On Mon, Aug 26, 2019, at 20:44, Jakob Bohm via dev-security-policy wrote:
> On 26/08/2019 21:49, Jonathan Rudenberg wrote:
> > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote:
> >> <https://www.typewritten.net/writer/ev-phishing/> and
> >> <https://stripe.ian.sh/> both took advantage of weaknesses in two
> >> government registries to create actual dummy companies with misleading
> >> names, then tried to get EV certs for those (with mixed success, as at
> >> least some CAs rejected or revoked the certs despite the government
> >> failures).
> > 
> > There were no "weaknesses" or "government failures" here, everything was 
> > operating exactly as designed.
> > 
> 
> The weakness is that those two government registries don't prevent 
> conflicting or obviously bad registrations, not even by retroactively 
> aborting the process in a few business days.
> 
> Even without the Internet this constitutes an obvious avenue for frauds.

There was no conflict. In the US, each state has unique laws around 
incorporation of entities. There is certainly no requirement that you can't 
have a corporate entity with the same name in two different states. There was 
nothing "conflicting" or "obviously bad" about Ian's corporation.

> >> At least the first of those demonstrations involved a no
> >> longer trusted CA (Symantec).
> > 
> > This doesn't appear to be relevant. The process followed was compliant with 
> > the EVGLs, and Symantec was picked because they were one of the most 
> > popular CAs at the time.
> > 
> 
> Symantec was distrusted for sloppy operation, that document version 
> (which we have since been informed was not the final version) claimed 
> that the only other CA tried did in fact reject the cert application, 
> indicating that issuing may not have been following "best current 
> practice" at the time.  The revised link posted tonight reverses this 
> information.

The original decision not to issue an EV certificate by Comodo was arbitrary 
and not based on any documented practices or guidelines. Additionally, as James 
mentioned and you can see here, Comodo issued the certificate: 
https://crt.sh/?id=438718367

> > 
> >> Both demonstrations caused the
> >> researchers' real name and identity to become part of the CA record,
> >> which was hand-waved away by claiming that could have been avoided by
> >> criminal means.
> > 
> > It's not handwaving to make the assertion that a fraudster would be willing 
> > to commit fraud while committing fraud. Can you explain why you think this 
> > argument is flawed?
> > 
> 
> The EVG requires the CA to attempt to verify the personal identity 
> information.  Stating without evidence that this verification is easily 
> defrauded is hand-waving it away.

This is incorrect; Private Organization subjects (EVG 8.5.2) do not require any 
individual identity verification. Additionally, assuming that "personal 
identity information" can be validated without the opportunity for fraud has no 
basis in reality.

> >> Studies quoted by Tom Ritter on 24/08/2019:
> >>
> >>>
> >>> "By dividing these users into three groups, our controlled study
> >>> measured both the effect of extended validation certificates that
> >>> appear only at legitimate sites and the effect of reading a help file
> >>> about security features in Internet Explorer 7. Across all groups, we
> >>> found that picture-in-picture attacks showing a fake browser window
> >>> were as effective as the best other phishing technique, the homograph
> >>> attack. Extended validation did not help users identify either
> >>> attack."
> >>>
> >>> https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
> >>>
> >>
> >> A 12-year-old study involving an equally outdated browser.
> > 
> > Can you explain why you believe the age of this study is disqualifying? What 
> > components of the study do you believe are no longer valid due to their 
> > age? Are you aware of subsequent studies showing different results?
> > 
> 
> IE7 may have had a bad UI since changed.  12 years ago, there had not 
> been any big outreach campaigns telling users to look for the green bar, 
> nor a 10 year build up of user expectation that it would be there for 
> such sites.
>

Can you provide some references to these "big outreach campaigns" and 
documentation of the "build up of user expectation"?

> >>> "Our results showed that the identity indicators used in the
> >>> unmodified FF3 browser did not influence decision-making for the
> >>> participants in our study in terms of user trust in a web site. These
> >>> new identity indicators were ineffective because none of the
> >>> participants even noticed their existence."
> >>>
> >>> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf
> >>>
> >>
> >> An undated(!) study involving highly outdated browsers.  No indication
> >> this was ever in a peer reviewed journal.
> > 
> > This is a peer-reviewed paper that was published in the proceedings of 
> > ESORICS 2008: 13th European Symposium on Research in Computer Security, 
> > Málaga, Spain, October 6-8, 2008. Dates are actually (unfortunately) 
> > uncommon on CS papers unless the publication metadata/frontmatter is intact.
> > 
> 
> The link posted on Saturday did not in any way provide that publication 
> data, attempting to remove the "type=pdf" parameter from the link just 
> provided a 404, rather than the expected metadata page or link, which is 
> probably a failure of the citeseerx software.
> 
> Once again, the study is more than 10 years old, not reflecting the 
> public consciousness after years of outreach and user experience.

What evidence do you have of this "public consciousness"? As referenced 
previously paypal.com does not have any EV UI in the most popular browser/OS 
after years of having EV treatment and I haven't seen any evidence of this 
being noticed outside the security community. All of the evidence (including 
peer-reviewed scientific studies) points to users completely ignoring/being 
unaware of EV UI. I'd be very interested to see your evidence to the contrary.

> >>> DV is sufficient. Why pay for something you don't need?
> >>>
> >>
> >> Unproven claim, especially by studies from before free DV without
> >> traceable credit card payments became the norm.
> > 
> > I don't follow your argument here. The evidence shows that DV is sufficient 
> > for phishing, as has been repeatedly explained on this thread.
> > 
> 
> Because no actual proof that DV versus EV makes no difference in the 
> current (not ancient or anecdotal) situation has been posted.
> 
> Back when DV certificates cost money, the mere act of paying for a DV 
> cert would leave a paper trail.  It was a weak assurance, but an 
> assurance nonetheless.  One would also presume that credit card payment 
> reversal due to card theft/fraud would cause the CA to revoke out of 
> self interest.
> 
> Remember this entire thread is all about attempts to justify Firefox 
> actively changing the UI to remove information, not about Firefox 
> creating the EV UI.  Thus the burden of proof is upon those seeking 
> the change.

What are you arguing here? Why does it matter that DV had a paper trail?

There's no burden of proof required for Firefox to remove this UI, but all of 
the reliable evidence supports their decision.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy