On 8/14/2020 2:14 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Fri, Aug 14, 2020 at 10:32 PM Ronald Crane via dev-security-policy
wrote:
Why not just do the right thing?
The domain you send your emails from is, as far as I can tell, at
least as much in breach of Germany's
On 8/14/2020 2:38 PM, Matthias van de Meent via dev-security-policy wrote:
On Fri, 14 Aug 2020, 21:52 Ronald Crane via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after
On 8/14/2020 1:17 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Fri, Aug 14, 2020 at 9:52 PM Ronald Crane via dev-security-policy
wrote:
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it is fraudulent, or at least after
notice
It could raise legal issues for a CA to refuse to revoke an obvious
phishing domain after notice that it is fraudulent, or at least after
notice that it's actually being used to defraud.
For example, Calif. Penal Code s.530.5 says:
(d)(2) Every person who, with _actual knowledge_ that the
On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy
wrote:
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
Detecting phishing domains by "looking at them as strings"
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy
wrote:
[...] Registrars (and CAs) are
in excellent positions to impede the use of phishing domains, since they
hand them out (registrars) or issue
On 8/13/2020 1:08 PM, Kurt Roeckx via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy
wrote:
I'd argue that domain registrars, CAs, and hosting services _should_ have an
obligation to deny services to obvious phishing domains. [1
I'd argue that domain registrars, CAs, and hosting services _should_
have an obligation to deny services to obvious phishing domains. [1]
(This is independent of what (if any) obligations they might currently
have.) Phishing continues to be epidemic. It is not enough that some
user agents
This is an abusive practice that tends to injure the operation of the
internet, particularly by encouraging victims to operate sites without
authentication and encryption in the interregnum between revocation and
the acquisition of a new cert. It also needlessly raises the cost to
operate a
NYT 12/23/2019 on the ToTok spying app and DarkMatter:
--
WASHINGTON — It is billed as an easy and secure way to chat by video or
text message with friends and family, even in a country that has
restricted popular messaging services like WhatsApp and Skype.
But the service, ToTok, is
Let’s Encrypt.
2. Why did you message the entire community about whatever it is you’ve found?
Thanks,
Paul
Sent from my iPhone
On Oct 12, 2019, at 11:04 AM, Ronald Crane via dev-security-policy
wrote:
Just FYI, metacert.com served up this cert recently:
https://crt.sh/?id=1884181370 .
-R
On 10/9/2019 3:17 PM, Paul Walsh wrote:
On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy
wrote:
On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote:
it indefinitely.
[PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement
DoH is going
On 10/8/2019 7:04 PM, Paul Walsh via dev-security-policy wrote:
On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy
wrote:
On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote:
On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy
wrote:
[snip]
Some
On 10/9/2019 11:02 AM, Paul Walsh via dev-security-policy wrote:
On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy
wrote:
On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote:
[snip]
sɑlesforce[.com] is available for purchase right now.
I was going to suggest
On 10/3/2019 8:44 PM, Matt Palmer via dev-security-policy wrote:
On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy
wrote:
On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
[snip]
I guess I wasn't specific enough. I am looking for a good study
On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
[snip]
I guess I wasn't specific enough. I am looking for a good study that
supports the proposition that the Internet community has (1) made a
concerted effort to ensure that there is only one authentic domain per
entity (or, at
On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote:
Ronald Crane via dev-security-policy
writes:
Please cite the best study you know about on this topic (BTW, I am *not* snidely
implying that there isn't one).
Sure, gimme a day or two since I'm away at the moment
On 10/2/2019 3:27 PM, Peter Gutmann wrote:
Ronald Crane via dev-security-policy
writes:
"Virtually impossible"? "Anyone"? Really? Those are big claims that need real
data.
How many references to research papers would you like? Would a dozen do, or
do you want two d
On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote:
On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy
wrote:
On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
New tools such as Modlishka now automate phishing attacks, making it virtually
impossible
On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
New tools such as Modlishka now automate phishing attacks, making it virtually
impossible for any browser or security solution to detect - bypassing 2FA.
Google has admitted that it’s unable to detect these phishing scams as they
On 9/8/2019 2:46 AM, Daniel Marschall via dev-security-policy wrote:
But the EV string always shows the country name. Therefore, the string should be
unambiguous, because there can be only one company called "Google Inc" in a
specific country (say Tonga).
The second sentence is generally
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote:
...
If you _work_ for such an institution [e.g.,a bank], the best thing
you could do to
protect your customers against Phishing, a very popular attack that
TLS is often expected to mitigate, is offer WebAuthn
You also could
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
On Sunday, August 18, 2019 20:05:42 UTC+2, Ronald Crane wrote:
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in
On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote:
On Friday, August 23, 2019 00:50:35 UTC+2, Ronald Crane wrote:
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
Whatever the merits of EV (and perhaps there are some -- I'm not
convinced either way)
On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote:
On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy
wrote:
On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote:
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
I can tell you
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
I can tell you that anti-phishing services and browser phishing filters have
also concluded that EV sites are very unlikely to be phishing sites and so
are safer for users.
Whatever the merits of EV (and perhaps
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in conjunction with a domain name and website with the true
intent to dupe potential customers is another matter. I'm trying to get past
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
So far I see is a number of contrived test cases picking apart small components
of EV, and no real data to back it up.
I also would like to see more evidence of problems. However, I have to
object to the idea that
Mostly
Thank you for posting that notice.
It's not clear whether the leak impacted issuance. From the link you cited:
*** Other documents appeared to be Comodo vulnerability reports. ***
Ursem’s cursory review of the data did
On 7/18/2019 9:15 PM, alwayshisforever5183--- via dev-security-policy wrote:
How do I remove the cert root?
Use tools/options, type "cert" in the "find in options" box, then click
"view certificates". Select "authorities" tab. Now examine the list
until you find the certificate(s) you want
I have to rebut the idea that revoking trust is an adequate -- let alone
an "essentially absolute" -- recourse for a CA's abuse of its authority.
The fact is that an abusive CA can cause unwanted (and potentially
harmful) code and data to be injected into -- and personal data to be