On Wed, May 25, 2016 at 01:09:53AM -0700, Ryan Sleevi wrote:
> On Tue, May 24, 2016 at 10:25 AM,  <tech29...@gmail.com> wrote:
> > Here's my question -- what do Google and Microsoft do with such reports?  
> > Do they investigate and then put a site on the "bad" list, eg, for 
> > injecting malware?  If not, then no one will stop the malware site.  If yes 
> > -- what criteria does Google (and Microsoft, etc.) use to put the site on 
> > your bad list?
> 
> https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx
> https://www.google.com/transparencyreport/safebrowsing/faq/?hl=en#how-do-you-determine-that-a-site-is-unsafe
> 
> > It seems the problem of "what is malware, what is phishing, what is abuse" 
> > must be decided by someone.  My opinion is that CAs at least have to try 
> > (set up a meaningful process, and respond to complaints by following the 
> > process, and in some cases revoking), and not just defer all action to 
> > browsers.
> 
> Unsurprisingly, I disagree. We're debating whether the ability to have
> encryption - which provides an incredibly valuable service against
> network level attackers - should be coupled with trust.

imho it is debatable whether https-everywhere is worth any tradeoffs 
in CA requirements. If any criminal can easily get EV certificates what
is the point of https?

> .... Coupling
> certificates to this can do greater HARM than good - imagine a
> download site that provides general purpose file hosting from users,
> and one user happens to upload malware. If you revoke that
> certificate, you introduce active harm to all the good files being
> downloaded.

How is any harm done here - with or without a certificate you have not 
the slightest assurance that any of the files is "good"?

However, when visiting my home-banking site I indeed want the assurance
that the site owning the EV certificate takes full responsibility
for all content.

> Further, the distinction between "Why is it different from browsers"
> is the ability for the end user to have choice. The end user can't
> change the site's certificate.

You can choose to accept any certificate of any site if you think
you want to trust the site whether or not it has been issued by a CA. 
One of my banks did deliberately provide a self-signed certificate
(without any CA validation) and asked customers to verify the certificate 
by comparing the fingerprint with a hardcopy sent by surface mail.

Richard

-- 
Name and OpenPGP keys available from pgp key servers

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
