On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote:
Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane:
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
Whatever the merits of EV (and perhaps there are some -- I'm not
convinced either way) this data is negligible evidence of them. A DV
cert is sufficient for phishing, so there's no reason for a phisher to
obtain an EV cert, hence very few phishing sites use them, hence EV
sites are (at present) mostly not phishing sites.
Can you prove that your assumption "very few phishing sites use EV (only) because DV is
sufficient" is correct? I do think the truth is "very few phishing sites use EV, because
EV is hard to get".
Well, I can't "prove" the assertion, but I can provide some evidence for
it. For example, Russia's GRU phished (Hillary Clinton's campaign
manager) John Podesta in 2016 using the URL-shortening service bit.ly.
[1] Since such services are widely used for legitimate links, most
people click on them as a matter of course, except for some denizens of
security forums such as this one. In any case, the link forwarded him to
a GRU site, into which he entered his Gmail credentials, and the rest
is history. I don't know whether the GRU site used an EV cert, but I am
unaware of any evidence for that idea.
Someone earlier in this thread cited a stat that the vast majority of
phishing sites that use certs use DV certs. According to an (apparently
CA-sponsored) study from 2017 [2], only about 12% of phishing sites even
bother to use SSL. Of those, basically all use DV certs (Id. at p.2-3).
This data implies that most users who can be phished can be phished
without even using SSL, and most of the remainder can be phished using a
DV cert.
Now *maybe* (1) if EV certs were widely used, and (2) verification was
uniformly-strong, and (3) browser publishers really tried to train
users, and (4) legitimate sites stopped using URL-shortening services
and multiple domains, and (5) we solved the Stripe POC issue (multiple
domains presented as owned by a company with a name similar to the
desired one, but actually registered to a different entity in a
different jurisdiction), *then* EV would significantly improve users'
safety. Maybe.
-R
[1] https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/
This article claims that the GRU successfully used the same trick on
(Former U.S. Secretary of State) Colin Powell and the Democratic
National Committee.
[2] https://casecurity.org/wp-content/uploads/2017/09/Incidence-of-Phishing-Among-DV-OV-and-EV-Websites-9-13-2017-short-ve....pdf
I do not think EV certificates are easy to get. The black market stories are
probably more about code signing certificates, I guess. And even if you would
find an EV SSL certificate on the black market, then it would be revoked as
soon as it is used, and that organization will never get an EV certificate
again. So the harm that black market certificates (if there are any at all...)
can do is very small!
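The thread repeatedly turns on whether a given site's certificate was DV, OV or EV (for instance, "I don't know whether the GRU site used an EV cert"). That question is answerable from the certificate itself: the CA/Browser Forum reserves a policy OID for each validation level (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV), and a CA asserts one of them in the certificatePolicies extension. The following is an added example, not code from anyone in this thread: a minimal DER reader that pulls the policy OIDs out of a certificatePolicies extension value and maps them to a validation level. The sample extension bytes are constructed inside the block with a small DER encoder, not taken from any real certificate, and the CA-specific OID 1.2.3.4.5.6 is a placeholder.

```python
# Classify a certificate's validation level (DV / OV / IV / EV) from the
# policy OIDs in its certificatePolicies extension (OID 2.5.29.32).
# The DER helpers here are deliberately minimal (short-form lengths when
# encoding, short- and long-form when decoding) and written for this example.

# CA/Browser Forum reserved certificate policy identifiers (real values)
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",    # Extended Validation
    "2.23.140.1.2.1": "DV",  # Domain Validated
    "2.23.140.1.2.2": "OV",  # Organization Validated
    "2.23.140.1.2.3": "IV",  # Individual Validated
}


def encode_oid(dotted):
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_sequence(*elements):
    """Wrap already-encoded elements in a DER SEQUENCE (tag 0x30)."""
    body = b"".join(elements)
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x30, len(body)]) + body


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    """
    tag, seq, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)     # one PolicyInformation
        assert tag == 0x30
        tag, oid_body, _ = read_tlv(info, 0)    # policyIdentifier is the first element
        assert tag == 0x06
        oids.append(decode_oid(oid_body))       # qualifiers, if any, are ignored
    return oids


def validation_level(ext_value):
    """Strongest CA/B Forum validation level asserted, or 'unknown' if none."""
    rank = {"DV": 1, "IV": 2, "OV": 2, "EV": 3}
    levels = [CABF_POLICY_OIDS[o] for o in policy_oids(ext_value) if o in CABF_POLICY_OIDS]
    return max(levels, key=rank.get) if levels else "unknown"


# Constructed sample extension values (not taken from any real certificate).
DV_EXT = der_sequence(der_sequence(encode_oid("2.23.140.1.2.1")))
EV_EXT = der_sequence(
    der_sequence(encode_oid("1.2.3.4.5.6")),    # placeholder CA-specific policy OID
    der_sequence(encode_oid("2.23.140.1.1")),   # CA/B Forum EV policy
)

if __name__ == "__main__":
    for name, ext in (("DV sample", DV_EXT), ("EV sample", EV_EXT)):
        print(name, policy_oids(ext), "->", validation_level(ext))
```

In practice the extension value would come from a real certificate (for example the bytes `openssl x509` exposes for the certificatePolicies extension); the classification then tells you, from the CA's own assertion, which validation level the phishing study's DV/OV/EV buckets were counting.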
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy