Can you share what the working group has been brainstorming on?

Near as I can tell, this is a validly issued EV cert, for a valid KY
company. If "Stripe, Inc of Kentucky" were in a distinct industry from this
Stripe there wouldn't even be a trademark claim (I'm not a lawyer, etc.).

Lest anyone think "well, they should be able to tell if this was being used
maliciously", there's no reason a clever attacker couldn't make a fake
landing page for their fake Stripe, Inc, while sending phishing emails that
point to various other URLs, which show unrelated phishing contents.

Alex

On Mon, Dec 11, 2017 at 2:14 PM, Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

>
> It turns out that the CA/Browser Validation working group is currently
> looking into how to address these issues, in order to tighten up validation
> in these cases.  We discussed it a bit last Thursday, and will be continuing
> the discussion on the 21st.
>
> If anyone has any good ideas, we'd be more than happy to hear them.
>
> -Tim
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+tim.hollebeek=digicert.com@lists.mozilla.org]
> On Behalf Of Ryan Sleevi via dev-security-policy
> Sent: Monday, December 11, 2017 12:01 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: On the value of EV
>
> Recently, researchers have been looking into the value proposition of EV
> certificates, and more importantly, how easy it is to obtain certificates
> that may confuse or mislead users - a purpose that EV is supposedly intended
> to avoid.
>
> James Burton was able to obtain a certificate for "Identity Verified", as
> described in https://0.me.uk/ev-phishing/ , which is a fully valid and legal EV
> certificate, but which can otherwise confuse users.
>
> Today, Ian Carroll disclosed how easy he was able to get a certificate for
> "Stripe, Inc", registered within the US, and being granted the full EV
> treatment as the 'legitimate' stripe.com. He's written up the explanation
> at https://stripe.ian.sh/
>
> I suppose this is both a question for policy and for Mozilla - given the
> ability to provide accurate-but-misleading information in EV certificates,
> and the effect it has on the URL bar (the lone trusted space for security
> information), has any consideration been given to removing or deprecating EV
> certificates?
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>