Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a login form, or use shiny new features. We aren't where we'd ideally be, everybody is agreed about that. That's not the same thing as agreeing our direction of travel is wrong. I am far from home reduced to using mob

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote: >>> 1. HTTP >>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no >>> validation) >>> 3. HTTPS > > You're not wrong that (2) is better than (1). It's also indistinguishable > from a downgrade attack from (3). But

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On Wed, Mar 29, 2017 at 7:30 AM, Hector Martin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We actually have *five* levels of trust here: > > 1. HTTP > 2. HTTPS with no validation (self-signed or anonymous ciphersuite) > 3. HTTPS with DV > 4. HTTPS with OV > 5. HTTPS w

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

> Not for those sorts of differences. There are in an IDN context: > http://unicode.org/reports/tr39/ wasn't aware of that TS, thanks! ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-secur

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote: Martin Heaps via dev-security-policy writes: This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). The overall

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On 27/03/17 23:15, mono.r...@gmail.com wrote: > Are there general proposals yet on how to distinguish phishing vs > legitimate when it comes to domains? (like apple.com vs app1e.com vs > mom'n'pop farmer's myapple.com) Not for those sorts of differences. There are in an IDN context: http://unicode

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

* mono riot: >> I've been wondering if CT is a good tool for things like safe >> browsing to monitor possible phishing sites and possibly detect >> them faster. > > Are there general proposals yet on how to distinguish phishing vs > legitimate when it comes to domains? (like apple.com vs app1e.com

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On Mon, Mar 27, 2017 at 10:16:52PM +0200, Kurt Roeckx via dev-security-policy wrote: > On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via > dev-security-policy wrote: > > On 27/03/17 16:08, Martin Heaps wrote: > > > The next level is now that any business or high valued entity should >

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

> I've been wondering if CT is a good tool for things like safe > browsing to monitor possible phishing sites and possibly detect > them faster. Are there general proposals yet on how to distinguish phishing vs legitimate when it comes to domains? (like apple.com vs app1e.com vs mom'n'pop farmer'

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

Martin Heaps via dev-security-policy writes: >This topic is frustrating in that there seems to be a wide attempt by people >to use one form of authentication (DV TLS) to verify another form of >authentication (EV TLS). The overall problem is that browser vendors have decreed that you can't have

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On Mon, Mar 27, 2017 at 09:02:48PM +0100, Gervase Markham via dev-security-policy wrote: > On 27/03/17 16:08, Martin Heaps wrote: > > The next level is now that any business or high valued entity should > > over the course of the next few years implement EV certificates (many > > already have) and

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

On 27/03/17 16:08, Martin Heaps wrote: > The next level is now that any business or high valued entity should > over the course of the next few years implement EV certificates (many > already have) and that browsers should make EV certificates MORE > noticable on websites.. or we should decide

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS). There seems an issue for people not being able to understand that a FREE service with a vey low bar in knowledge requiremen

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

Hi David, I am the author of the research discussed in that Bleeping Computer post.. Your post is a bit brief, so I'm not sure if you are just sharing news, or wanted to discuss a certain aspect of this story or topic. So I will just share some general thoughts: 1. The most important thing to

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

Much has been written about this issue of late; most of the focus has been on Let's Encrypt, but they are not the only CA issuing certificates to phishing sites, though because of the scale Let's Encrypt operates at, they issue the most, and thus take most of the heat. One of the better articles o

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

The subject is the title of a Slashdot article posted today. The article can be accessed at . The article contains two links. One is to a Bleeping Computer article that gives m