Re: [FORGED] Re: SSL Certs for Malicious Websites

On 29/05/16 11:48, Peter Gutmann wrote: > Are you really trying to claim that the sad farce that is current browser PKI > is absolutely the very best that browser vendors can do in terms of protecting > users online? I'm sure things can always be better. My point was that the current system, for

RE: [FORGED] Re: SSL Certs for Malicious Websites

Gervase Markham writes: >It depends what alternative configuration-free idiot-proof secure >communications technology you have invented in your fantasy world to take its >place. Are you really trying to claim that the sad farce that is current browser PKI is absolutely the

Re: [FORGED] Re: SSL Certs for Malicious Websites

On 27/05/16 13:20, Peter Gutmann wrote: > Apart from the lucky CAs who have been given government- > mandated monopolies, would any CA still exist today if there weren't a need to > pay someone to turn off the browser warnings? It depends what alternative configuration-free idiot-proof secure

RE: [FORGED] Re: SSL Certs for Malicious Websites

Ryan Sleevi writes: >This seems both off-topic and not productively addressing the topic at hand. Yeah, maybe it's best taken to another list like cypherpunks or the crypto list. It was intended as an honest, and probably pretty blunt, assessment of the state of HTTPS: It was

Re: [FORGED] Re: SSL Certs for Malicious Websites

On Thursday 26 May 2016 05:13:43 Peter Gutmann wrote: > Richard Z writes: > >If any criminal can easily get EV certificates what is the point of > >https? > The point of HTTPS is twofold: > > 1. Convince users that the Internet is safe to do business on > (financial

Re: SSL Certs for Malicious Websites

On Wed, May 25, 2016 at 6:50 AM, wrote: > If I understand you correctly, you are saying that CAs should not be doing > any "internet policing" or "content policing" when they receive credible > reports their certs are being used by phishers, malware providers, etc. -- >

RE: [FORGED] Re: SSL Certs for Malicious Websites

Richard Z writes: >If any criminal can easily get EV certificates what is the point of https? The point of HTTPS is twofold: 1. Convince users that the Internet is safe to do business on (financial transfers, medical data). 2. Provide a steady revenue stream for CAs.

Re: SSL Certs for Malicious Websites

On Wed, May 25, 2016 at 11:54:50AM -0400, Eric Mill wrote: > On Wed, May 25, 2016 at 9:50 AM, wrote: > > > > > Why should CAs delegate to or rely on browsers for this type of user > > protection? Isn't it better for CAs to remain involved by revoking certs / > > refusing to

Re: SSL Certs for Malicious Websites

On Wed, May 25, 2016 at 9:50 AM, wrote: > > Why should CAs delegate to or rely on browsers for this type of user > protection? Isn't it better for CAs to remain involved by revoking certs / > refusing to issue certs to known bad sites, like CAs have done for at least > the

Re: SSL Certs for Malicious Websites

On Wed, May 25, 2016 at 01:09:53AM -0700, Ryan Sleevi wrote: > On Tue, May 24, 2016 at 10:25 AM, wrote: > > Here's my question -- what do Google and Microsoft do with such reports? > > Do they investigate and then put a site on the "bad" list, eg, for > > injecting

Re: SSL Certs for Malicious Websites

On Tue, May 24, 2016 at 10:25 AM, wrote: > Here's my question -- what do Google and Microsoft do with such reports? Do > they investigate and then put a site on the "bad" list, eg, for injecting > malware? If not, then no one will stop the malware site. If yes -- what

Re: SSL Certs for Malicious Websites

On Tuesday, May 24, 2016 at 2:01:22 PM UTC+2, Ryan Sleevi wrote: > On Friday, May 20, 2016 at 10:24:56 AM UTC-7, Andrew Ayer wrote: > > In fact, Kathleen asked explicitly for what the answers "should be" in > > addition to what they are, so my email was not unrelated. To be more > > explicit, I

Re: SSL Certs for Malicious Websites

On Friday, May 20, 2016 at 10:24:56 AM UTC-7, Andrew Ayer wrote: > In fact, Kathleen asked explicitly for what the answers "should be" in > addition to what they are, so my email was not unrelated. To be more > explicit, I think the answers to questions 3-5 should be no. The > reason why is

