Re: Talk at FOSDEM

2017-02-09 Thread Martin Heaps via dev-security-policy
Thank you for the link, Gerv. That was a very interesting watch. Curious 
correlation [post video] between Earnst and Young re:Wosign and Earnst and 
Young re: CrossCert (although I assume this CrossCert relationship was only 
forthcoming after your talk).

And the gent around the 38 minute mark turning the lights off as you where 
talking was somewhat amusing (sorry)
dev-security-policy mailing list

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Martin Heaps via dev-security-policy
This topic is frustrating in that there seems to be a wide attempt by people to 
use one form of authentication (DV TLS) to verify another form of 
authentication (EV TLS). 

There seems an issue for people not being able to understand that a FREE 
service with a vey low bar in knowledge requirement on the part of the end user 
(the website owner) will be used across the spectrum of human achievement (good 
and bad).

Economics: If something costs money, they far fewer people will make use of it, 
this has been (one of) the core reasonings behind "Lets Encrpyt" and other free 
SSL service providers. 

Education: If something requires a skill and background knowledge to work 
properly and correctly then far fewer people will be willing to deploy it 
across their websites.

The next level is now that any business or high valued entity should over the 
course of the next few years implement EV certificates (many already have) and 
that browsers should make EV certificates MORE noticable on websites. 

The end nessecity is that the general public need to be educated that a 
"secure" website does not mean an "authenticated" business, person or 
organisation. The general public needs to be aware of the difference between a 
DV and EV certificate. 

The community has spent meany years trying to highlight that lack of secure 
SSL/TLS for websites, that now it's in place, the community needs to highlight 
the different *Types* of certificates available and what they mean for the 
website visitor.

In addition I think this topic seems to be highlighted as an excuse by parties 
who (for some reason) don't like Lets Encrypt and similar services and want to 
use it as a way for people who don't understand what DV TLS actually does, to 
use it to draw attention to others who do not know what DV TLS does, to 
highlight that Lets Encrypt is somehow Bad or Evil for providing a secure 
service for nefarious websites.

Some ideas:

1) Browsers can gradually make the EV certificates more prominent, something 
such as first time a site is visited with an EV certificate that a popup notice 
appears declaring the name and address of the owner of the site. 

2) Websites themselves need to deploy better Content Security Policy practises. 
Very few websites seem to be using CSP despite it being a very powerful and 
flexible tool for preventing any site masqurading as another by "borrowing" 
their media and contents.  

3) There could be a system of word recognition / repetition count for something 
such as browse plugins to detect websites that use the "Paypal" word for 
instance above a certain level and then notifying the user the site is NOT an 
actual paypal domain.

(sorry, I'm sure most of you reading this are well aware of the details, I 
wanted a bit of a vent)
dev-security-policy mailing list

Re: Misissued/Suspicious Symantec Certificates

2017-03-01 Thread Martin Heaps via dev-security-policy
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj  wrote:

> WebTrust  for Certification   Authorities ,   SSL 
> BaselinewithNetwork Security,   Version 2.0,available 
>   at

404 - File or directory not found.
dev-security-policy mailing list

Re: Symantec Response L

2017-04-14 Thread Martin Heaps via dev-security-policy
On Tuesday, 11 April 2017 22:09:39 UTC+1, Eric Mill  wrote:
> On Tue, Apr 11, 2017 at 6:37 AM, Gervase Markham via dev-security-policy <
>> wrote:
> An (interactive) picture might help illustrate what I'm pointing to. This
> is the Federal PKI:

Just as an aside: 

Fascinating as this graphic is, loading it gives me a "Secure Connection 
Failure" (SEC_ERROR_CERT_BAD_ACCESS_LOCATION) as well as an OCSP ERROR in its 
revokation status.  

dev-security-policy mailing list

Re: [EXT] Symantec response to Google proposal

2017-06-05 Thread Martin Heaps via dev-security-policy
As an incidental, I am negatively influenced by reading Symantecs response:

On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin  wrote:

>  s-subca-proposal
> > Our primary objective has always been to minimize any potential business
> > disruption for our customers

So, Symantec's primary objective is not PK Security, PKI Trust, or Best 
Practise, or even Baseline Requirements?

> > Our CA business is led and staffed by experienced individuals around the 
> > world 
> > who serve our customers while ensuring our issuance practices comply with 
> > industry and browser requirements.  

This is fundametally inaccurate, if this was true then the issues that Mozilla 
and others have discovered wouldn't have been there to find.

> > As the largest issuer of EV and OV certificates in the industry according 
> > to 
> > Netcraft, Symantec handles significantly larger volumes of validation 
> > workloads across more geographies than most other CA’s. To our knowledge, 
> > no 
> > other single CA operates at the scale nor offers the broad set of 
> > capabilities 
> > that Symantec offers today.

So what if Symantec is the largest? If I am the busiest barman in the West and 
serving thousands of drinks an hour, if these drinks are in fact diluted down, 
the VOLUME of drinks I serve does not make up for the QUALITY of the drinks I 

Likewise, Every time Symantec issues an EV or OV certificate, they are paid, 
they make money. That's business, but if Symantec then decide not to reinvest 
in their infrastructure to support that business, why on earth should the rest 
of the PKI infrastructure have to give them some sort of special leniency?
> > Google shared this new proposal for Symantec’s CA with the community on May
> > 15. We have since been reviewing this proposal and weighing its merits 
> > against feedback we’ve heard from the broader community, including our CA 
> > customers.

If Symantec customers (who DO NOT KNOW the technical or even broader details of 
the issues at hand) have an nifluence on the way Symantec acts, it's not going 
to be best interest for the wider PKI security because it's doubtful of the 
technical knowledge available to these influncers. 

This whole blog post unfortuantely comes across as Symantec weasel-wording it's 
way out of self improvement or even real acceptance of the bad practise that 
has been documented so far.

Disappointing, but un-surprising. 

I feel Symantec needs the associated potential business penalty of running the 
risk of lost business (which I'm sure they can afford, being the biggest EV and 
OV provider in the world) to remind them, and to underline to them the 
importance of adhereing to the Baseline requirements and keeping the PKI 

dev-security-policy mailing list