats that suggest everyone has a friend, colleague or family member who has been the victim of an attack of some kind, either directly or indirectly thanks to Let's Encrypt SSL certificates - notwithstanding everything we agree on above. I have personally spoken to people who have lost their entire life's savings in a phishing attack because they relied on the padlock - which almost certainly was issued by Let's Encrypt - who could have had checks to reduce the risk - not necessarily completely mitigate it. Right now they do absolutely nothing, in the same way 4chan and 8chan were amazing for freedom of speech but... That's not ok. We all have an obligation to try to reduce the risk of our technology being used for bad.

Now we're down the rabbit hole of another topic - but it is important to discuss as it gets to the heart of the lack of research by anyone who is advocating for HTTPS EVERYWHERE and the negative impact it's having thanks to the lack of UI for website identity.

- Paul

> Peter.

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy