On 27/08/2019 08:03, Peter Gutmann wrote:
> Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> 
> writes:
> 
>> <https://www.typewritten.net/writer/ev-phishing/> and
>> <https://stripe.ian.sh/> both took advantage of weaknesses in two
>> government registries
> 
> They weren't "weaknesses in government registries", they were registries
> working as designed, and as intended.  The fact that they don't work in
> they way EV wishes they did is a flaw in EV, not a problem with the
> registries.
> 

"Working as designed" doesn't mean "working as it should".

The confusion that could be created online by getting EV certificates 
matching those company registrations was almost the same as that which 
could be created in the offline world by the registrations directly.


>> Both demonstrations caused the researchers' real name and identity to become
>> part of the CA record, which was hand waved away by claiming that could
>> have been avoided by criminal means.
> 
> It wasn't "wished away", it's avoided without too much trouble by criminals,
> see my earlier screenshot of just one of numerous black-market sites where
> you can buy fraudulent EV certs from registered companies.  Again, EV may
> wish this wasn't the case, but that's not how the real world works.
> 

The screenshots you showed were for code signing EV certificates, not 
TLS EV certificates.  They seem related to a report a few years ago that 
spurred work to check the veracity of those screenshots and create 
appropriate countermeasures.

>> 12 years old study involving an equally outdated browser.
> 
> So you've published a more recent peer-reviewed academic study that
> refutes the earlier work?  Could you send us the reference?
> 

These two studies are outdated because they study the effects in a 
different overall situation (they were both made when the TLS EV concept 
had not yet been globally deployed).  They are thus based on entirely 
different facts (measured and unmeasured) than the situation in 2019.

Very early in this thread someone quoted from a very recent study 
published at USENIX, comparing the prevalence of malicious sites with 
different types of certificates.  The only response was platitudes, 
such as emphasizing a small number being nonzero.

Someone is trying very hard to create a fait accompli without going 
through proper debate and voting in relevant organizations such as 
the CAB/F.  So when challenged they play very dirty, using every 
rhetorical trick they can find to overpower criticism of the action.



Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy