Gervase Markham wrote:
Ben Bucksch wrote:
OK. My thought is that we don't have many chances to push things like
that and have users consider it. If we make them aware of it, it
better be bulletproof, or we should not bother them with it, just
treat it as little better SSL cert, no special treatment.
You're absolutely right. Educating users is an enormous effort. That's
why I think whatever UI we choose (green bar, not green bar, whatever)
should be decoupled from the underlying enabling technology (EV,
DNSSec, phishing blacklist, whatever) we use to run it. That way, we
only have to educate users once.
Right. But how many phishers have an office with a street sign
saying "eBay" and a lobby?
...
Except you can't, because there won't be any information sources
which confirm that your number belongs to Microsoft. Because it
doesn't.
...
I don't think any information source would confirm that your address
belonged to eBay.
Reliable sources like the phonebook or a random commercial database?
Do you have access to change either of those to associate your address
with eBay?
Remember, of course, the phisher does not know which sources the CA is
going to use. Those are (reasonably enough) kept confidential.
You are, and the CAs writing the guidelines are, not assuming that
the procedures are specifically gamed, things so arranged that the
malicious applicant would pass them, including renting a fake office
with sign, putting up fake phone numbers and listing them for a few
days or weeks, or specifically targeting the commercial database(s)
that the CA uses to get your bad info in there. Esp. the latter is
probably trivially easy, because the commercial databases are not
security shops, just providing contact info for initiating business.
Esp. so in the US, from what I've heard.
Yes, what you say about renting a fake office is possible. But think
for a moment - if everyone who wanted to set up a phishing site had to
do that, how much less phishing would there be?
People who rent offices leave a paper trail - they have to show their
face, leave deposits and bank details, people remember them. You can't
do all of this anonymously from Russia any more.
That's true. But look at spam. Most spam originates in the US, and
spammers keep normal businesses, yet the US completely fails to stop the
problem. One or two lawsuits, that's it, no impact.
But let me turn the question around: if "social engineering" means you
can't trust what anyone says about anything, how do you establish
anything to be true?
The government takes care of that, registering people when they are born,
issuing passports and ID cards for them. And we can check the
signatures against that.
That's the base of my argument, put shortly: Everything else is hearsay.
[cut]
The request is filed, and Joe intercepts the relevant mail. However,
Foo CA rings BigCorp, talks to Fred Smith and finds he never signed
the application, so it's rejected.
If you can intercept all mail, you can probably drag a phone call to you
as well.
Something like that. Basically, you need to make sure that the person
who signed the application actually exists and did sign the
application. I can't quite see how you object to that check :-) It
doesn't help with the problems you are particularly concerned about,
but it's not meant to.
This and the weak phone number verification are in the critical path to
verify the request is authorized, there's no signature (and check of it)
necessary, that's the problem.
What do you mean by "bad certs"?
Cert saying I'm A Corp although I'm B Corp. CA failing on checks.
I suspect CAs will be "unofficially" looking out for the same tricks
immediately. They don't want to be landed with the liability
They disclaim any liability!
Unqualified scepticism without rationale
Well, I think history has shown us that scepticism beyond all common
sense is necessary when it comes to big CAs.
To be even more explicit: you definitely mean "every CA-issued
certificate", rather than "every *EV* certificate"?
No, I'm talking only about EV here.
Given that nothing breaks anymore, we have no need to blink.
What do you mean by "nothing breaks"? If we are talking about *every*
certificate, then for non-EV ones, all we can do if they tell us to
get stuffed is to yank roots. And then lots of things break.
I mean nothing forces us to treat EV (or any SSL certs for that matter)
as verified or secure. We can let the user go there, but pretend it's a
normal, unsecured HTTP site. Details are UI.
As I said, exactly this is offered as a service in Germany for 10 Eur,
one-time fee. If they can make a site visit, they can also look at a
personal ID card and check a signature. My grocery store does it!
What gives?
Germany is not the rest of the world.
This was just an example that it is possible, quite so, and to give an
idea about the effort / money required, to add some facts, instead of a
blank "too expensive".
Surely you can see the massive differences between the grocery store
situation and the cert situation? ... You are present at your grocery
store
Correct, but the ID card verification service by the post office, used
by movie mail-rent and a variety of other purposes, *is* comparable.
Or, if you want another example: Delivery of a delivery-confirmed
letter. I'm sure that exists in the US. The postman wants your paper
signature that you received the letter. He usually doesn't check the
signature against any papers / ID cards, but the expensive part is the
visiting. And it costs $5-10.
It's not cheap to get site visits done.
Right. It may cost them $10. Or maybe even $20! Yikes!
I don't know. I'd say the legal business name - "trading as" would be
a different field.
But then you'd have certs with O fields with names no-one had ever
heard of. If you go to what you think is Sony's site, and it says
"Sonii Corporation" (one possible official romanisation of their
Japanese name), that would make you really suspicious, wouldn't it? It
should. That's exactly the sort of thing phishers do, after all - have
a name that's similar but not quite the same.
I mention this merely to show that it's not an easy problem to solve.
If the real name is all useless, what do you put in the cert and display
to the user? The "trading as" name? (Sorry, haven't read the spec on
that.) If so, how do you verify that it doesn't overlap with another
company? Company names and trademarks, potentially world-wide?
Ben
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security