Ugh, some poor language/typos but I’m sure people can navigate them. Sorry about that.
> On Jul 9, 2020, at 10:04 AM, Paul Walsh <p...@metacert.com> wrote:
>
> Thanks Ben,
>
> I’ve only had half a cup of coffee this am, so it’s possible I’m not yet awake :)
>
> I have a question about reasons 2 and 3 as they’re closely related to the attack vector.
>
> According to Google, spear phishing attacks have a shelf life of 7 minutes while bulk campaigns have a shelf life of 13 hours. Even if we disbelieve this data and multiply the numbers by 10, we end up with the majority of the harm being done within a week.
>
> Also, if bad actors can automatically acquire a DV cert for any available domain they please, is there actual risk of bad actors waiting for a domain to expire so they can have a valid cert? And they can easily execute a man-in-the-middle attack using a new cert that has a shelf life of 3 months.
>
> All I’ve been working on for years is anti-phishing techniques, so I’m not seeing all of the benefits as some others see them, but perhaps I’m missing something.
>
> I’m talking about the human element of bad actors here, because at the end of the day, it’s all about them and what they will do with expired certs.
>
> If we were talking about EV I’d see every single benefit as described, but not for DV. When I look at our phishing data, the reasons provided for reducing the shelf life of DV outweigh the cost.
>
> There is a cost to website owners. I’d argue it’s an expensive exercise. CAs stand to generate more revenue by shortening the life of a cert, so I don’t know what their motives could be to fight against this change - aside from wanting to support their customers (website owners). There was no consensus in the CA/Browser Forum - CAs voted against this change.
>
> For those who think I love CAs, my company displaces the need for EV, so I’m certainly not fighting on their behalf. I just don’t see the benefits as browser vendors see them, and there is still no data that I can find to help me better understand the fine details of points 2 and 3.
>
> I believe browser vendors have the right to enforce what they deem appropriate. I’m simply asking for more details given that you’re engaging with the community.
>
> Thanks,
> Paul
>
>> On Jul 9, 2020, at 8:46 AM, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>
>> All,
>> This is just to let everyone know that I posted a new Mozilla Security blog post this morning. Here is the link:
>> https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
>>
>> As I note at the end of the blog post, we continue to seek safeguarding secure browsing by working with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to keep our users safe.
>> Thanks,
>> Ben
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy