Thanks Ben, I’ve only had half a cup of coffee this am, so it’s possible I’m not yet awake :)
I have a question about reasons 2 and 3 as they’re closely related to the attack vector. According to Google, spear phishing attacks have a shelf life of 7 minutes while bulk campaigns have a shelf life of 13 hours. Even if we disbelieve this data and multiply the numbers by 10, we end up with the majority of the harm being done within a week. Also, if bad actors can automatically acquire a DV cert for any available domain they please, is there actual risk of bad actors waiting for a domain to expire so they can have a valid cert? And they can easily execute a man-in-the-middle attack using a new cert that has a shelf life of 3 months. All I’ve been working on for years is anti-phishing techniques, so I’m not seeing all of the benefits as some others see them, but perhaps I’m missing something. I’m talking about the human element of bad actors here, because at the end of the day, it’s all about them and what they will do with expired certs. If we were talking about EV I’d see every single benefit as described, but not for DV. When I look at our phishing data, the reasons provided for reducing the shelf life of DV outweigh the cost. There is a cost to website owners. I’d argue it’s an expensive exercise. CAs stand to generate more revenue by shortening the life of a cert, so I don’t know what their motives could be to fight against this change - aside from wanting to support their customers (website owners). There was no consensus in the CA/Browser Forum - CAs voted against this change. For those who think I love CAs, my company displaces the need for EV, so I’m certainly not fighting on their behalf. I just don’t see the benefits as browser vendors see them, and there is still no data that I can find, to help me better understand the fine details of points 2 and 3. I believe browser vendors have the right to enforce what they deem appropriate. I’m simply asking for more details given that you’re engaging with the community.
Thanks, Paul

> On Jul 9, 2020, at 8:46 AM, Ben Wilson via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> All,
> This is just to let everyone know that I posted a new Mozilla Security blog
> post this morning. Here is the link:
> https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
> As I note at the end of the blog post, we continue to seek safeguarding
> secure browsing by working with CAs as partners, to foster open and frank
> communication, and to be diligent in looking for ways to keep our users
> safe.
> Thanks,
> Ben
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
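The thread above is about the 398-day cap on TLS certificate lifetimes that the linked Mozilla post announces. As an added illustration (not part of the mailing-list thread, and not Mozilla's or any CA's code), the following standard-library Python computes a certificate's validity period from the `notBefore`/`notAfter` strings in the shape `ssl.SSLSocket.getpeercert()` returns, flags certificates that exceed the cap, and reports expiry against a reference time. The certificate dicts are constructed sample data; the assumption that the cap applies only to certificates issued on or after 1 September 2020 is a parameter (`CAP_EFFECTIVE`) rather than something this thread states.

```python
"""Added example: check TLS certificate validity windows against a
398-day lifetime cap.  Standard library only; sample certificates below
are constructed to look like ssl.SSLSocket.getpeercert() output."""
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398  # cap described in the linked Mozilla blog post
# Assumption (not from the thread): the cap applies to certificates whose
# notBefore is on or after this date; earlier certificates are grandfathered.
CAP_EFFECTIVE = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample certificates in getpeercert() format
# (the "Mon DD HH:MM:SS YYYY GMT" strings that ssl.cert_time_to_seconds parses).
SAMPLE_CERTS = {
    "two_year_after_cap": {
        "subject": ((("commonName", "example.test"),),),
        "notBefore": "Oct 10 00:00:00 2020 GMT",
        "notAfter": "Oct 10 00:00:00 2022 GMT",
    },
    "ninety_day_dv": {
        "subject": ((("commonName", "short.example.test"),),),
        "notBefore": "Oct 10 00:00:00 2020 GMT",
        "notAfter": "Jan 08 00:00:00 2021 GMT",
    },
    "two_year_before_cap": {
        "subject": ((("commonName", "legacy.example.test"),),),
        "notBefore": "Jan 10 00:00:00 2020 GMT",
        "notAfter": "Jan 10 00:00:00 2022 GMT",
    },
}


def _parse(cert_time):
    """Turn a getpeercert() time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def lifetime_days(cert):
    """Validity period (notAfter - notBefore) in days."""
    start, end = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    return (end - start).total_seconds() / 86400


def check_cert(cert, now):
    """Describe lifetime, remaining validity and cap compliance at time `now`.

    `now` must be a timezone-aware datetime; it is the reference time for
    the expired / days_left fields."""
    start, end = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    days = (end - start).total_seconds() / 86400
    subject_to_cap = start >= CAP_EFFECTIVE
    return {
        "lifetime_days": days,
        "subject_to_cap": subject_to_cap,
        "exceeds_cap": subject_to_cap and days > MAX_LIFETIME_DAYS,
        "expired": now >= end,
        "days_left": (end - now).total_seconds() / 86400,
    }


def audit(certs, now):
    """Run check_cert over a name->cert mapping; returns name->result."""
    return {name: check_cert(cert, now) for name, cert in certs.items()}


if __name__ == "__main__":
    reference = datetime(2021, 1, 15, tzinfo=timezone.utc)
    for name, result in audit(SAMPLE_CERTS, reference).items():
        print(f"{name}: {result}")
```

Running the block audits the three constructed certificates at a fixed reference date (15 January 2021): the two-year certificate issued after the cutoff is flagged as exceeding the cap, the 90-day one has already expired, and the two-year certificate issued in January 2020 is long-lived but not subject to the cap.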