Good question. And I can see why you might ask that question. The community lead of PhishTank mistakenly said that submissions should only be made for URLs that are used to steal' credentials. This helps to demonstrate a misconception. While this might have been ok in the past, it’s not today.
Phishing is a social engineering technique, used to trick consumers into trusting URLs / websites so they can do bad things - including but not limited to, man-in-the-middle attacks. Mozilla references this attack vector as one of the main reasons for wanting to reduce the life of a cert. They didn’t call it “phishing” but that’s precisely what it is. We can remove all of my references to “phishing” and replace it with “security risks” or “social engineering” if it makes this conversation a little easier. And, according to every single security company in the world that focuses on this problem, certificates are absolutely used by bad actors - if only to make sure they don’t see a “Not Secure” warning. I’m not talking about EV or identity related info here as it’s not related. I’m talking about the risk of a bad actor caring to use a cert that was issued to someone else when all they have to do is get a new one for free. I don’t see the risk that some people see. Hoping to be corrected because the alternative is that browsers are about to make life harder and more expensive for website owners with little to no upside - outside that of a researchers lab. Warmest regards, Paul > On Jul 9, 2020, at 11:26 AM, Ryan Sleevi <r...@sleevi.com> wrote: > > > > On Thu, Jul 9, 2020 at 1:04 PM Paul Walsh via dev-security-policy > <dev-security-policy@lists.mozilla.org > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > > According to Google, spear phishing > > I didn't see phishing mentioned in Mozilla's post, which is unsurprising, > since certificates have nothing to do with phishing. Did I overlook something > saying it was about phishing? > > It seems reasonable to read it as it was written, which doesn't mention > phishing, which isn't surprising, because certificates have never been able > to address phishing. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
