Re: Talk at FOSDEM
Thank you for the link, Gerv. That was a very interesting watch. Curious correlation [post video] between Earnst and Young re:Wosign and Earnst and Young re: CrossCert (although I assume this CrossCert relationship was only forthcoming after your talk). And the gent around the 38 minute mark turning the lights off as you where talking was somewhat amusing (sorry) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites
This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). There seems an issue for people not being able to understand that a FREE service with a vey low bar in knowledge requirement on the part of the end user (the website owner) will be used across the spectrum of human achievement (good and bad). Economics: If something costs money, they far fewer people will make use of it, this has been (one of) the core reasonings behind "Lets Encrpyt" and other free SSL service providers. Education: If something requires a skill and background knowledge to work properly and correctly then far fewer people will be willing to deploy it across their websites. The next level is now that any business or high valued entity should over the course of the next few years implement EV certificates (many already have) and that browsers should make EV certificates MORE noticable on websites. BUT: The end nessecity is that the general public need to be educated that a "secure" website does not mean an "authenticated" business, person or organisation. The general public needs to be aware of the difference between a DV and EV certificate. The community has spent meany years trying to highlight that lack of secure SSL/TLS for websites, that now it's in place, the community needs to highlight the different *Types* of certificates available and what they mean for the website visitor. In addition I think this topic seems to be highlighted as an excuse by parties who (for some reason) don't like Lets Encrypt and similar services and want to use it as a way for people who don't understand what DV TLS actually does, to use it to draw attention to others who do not know what DV TLS does, to highlight that Lets Encrypt is somehow Bad or Evil for providing a secure service for nefarious websites. Some ideas: 1) Browsers can gradually make the EV certificates more prominent, something such as first time a site is visited with an EV certificate that a popup notice appears declaring the name and address of the owner of the site. 2) Websites themselves need to deploy better Content Security Policy practises. Very few websites seem to be using CSP despite it being a very powerful and flexible tool for preventing any site masqurading as another by "borrowing" their media and contents. 3) There could be a system of word recognition / repetition count for something such as browse plugins to detect websites that use the "Paypal" word for instance above a certain level and then notifying the user the site is NOT an actual paypal domain. (sorry, I'm sure most of you reading this are well aware of the details, I wanted a bit of a vent) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Misissued/Suspicious Symantec Certificates
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote: > WebTrust for Certification Authorities , SSL > BaselinewithNetwork Security, Version 2.0,available > at > http://www.webtrust.org/homepage‐documents/item79806.pdf. 404 - File or directory not found. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Symantec Response L
On Tuesday, 11 April 2017 22:09:39 UTC+1, Eric Mill wrote: > On Tue, Apr 11, 2017 at 6:37 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > An (interactive) picture might help illustrate what I'm pointing to. This > is the Federal PKI: > https://fpki-graph.fpki-lab.gov > Just as an aside: Fascinating as this graphic is, loading it gives me a "Secure Connection Failure" (SEC_ERROR_CERT_BAD_ACCESS_LOCATION) as well as an OCSP ERROR in its revokation status. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: [EXT] Symantec response to Google proposal
As an incidental, I am negatively influenced by reading Symantecs response: On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin wrote: > > https://www.symantec.com/connect/blogs/symantec-s-response-google- > s-subca-proposal > > > > > Our primary objective has always been to minimize any potential business > > disruption for our customers So, Symantec's primary objective is not PK Security, PKI Trust, or Best Practise, or even Baseline Requirements? > > Our CA business is led and staffed by experienced individuals around the > > world > > who serve our customers while ensuring our issuance practices comply with > > industry and browser requirements. This is fundametally inaccurate, if this was true then the issues that Mozilla and others have discovered wouldn't have been there to find. > > As the largest issuer of EV and OV certificates in the industry according > > to > > Netcraft, Symantec handles significantly larger volumes of validation > > workloads across more geographies than most other CA’s. To our knowledge, > > no > > other single CA operates at the scale nor offers the broad set of > > capabilities > > that Symantec offers today. So what if Symantec is the largest? If I am the busiest barman in the West and serving thousands of drinks an hour, if these drinks are in fact diluted down, the VOLUME of drinks I serve does not make up for the QUALITY of the drinks I serve. Likewise, Every time Symantec issues an EV or OV certificate, they are paid, they make money. That's business, but if Symantec then decide not to reinvest in their infrastructure to support that business, why on earth should the rest of the PKI infrastructure have to give them some sort of special leniency? > > Google shared this new proposal for Symantec’s CA with the community on May > > 15. We have since been reviewing this proposal and weighing its merits > > against feedback we’ve heard from the broader community, including our CA > > customers. If Symantec customers (who DO NOT KNOW the technical or even broader details of the issues at hand) have an nifluence on the way Symantec acts, it's not going to be best interest for the wider PKI security because it's doubtful of the technical knowledge available to these influncers. This whole blog post unfortuantely comes across as Symantec weasel-wording it's way out of self improvement or even real acceptance of the bad practise that has been documented so far. Disappointing, but un-surprising. I feel Symantec needs the associated potential business penalty of running the risk of lost business (which I'm sure they can afford, being the biggest EV and OV provider in the world) to remind them, and to underline to them the importance of adhereing to the Baseline requirements and keeping the PKI secure. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