Re: SSL Certs for Malicious Websites

On Wednesday, May 18, 2016 at 6:22:39 PM UTC+3, Peter Bowen wrote: > On Wed, May 18, 2016 at 7:16 AM, Gervase Markham wrote: > > I think the bullet as a whole could mean that we reserve the right to > > not include CAs who happily issue certs to "www.paypalpayments.com" to > >

Re: SSL Certs for Malicious Websites

On Sat, May 21, 2016 at 12:04 PM, wrote: > > Peter, once again you are ignoring the full language of BR 4.9.2 to > 4.10.2. These CA requirements are not limited to reports of "misuse" > submitted to a CA, but apply to reports of "suspected Key Compromise, > Certificate

Re: SSL Certs for Malicious Websites

On Thu, May 19, 2016 at 05:20:07PM +1000, Matt Palmer wrote: > On Tue, May 17, 2016 at 11:14:21PM +0200, Richard Z wrote: > > There are crime friendly providers already and having crime friendly CAs is > > something that users would definitely notice. > > Why? Do users typically notice the

Re: SSL Certs for Malicious Websites

On Friday, May 20, 2016 at 6:22:21 PM UTC-7, Peter Bowen wrote: > [ Disclaimer: This message is my personal view and does not > necessarily represent that of my employer. ] > > On Fri, May 20, 2016 at 5:41 PM, [Kirk Hall] wrote: > > Peter -- the reference to BR 9.6.8(8) is interesting, but is

Re: SSL Certs for Malicious Websites

[ Disclaimer: This message is my personal view and does not necessarily represent that of my employer. ] On Fri, May 20, 2016 at 5:41 PM, wrote: > Peter -- the reference to BR 9.6.8(8) is interesting, but is not really > relevant to discussion of the requirements of BR

Re: SSL Certs for Malicious Websites

[ Disclaimer: This message is my personal view and does not necessarily represent that of my employer. ] On Thu, May 19, 2016 at 9:15 AM, wrote: > This has been a very surprising discussion to me. If most CAs were asked “Do > you think CAs are supposed to investigate

Re: SSL Certs for Malicious Websites

On Thu, 19 May 2016 16:52:26 -0700 (PDT) tech29...@gmail.com wrote: > Your main concern – unjustified delay in issuing a certificate to > your customer while a human looks at the domain to decide if there is > a problem - is not really related to any of Kathleen’s questions. > Your other comments

Re: SSL Certs for Malicious Websites

On 19/05/16 00:45, Matt Palmer wrote: > How so? It could be a site providing information from a third party on how > to make and receive payments via PayPal. It could also be a site operated > by a third party on behalf of PayPal. Inferring nefarious intent from a > domain name seems like a

Re: SSL Certs for Malicious Websites

On 18/05/16 17:35, Ben Wilson wrote: > Looking at the threat from a defense-in-depth/orthogonal perspective, > doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does > something to combat malicious websites for the public? Not necessarily, if what they do ends up damaging

Re: SSL Certs for Malicious Websites

On Friday, May 20, 2016 at 2:09:42 AM UTC-7, Ben Laurie wrote: > > 4.9.3. Procedure for Revocation Request > > > >"*** The CA SHALL provide Subscribers, Relying Parties, Application > > Software Suppliers, and other third parties with clear instructions for > > reporting suspected Private

Re: SSL Certs for Malicious Websites

Matt, that's a bit harsh, and you are all over the map. I was only responding to Kathleen's questions, which asked what do the current BRs require CAs to do when they receive reports of SSL certificates issued to malware injection sites. I was not proposing any new rules or any new

Re: SSL Certs for Malicious Websites

Andrew - As I outlined in my message above, the BRs cover two distinct situations: (1) when must CAs revoke certs that have already been issued for “Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates,” and (2) when CAs must refuse

Re: SSL Certs for Malicious Websites

Well said, Andrew. You've summarised the issue excellently. - Matt On Thu, May 19, 2016 at 03:19:13PM -0700, Andrew Ayer wrote: > Kathleen, > > I believe that certificate authorities should be content-neutral. They > should not be required to assess "misuse" or "fraud," nor be required > to

