On Monday, December 11, 2017 at 5:00:14 PM UTC-6, Ryan Sleevi wrote:

> > That Kentucky registration for Stripe, Inc. -- Is it completely fraudulent
> > as to registered agent, business address, etc? If it's not, then the
> > certificate and underlying entity serve as an archived investigative entry
> > point for law enforcement or potential civil action.
>
> Fundamentally, I think this is misleading. It presumes that, upon something
> bad happening, someone can link it back to that certificate to link it back
> to that identity. If I was phished, and entered my credentials, there's no
> reason to believe I've maintained the record details including the phishing
> link to know I was phished. Are users supposed to spelunk their HTTP cache or
> maintain complete archives of every link they visited, such that they can get
> the cert back from it to aid an investigation?

Not really - what matters is that the user insists they got had via a phishing link or other process - that can certainly be verified after the fact - did someone steal their money in a sketchy way, but with apparent user authorization? Further, the user swears back and forth that the green bar was there and they looked to see that it matched the site's name - their bank, PayPal, etc. All EV certs are CT logged; find the cert or homograph from there, track to issuer and validation details, chase the entity document path, etc.

> The problem with this comparison (and indeed, CAs' like to bring it up), is
> there's no model of how it gets to the civil action or criminal investigation
> to begin with, in a way that is equivalent with the supposed risks it
> prevents.

It begins with a sufficient loss, an aggressive attorney, or an aggressive complaining witness before law enforcement.

> > Even if it is, someone filed the paperwork. Courthouses have clerks,
> > guards, video cameras, etc... It still may present a real physical point
> > from which to bootstrap an investigation.
>
> Courthouses also have online systems. I think if you read both Ian and
> James' work, you'll see the issues they're raising address this hypothetical.

I shall certainly read their work closely on that matter. In my experience, these generally don't allow filings for new businesses from those not previously known to the court/registrar in real life.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

