Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Nick Lamb via dev-security-policy
Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a login form, or use shiny new features. We aren't where we'd ideally be, everybody is agreed about that. That's not the same thing as agreeing our direction of travel is wrong. I am far from home reduced to using mob

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Hector Martin via dev-security-policy
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no validation)
>>> 3. HTTPS
>
> You're not wrong that (2) is better than (1). It's also indistinguishable from a downgrade attack from (3). But

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread Ryan Sleevi via dev-security-policy
On Wed, Mar 29, 2017 at 7:30 AM, Hector Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> We actually have *five* levels of trust here:
>
> 1. HTTP
> 2. HTTPS with no validation (self-signed or anonymous ciphersuite)
> 3. HTTPS with DV
> 4. HTTPS with OV
> 5. HTTPS w

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread mono.riot--- via dev-security-policy
> Not for those sorts of differences. There are in an IDN context:
> http://unicode.org/reports/tr39/

wasn't aware of that TS, thanks!

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread Hector Martin via dev-security-policy
On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote: Martin Heaps via dev-security-policy writes: This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). The overall

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-28 Thread Gervase Markham via dev-security-policy
On 27/03/17 23:15, mono.r...@gmail.com wrote:
> Are there general proposals yet on how to distinguish phishing vs
> legitimate when it comes to domains? (like apple.com vs app1e.com vs
> mom'n'pop farmer's myapple.com)

Not for those sorts of differences. There are in an IDN context: http://unicode

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-28 Thread Florian Weimer via dev-security-policy
* mono riot:
>> I've been wondering if CT is a good tool for things like safe
>> browsing to monitor possible phishing sites and possibly detect
>> them faster.
>
> Are there general proposals yet on how to distinguish phishing vs
> legitimate when it comes to domains? (like apple.com vs app1e.com

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Matt Palmer via dev-security-policy
On Mon, Mar 27, 2017 at 10:16:52PM +0200, Kurt Roeckx via dev-security-policy wrote:
> On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via
> dev-security-policy wrote:
> > On 27/03/17 16:08, Martin Heaps wrote:
> > > The next level is now that any business or high valued entity should
>

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread mono.riot--- via dev-security-policy
> I've been wondering if CT is a good tool for things like safe
> browsing to monitor possible phishing sites and possibly detect
> them faster.

Are there general proposals yet on how to distinguish phishing vs legitimate when it comes to domains? (like apple.com vs app1e.com vs mom'n'pop farmer'

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Peter Gutmann via dev-security-policy
Martin Heaps via dev-security-policy writes:
>This topic is frustrating in that there seems to be a wide attempt by people
>to use one form of authentication (DV TLS) to verify another form of
>authentication (EV TLS).

The overall problem is that browser vendors have decreed that you can't have

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Kurt Roeckx via dev-security-policy
On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via dev-security-policy wrote:
> On 27/03/17 16:08, Martin Heaps wrote:
> > The next level is now that any business or high valued entity should
> > over the course of the next few years implement EV certificates (many
> > already have) and

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Gervase Markham via dev-security-policy
On 27/03/17 16:08, Martin Heaps wrote:
> The next level is now that any business or high valued entity should
> over the course of the next few years implement EV certificates (many
> already have) and that browsers should make EV certificates MORE
> noticeable on websites.. or we should decide

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread Martin Heaps via dev-security-policy
This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). There seems an issue for people not being able to understand that a FREE service with a very low bar in knowledge requiremen

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread Vincent Lynch via dev-security-policy
Hi David, I am the author of the research discussed in that Bleeping Computer post. Your post is a bit brief, so I'm not sure if you are just sharing news, or wanted to discuss a certain aspect of this story or topic. So I will just share some general thoughts: 1. The most important thing to

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread Adam Caudill via dev-security-policy
Much has been written about this issue of late; most of the focus has been on Let's Encrypt, but they are not the only CA issuing certificates to phishing sites, though because of the scale Let's Encrypt operates at, they issue the most, and thus take most of the heat. One of the better articles o

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread David E. Ross via dev-security-policy
The subject is the title of a Slashdot article posted today. The article can be accessed at . The article contains two links. One is to a Bleeping Computer article that gives m