Re: SSL Certs for Malicious Websites

On Tue, 17 May 2016 03:19:22 + Peter Gutmann wrote: > Matt Palmer writes: > >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: > >> knowingly issuing/tolerating certificates for sites known to > >> inject malware is > >> * contrary to

Re: SSL Certs for Malicious Websites

Kathleen, I believe that certificate authorities should be content-neutral. They should not be required to assess "misuse" or "fraud," nor be required to revoke certificates except upon request of the owner of a domain listed in the certificate. Requiring CAs to police website content is

Re: SSL Certs for Malicious Websites

This has been a very surprising discussion to me. If most CAs were asked “Do you think CAs are supposed to investigate and revoke one of your certificates that is reported to you for injecting malware on Relying Parties clients?” their answer would be “Yes, of course – that’s required under

Re: SSL Certs for Malicious Websites

On Tue, May 17, 2016 at 11:14:21PM +0200, Richard Z wrote: > There are crime friendly providers already and having crime friendly CAs is > something that users would definitely notice. Why? Do users typically notice the crime friendly hosting providers? - Matt

Re: SSL Certs for Malicious Websites

On Tue, May 17, 2016 at 01:04:28AM +, Charles Reiss wrote: > On 05/16/16 12:22, Richard Z wrote: > >On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > > > >>Some CAs may choose to not issue to sites known to inject malware, but > >>this outside the scope of the SSL requirements.

Re: SSL Certs for Malicious Websites

On Wed, May 18, 2016 at 03:16:59PM +0100, Gervase Markham wrote: > > What is meant by "fraudulent use"? > > I think the bullet as a whole could mean that we reserve the right to > not include CAs who happily issue certs to "www.paypalpayments.com" to > just anyone without any checks or High Risk

Re: SSL Certs for Malicious Websites

On Wed, May 18, 2016 at 04:35:49PM +, Ben Wilson wrote: > Looking at the threat from a defense-in-depth/orthogonal perspective, > doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does > something to combat malicious websites for the public? Because the next steps after

Re: SSL Certs for Malicious Websites

I would simply like to state that my views, and the views of Let's Encrypt, are closely aligned with those already expressed here by Peter Bowen and Eric Mill. I will add, since I don't think it has been made clear enough here already, that violations of a CA's subscriber agreement can and

Re: SSL Certs for Malicious Websites

curity-policy > [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On > Behalf Of Peter Bowen > Sent: Wednesday, May 18, 2016 9:23 AM > To: Gervase Markham <g...@mozilla.org> > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson > <kwil.

Re: SSL Certs for Malicious Websites

On Wed, May 18, 2016 at 7:16 AM, Gervase Markham wrote: > I think the bullet as a whole could mean that we reserve the right to > not include CAs who happily issue certs to "www.paypalpayments.com" to > just anyone without any checks or High Risk string list or anything. > Such

Re: SSL Certs for Malicious Websites

In the case of a DV certificate it's exactly what it says, validating the ownership of a domain, and nothing more. While users _may believe_ that TLS is supposed to protect them from malware, hackers, or 'untrustworthy' sites in general _it is not_. TLS exists to encrypt the connection between a

Re: SSL Certs for Malicious Websites

On Mon, May 16, 2016 at 8:24 AM, Ben Wilson wrote: > Gerv wrote, > "Counter-question to many of these: who defines what is malware, and who > made them king?" > > The contract that the CA enters into with the subscriber should have done > that. > > Subscriber Agreements

Re: SSL Certs for Malicious Websites

On Monday, May 16, 2016 at 9:20:56 AM UTC-7, Kathleen Wilson wrote: > I am wondering if the BRs need to be updated to: > + Define what is meant by "Certificate misuse, or other types of fraud". > (e.g. being used for a purpose outside of that contained in the cert, or > applicant provided false

Re: SSL Certs for Malicious Websites

On Tuesday, 17 May 2016 04:19:57 UTC+1, Peter Gutmann wrote: > So you're saying users expect CAs to certify malware sites? I'm a user, and that's what I expect, so trivially yes. ___ dev-security-policy mailing list

