Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Leo Grove via dev-security-policy
On Tuesday, December 11, 2018 at 11:27:52 AM UTC-6, Hector Martin 'marcan' wrote: > On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > > Is this new from the past discussion? > > I think what's new is someone actually tried this, and found 5 CAs that > are vulnerable and for which

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
> > See also the screenshot I posted earlier.  That was from a black-market web > site selling EV certificates to anyone with the stolen credit cards to pay for > them.  These are legit EV certs issued to legit companies, available off the > shelf for criminals to use.  For a little extra payment

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Leo Grove via dev-security-policy
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote: > On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy > wrote: > > However, as a user I support EV SSL. I personally have never come across > > a scam site that displayed an EV S

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
I don't know about other CAs, but at SSL.com we issue a very limited number of EV SSL certificates in comparison to other certificates so it's not a big revenue driver. However, as a user I support EV SSL. I personally have never come across a scam site that displayed an EV SSL (I'm not saying

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Leo Grove via dev-security-policy
> > There are also opportunities for browsers here. I have to admit I > primarily use Google Chrome, rather than Firefox, so my observations may be > a little tainted, but I see various places where signals far more valuable > than the green lock could be implemented. Consider that most

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Leo Grove via dev-security-policy
On Thursday, August 29, 2019 at 5:26:55 PM UTC-5, Kirk Hall wrote: > On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > > > > > > Don't argue with me,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Leo Grove via dev-security-policy
On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > I can tell you that anti-phishing services and browser phishing filters > > have also concluded that EV sites are very unlikely to be phishing >

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Leo Grove via dev-security-policy
On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: > On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy > wrote: > > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? > > Because those stats don't show anything worth blowing up one's head

Re: Welcome Ben Wilson to Mozilla!

2020-04-13 Thread Leo Grove via dev-security-policy
Congrats Ben! Looking forward to working with you. Regards, Leo On Monday, April 13, 2020 at 1:32:42 PM UTC-5, Ben Wilson wrote: > Thanks, Kathleen > > I'm really excited to begin working with all of you! > > Cheers and stay safe, > > Ben Wilson > > On Mon, Apr 13, 2020 at 11:07 AM Kathleen