On 26/08/2019 21:49, Jonathan Rudenberg wrote:
> On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote:
>> <https://www.typewritten.net/writer/ev-phishing/> and
>> <https://stripe.ian.sh/> both took advantage of weaknesses in two
>> government registries to create actual dummy companies with misleading
>> names, then tried to get EV certs for those (with mixed success, as at
>> least some CAs rejected or revoked the certs despite the government
>> failures).
>
> There were no "weaknesses" or "government failures" here, everything was
> operating exactly as designed.
>

The weakness is that those two government registries don't prevent
conflicting or obviously bad registrations, not even by retroactively
aborting the process in a few business days. Even without the Internet
this constitutes an obvious avenue for frauds.

>
>> At least the first of those demonstrations involved a no
>> longer trusted CA (Symantec).
>
> This doesn't appear to be relevant. The process followed was compliant with
> the EVGLs, and Symantec was picked because they were one of the most popular
> CAs at the time.
>

Symantec was distrusted for sloppy operation. That document version (which
we have since been informed was not the final version) claimed that the
only other CA tried did in fact reject the cert application, indicating
that issuing may not have been following "best current practice" at the
time. The revised link posted tonight reverses this information.

>
>> Both demonstrations caused the
>> researchers' real name and identity to become part of the CA record,
>> which was hand-waved away by claiming that could have been avoided by
>> criminal means.
>
> It's not handwaving to make the assertion that a fraudster would be willing
> to commit fraud while committing fraud. Can you explain why you think this
> argument is flawed?
>

The EVG requires the CA to attempt to verify the personal identity
information. Stating without evidence that this verification is easily
defrauded is hand-waving it away.

>
>> Studies quoted by Tom Ritter on 24/08/2019:
>>
>>>
>>> "By dividing these users into three groups, our controlled study
>>> measured both the effect of extended validation certificates that
>>> appear only at legitimate sites and the effect of reading a help file
>>> about security features in Internet Explorer 7. Across all groups, we
>>> found that picture-in-picture attacks showing a fake browser window
>>> were as effective as the best other phishing technique, the homograph
>>> attack. Extended validation did not help users identify either
>>> attack."
>>>
>>> https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
>>>
>>
>> A 12 year old study involving an equally outdated browser.
>
> Can you explain why you believe the age of this study is disqualifying? What
> components of the study do you believe are no longer valid due to their age?
> Are you aware of subsequent studies showing different results?
>

IE7 may have had a bad UI since changed. 12 years ago, there had not been
any big outreach campaigns telling users to look for the green bar, nor a
10 year build-up of user expectation that it would be there for such sites.

>
>>> "Our results showed that the identity indicators used in the
>>> unmodified FF3 browser did not influence decision-making for the
>>> participants in our study in terms of user trust in a web site. These
>>> new identity indicators were ineffective because none of the
>>> participants even noticed their existence."
>>>
>>> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf
>>>
>>
>> An undated(!) study involving highly outdated browsers. No indication
>> this was ever in a peer-reviewed journal.
>
> This is a peer-reviewed paper that was published in the proceedings of
> ESORICS 2008: 13th European Symposium on Research in Computer Security,
> Málaga, Spain, October 6-8, 2008. Dates are actually (unfortunately) uncommon
> on CS papers unless the publication metadata/frontmatter is intact.
>

The link posted on Saturday did not in any way provide that publication
data; attempting to remove the "type=pdf" parameter from the link just
provided a 404, rather than the expected metadata page or link, which is
probably a failure of the citeseerx software. Once again, the study is
more than 10 years old, not reflecting the public consciousness after
years of outreach and user experience.

>
>>> DV is sufficient. Why pay for something you don't need?
>>>
>>
>> Unproven claim, especially by studies from before free DV without
>> traceable credit card payments became the norm.
>
> I don't follow your argument here. The evidence shows that DV is sufficient
> for phishing, as has been repeatedly explained on this thread.
>

Because no actual proof that DV versus EV makes no difference in the
current (not ancient or anecdotal) situation has been posted.

Back when DV certificates cost money, the mere act of paying for a DV
cert would leave a paper trail. It was a weak assurance, but an assurance
nonetheless. One would also presume that credit card payment reversal due
to card theft/fraud would cause the CA to revoke out of self interest.

Remember this entire thread is all about attempts to justify Firefox
actively changing the UI to remove information, not about Firefox
creating the EV UI. Thus the burden of proof is upon those seeking the
change.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