Re: SSL Certs for Malicious Websites

On Tue, 17 May 2016 12:51:53 +0200, Hubert Kario wrote: > problem is, that this is a slippery slope. What's malware for one person > is a research subject for another. What's inflammatory or misleading > information for one person is parody and joke material to other. What's > illegal in one

Re: SSL Certs for Malicious Websites

On Tuesday 17 May 2016 03:19:22 Peter Gutmann wrote: > Matt Palmer writes: > >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: > >> knowingly issuing/tolerating certificates for sites known to inject > >> malware is > >> * contrary to user expectaions > > >

RE: SSL Certs for Malicious Websites

Matt Palmer writes: >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: >> knowingly issuing/tolerating certificates for sites known to inject >> malware is >> * contrary to user expectaions > >[Citation needed] So you're saying users expect CAs to certify malware

Re: SSL Certs for Malicious Websites

On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: > On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > > > Some CAs may choose to not issue to sites known to inject malware, but > > this outside the scope of the SSL requirements. The EV Guidelines it > > very clear that the

Re: SSL Certs for Malicious Websites

On Mon, May 16, 2016 at 09:20:40AM -0700, Kathleen Wilson wrote: > In regards to Mozilla policy, maybe we should consider adding text about > Mozilla's expectations for CAs when they find out that a TLS/SSL > certificate that they issued is being used to do bad things. Mozilla should expect that

Re: SSL Certs for Malicious Websites

On 16/05/16 17:20, Kathleen Wilson wrote: This discussion should consider what's best for Mozilla's users. Perhaps that aligns precisely with the minimum requirements in the EVGs, or perhaps it doesn't. Mozilla are free to specify additional requirements if they feel the need to do so, just as

Re: SSL Certs for Malicious Websites

> > This discussion should consider what's best for Mozilla's users. Perhaps > > that aligns precisely with the minimum requirements in the EVGs, or perhaps > > it doesn't. Mozilla are free to specify additional requirements if they > > feel the need to do so, just as Microsoft did recently... >

RE: SSL Certs for Malicious Websites

Gerv wrote, "Counter-question to many of these: who defines what is malware, and who made them king?" The contract that the CA enters into with the subscriber should have done that. Subscriber Agreements should have language in them that says something to the effect, "We can revoke your

Re: SSL Certs for Malicious Websites

On 16/05/16 01:13, Kathleen Wilson wrote: > 3) If a website is using its SSL certificate to mask injection of malware and > evidence of that is presented to the issuing CA, is that sufficient misuse > for the CA to be required to revoke the certificate? Counter-question to many of these: who

Re: SSL Certs for Malicious Websites

On Mon, May 16, 2016 at 6:06 AM, Rob Stradling wrote: > On 16/05/16 01:43, Peter Bowen wrote: > > This discussion should consider what's best for Mozilla's users. Perhaps > that aligns precisely with the minimum requirements in the EVGs, or perhaps > it doesn't. Mozilla

Re: SSL Certs for Malicious Websites

On 16/05/16 01:43, Peter Bowen wrote: Some CAs may choose to not issue to sites known to inject malware, but this outside the scope of the SSL requirements. The EV Guidelines it very clear that the reputation and actions of the Subject are not in scope: Peter, I'd just like to point out that

Re: SSL Certs for Malicious Websites

On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > "By providing more reliable third-party verified identity and address > information regarding the business, EV Certificates may help to [...] > Assist law enforcement organizations in their investigations of > phishing and other online

Re: SSL Certs for Malicious Websites

On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > Some CAs may choose to not issue to sites known to inject malware, but > this outside the scope of the SSL requirements. The EV Guidelines it > very clear that the reputation and actions of the Subject are not in > scope: knowingly

Re: SSL Certs for Malicious Websites

(Top posting to bring the questions to the top) > 1) What does "Certificate misuse, or other types of fraud" in the definition > of Certificate Problem Report actually mean? > 2) What does "misused" mean in Section 4.9.1.1? I think there are a several of different things that could fall within