This discussion is a prime example of why OV / EV TLS certificates should be phased out. They are promising more to the end user than they can deliver and the community wasn't able to make them truly work in 25 years…
/Rufus

From: [email protected] <[email protected]> On Behalf Of Daniel Veditz
Sent: Thursday, 8 September 2022 23:45
To: Michel Le Bihan <[email protected]>
Cc: [email protected]
Subject: Re: Certificates with Cloudflare, Inc. in subject

Disclaimer: I work for Mozilla, but not on certificate policy. This is a personal observation.

On Thu, Sep 8, 2022 at 3:08 AM Michel Le Bihan <[email protected]> wrote:

> A user visiting the website of a fake shop could check the certificate and if they don't know what Cloudflare is, they could believe that the shop is operated by an existing company registered in the US and therefore trust the (fake) shop.

On the other hand, if it didn't say "Cloudflare" people might think they --were-- talking directly to the shop, and they are not. They are talking to a Cloudflare server which could do anything at all with the traffic before passing it along. You need to know it's Cloudflare before you even realize you're trusting a proxy to faithfully transmit the traffic. Besides, all the shop's actual certificate proves is that they were able to get a certificate for that domain. It does not mean you can trust the shop because it could well be fake either way.

> A user on a phishing site targeting Cloudflare could check the certificate, see Cloudflare in the subject and believe it to be an official Cloudflare website.

That's a problem for Cloudflare to worry about. They *do* put "sni.cloudflaressl.com" in the common name which does not match the domain you've reached and should be a clue.

> A user using a website that is using Cloudflare proxy could check the certificate and remember that it has Cloudflare in the subject. Then when he is on a phishing website, he will check the certificate subject, see the same value and believe it to be operated by the same entity and enter his credentials.

Couldn't you say the same about any other cert? One day you go to https://mozllla.org by mistake, and when you look at the certificate the common name matches that and there's no Subject Name at all -- like most certs. Other than giving you a second chance to catch the typo, how does that help protect against phishing? Actually, if you go to the real https://www.mozilla.org and look at the cert it will say "www.mozilla.moz.works" which looks totally fake. Names are a terrible basis for trust.

> ... or various recommendations explaining how to check certificate details to assess whether a website is trustworthy should be changed.

What recommendations are those? You can't judge whether a site is trustworthy or not by its certificate. Scammers get certificates all the time. "Legitimate" companies pay huge fines for having defrauded the public all the time.

I take your point that it wouldn't hurt if they picked a more descriptive name. On the other hand, if someone is trying to trust a site "by name" I'd expect them to look up the name and find out what "Cloudflare, Inc" does. Either way it doesn't seem like a policy issue that this group deals with.

-Dan Veditz

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADYDTCCXUm_P0x%2BnUHAcVEh_gHS8JXvoeh3Skd3nRH9kv5gZkA%40mail.gmail.com.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/AM8PR10MB465883EE6AE2A736E702E6259E439%40AM8PR10MB4658.EURPRD10.PROD.OUTLOOK.COM.
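The point both messages turn on, that a browser validates the hostname against the SAN extension and never against the CN or the organisation field, can be checked directly. The following is an added example written for this page, not code from Dan Veditz, Cloudflare or Mozilla. It uses Go's crypto/x509 as a stand-in for browser name matching, constructs two throwaway self-signed certificates in the shapes the thread describes (a proxy certificate with "Cloudflare, Inc." in the subject and "sni.cloudflaressl.com" as CN, and a DV certificate for a look-alike name with no organisation at all), and shows what each actually proves. "shop.example" is an assumed placeholder customer domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed leaf certificate with the given subject and SAN
// list. Constructed purely for illustration: the key is throwaway and nothing
// here is a real Cloudflare, Mozilla or CA-issued certificate.
func makeCert(subject pkix.Name, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames, // becomes the subjectAltName extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProxyCert models the shape discussed in the thread: an organisation in the
// subject, a CN that matches no site a user would type, and the customer's
// names only in the SAN. "shop.example" is an assumed placeholder domain.
func ProxyCert() (*x509.Certificate, error) {
	return makeCert(
		pkix.Name{Organization: []string{"Cloudflare, Inc."}, CommonName: "sni.cloudflaressl.com"},
		[]string{"shop.example", "*.shop.example"},
	)
}

// DVCert models a typical domain-validated certificate for a look-alike
// domain: no organisation at all, just the DNS name the requester controlled.
func DVCert() (*x509.Certificate, error) {
	return makeCert(pkix.Name{CommonName: "mozllla.org"}, []string{"mozllla.org"})
}

// HostMatches reports whether a browser-style hostname check accepts cert for
// host. Go's VerifyHostname, like current browsers, matches against the SAN
// extension only and never consults the CN, so a CN of sni.cloudflaressl.com
// has no bearing on whether the connection shows as valid.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// AssertedOrg returns the CA-vetted organisation name in the subject, or ""
// for a DV certificate. When non-empty it names the certificate holder, which
// for a proxied site is the proxy, not the party operating the site.
func AssertedOrg(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return ""
	}
	return cert.Subject.Organization[0]
}

func main() {
	for _, build := range []func() (*x509.Certificate, error){ProxyCert, DVCert} {
		cert, err := build()
		if err != nil {
			panic(err)
		}
		fmt.Printf("CN=%q O=%q SAN=%v\n", cert.Subject.CommonName, AssertedOrg(cert), cert.DNSNames)
		for _, host := range []string{"www.shop.example", "sni.cloudflaressl.com", "mozllla.org"} {
			fmt.Printf("  %-24s accepted=%v\n", host, HostMatches(cert, host))
		}
	}
}
```

Running it shows the proxy certificate accepted for www.shop.example and rejected for its own CN, and the DV certificate accepted for mozllla.org with an empty organisation: the name a user reads in the subject is about the key holder, while the only thing either certificate demonstrates is control of the SAN names at issuance time.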
