Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Nick Lamb via dev-security-policy
Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a login form, or use shiny new features. We aren't where we'd ideally be, everybody is agreed about that. That's not the same thing as agreeing our direction of travel is wrong. I am far from home reduced to using

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Hector Martin via dev-security-policy
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote: >>> 1. HTTP >>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no >>> validation) >>> 3. HTTPS > > You're not wrong that (2) is better than (1). It's also indistinguishable > from a downgrade attack from (3). But

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread Ryan Sleevi via dev-security-policy
On Wed, Mar 29, 2017 at 7:30 AM, Hector Martin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We actually have *five* levels of trust here: > > 1. HTTP > 2. HTTPS with no validation (self-signed or anonymous ciphersuite) > 3. HTTPS with DV > 4. HTTPS with OV > 5. HTTPS

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread mono.riot--- via dev-security-policy
> Not for those sorts of differences. There are in an IDN context: > http://unicode.org/reports/tr39/ wasn't aware of that TS, thanks! ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread Hector Martin via dev-security-policy
On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote: Martin Heaps via dev-security-policy writes: This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-28 Thread Gervase Markham via dev-security-policy
On 27/03/17 23:15, mono.r...@gmail.com wrote: > Are there general proposals yet on how to distinguish phishing vs > legitimate when it comes to domains? (like apple.com vs app1e.com vs > mom'n'pop farmer's myapple.com) Not for those sorts of differences. There are in an IDN context:

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-28 Thread Florian Weimer via dev-security-policy
* mono riot: >> I've been wondering if CT is a good tool for things like safe >> browsing to monitor possible phishing sites and possibly detect >> them faster. > > Are there general proposals yet on how to distinguish phishing vs > legitimate when it comes to domains? (like apple.com vs

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Matt Palmer via dev-security-policy
On Mon, Mar 27, 2017 at 10:16:52PM +0200, Kurt Roeckx via dev-security-policy wrote: > On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via > dev-security-policy wrote: > > On 27/03/17 16:08, Martin Heaps wrote: > > > The next level is now that any business or high valued entity should

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread mono.riot--- via dev-security-policy
> I've been wondering if CT is a good tool for things like safe > browsing to monitor possible phishing sites and possibly detect > them faster. Are there general proposals yet on how to distinguish phishing vs legitimate when it comes to domains? (like apple.com vs app1e.com vs mom'n'pop

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Peter Gutmann via dev-security-policy
Martin Heaps via dev-security-policy writes: >This topic is frustrating in that there seems to be a wide attempt by people >to use one form of authentication (DV TLS) to verify another form of >authentication (EV TLS). The overall problem is that browser

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Kurt Roeckx via dev-security-policy
On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via dev-security-policy wrote: > On 27/03/17 16:08, Martin Heaps wrote: > > The next level is now that any business or high valued entity should > > over the course of the next few years implement EV certificates (many > > already have)

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Gervase Markham via dev-security-policy
On 27/03/17 16:08, Martin Heaps wrote: > The next level is now that any business or high valued entity should > over the course of the next few years implement EV certificates (many > already have) and that browsers should make EV certificates MORE > noticable on websites.. or we should

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Martin Heaps via dev-security-policy
This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). There seems an issue for people not being able to understand that a FREE service with a vey low bar in knowledge

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread Vincent Lynch via dev-security-policy
Hi David, I am the author of the research discussed in that Bleeping Computer post.. Your post is a bit brief, so I'm not sure if you are just sharing news, or wanted to discuss a certain aspect of this story or topic. So I will just share some general thoughts: 1. The most important thing

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread Adam Caudill via dev-security-policy
Much has been written about this issue of late; most of the focus has been on Let's Encrypt, but they are not the only CA issuing certificates to phishing sites, though because of the scale Let's Encrypt operates at, they issue the most, and thus take most of the heat. One of the better articles

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread David E. Ross via dev-security-policy
The subject is the title of a Slashdot article posted today. The article can be accessed at . The article contains two links. One is to a Bleeping Computer article that gives