Re: When good certs do bad things

2016-05-26 Thread Ryan Sleevi
On Thu, May 26, 2016 at 1:58 PM, Phillip Hallam-Baker wrote: > What has encryption got to do with it? The "bad" raised was unrelated to certificates, publicly trusted or otherwise. As Nick also pointed out, a number of the "bad" is just as accomplish through other means

Re: When good certs do bad things

2016-05-26 Thread Peter Kurrasch
You are right to point out that many of those scenarios could be accomplished with a self-signed cert or indeed no cert at all. The decision to use a good cert or the likelihood of a good cert being used in any given scenario is not necessarily that important. What matters is that once we find

Re: Job: Is it OK to post a job listing in this forum?

2016-05-26 Thread David E. Ross
> On Thu, May 26, 2016 at 6:17 PM, Kathleen Wilson
> wrote:
>
>> Hi All,
>>
>> I have been asked if it is OK to post job listings in
>> mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked
>> that question before, and I am not aware of a written policy

Re: Job: Is it OK to post a job listing in this forum?

2016-05-26 Thread Eric Mill
I could tolerate a policy like that, and it's always possible to revisit it if it turns out to be abused, or causes people to unsubscribe (which I would recommend Mozilla watching, especially right after postings go out). One suggested change:
> * The Subject of the posting begins with "Job: "

Job: Is it OK to post a job listing in this forum?

2016-05-26 Thread Kathleen Wilson
Hi All, I have been asked if it is OK to post job listings in mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that question before, and I am not aware of a written policy about the content of postings to mozilla.dev.security.policy. So, here is a proposal: ~~ Jobs

Re: When good certs do bad things

2016-05-26 Thread Ryan Sleevi
On Thu, May 26, 2016 at 7:40 AM, Peter Kurrasch wrote:
> My suggestion is to frame the issue as: What is reasonable to expect of a
> CA if somebody sees bad stuff going on? How should CA's be notified? What
> sort of a response is warranted and in what timeframe? What

When good certs do bad things

2016-05-26 Thread Peter Kurrasch
It strikes me that some people might not have a good idea how people use certs to do bad things. As the token bad guy in this forum I'll take it upon myself to share some examples of how I might use a perfectly good cert in a "bad" way:
* Create a phishing site to harvest login credentials from

Re: [FORGED] Re: SSL Certs for Malicious Websites

2016-05-26 Thread Hubert Kario
On Thursday 26 May 2016 05:13:43 Peter Gutmann wrote:
> Richard Z writes:
> >If any criminal can easily get EV certificates what is the point of
> >https?
> The point of HTTPS is twofold:
>
> 1. Convince users that the Internet is safe to do business on
> (financial

Re: SSL Certs for Malicious Websites

2016-05-26 Thread Ryan Sleevi
On Wed, May 25, 2016 at 6:50 AM, wrote:
> If I understand you correctly, you are saying that CAs should not be doing
> any "internet policing" or "content policing" when they receive credible
> reports their certs are being used by phishers, malware providers, etc. --
>