Disclaimer: I work for Mozilla, but not on certificate policy. This is a personal observation.
On Thu, Sep 8, 2022 at 3:08 AM Michel Le Bihan <[email protected]> wrote:

> A user visiting the website of a fake shop could check the certificate and
> if they don't know what Cloudflare is, they could believe that the shop is
> operated by an existing company registered in the US and therefore trust
> the (fake) shop.

On the other hand, if it didn't say "Cloudflare" people might think they --were-- talking directly to the shop, and they are not. They are talking to a Cloudflare server which could do anything at all with the traffic before passing it along. You need to know it's Cloudflare before you even realize you're trusting a proxy to faithfully transmit the traffic.

Besides, all the shop's actual certificate proves is that they were able to get a certificate for that domain. It does not mean you can trust the shop because it could well be fake either way.

> A user on a phishing site targeting Cloudflare could check the
> certificate, see Cloudflare in the subject and believe it to be an official
> Cloudflare website.

That's a problem for Cloudflare to worry about. They *do* put "sni.cloudflaressl.com" in the common name which does not match the domain you've reached and should be a clue.

> A user using a website that is using Cloudflare proxy could check the
> certificate and remember that it has Cloudflare in the subject. Then when
> he will be on a phishing website, he will check the certificate subject,
> see the same value and believe it to be operated by the same entity and
> enter his credentials.

Couldn't you say the same about any other cert? One day you go to https://mozllla.org by mistake, and when you look at the certificate the common name matches that and there's no Subject Name at all -- like most certs. Other than giving you a second chance to catch the typo, how does that help protect against phishing?

Actually, if you go to the real https://www.mozilla.org and look at the cert it will say "www.mozilla.moz.works" which looks totally fake.

Names are a terrible basis for trust.

> ... or various recommendations explaining how to check certificate details
> to assess whether a website is trustworthy should be changed.

What recommendations are those? You can't judge whether a site is trustworthy or not by its certificate. Scammers get certificates all the time. "Legitimate" companies pay huge fines for having defrauded the public all the time.

I take your point that it wouldn't hurt if they picked a more descriptive name. On the other hand, if someone is trying to trust a site "by name" I'd expect them to look up the name and find out what "Cloudflare, Inc" does. Either way it doesn't seem like a policy issue that this group deals with.

-Dan Veditz
