On Tue, May 24, 2016 at 10:25 AM, <tech29...@gmail.com> wrote:
> Here's my question -- what do Google and Microsoft do with such reports? Do
> they investigate and then put a site on the "bad" list, eg, for injecting
> malware? If not, then no one will stop the malware site. If yes -- what
> criteria does Google (and Microsoft, etc.) use to put the site on your bad
> list?

https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx
https://www.google.com/transparencyreport/safebrowsing/faq/?hl=en#how-do-you-determine-that-a-site-is-unsafe

> It seems the problem of "what is malware, what is phishing, what is abuse"
> must be decided by someone. My opinion is that CAs at least have to try (set
> up a meaningful process, and respond to complaints by following the process,
> and in some cases revoking), and not just defer all action to browsers.

Unsurprisingly, I disagree. We're debating whether the ability to have
encryption - which provides an incredibly valuable service against network
level attackers - should be coupled with trust.

Coupling certificates to this can do greater HARM than good - imagine a
download site that provides general purpose file hosting from users, and one
user happens to upload malware. If you revoke that certificate, you introduce
active harm to all the good files being downloaded.

Further, the distinction between "Why is it different from browsers" is the
ability for the end user to have choice. The end user can't change the site's
certificate.

> And does Safe Browsing have a method by which a site can appeal and get off
> the list?

While I'm sure your curiosity is real, it remains unclear how or why that
relates. The information can also be obtained independently, so perhaps you
could clarify how/why it relates to this topic? Otherwise, I might suggest you
read the above links.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy