I’m not sure how that answered my question? Nothing about the post seems to
be about phishing, which is not surprising, since certificates have nothing
to do with phishing, but your response just talks more about phishing.

It seems you may be misinterpreting “security risks” as “phishing”, since
you state they’re interchangeable. Just like Firefox’s sandbox isn’t about
phishing, nor is the same-origin policy about phishing, nor is Rust’s
memory safety about phishing, it seems like certificate security is also
completely unrelated to phishing, and the “security risks” unrelated to
phishing.

On Thu, Jul 9, 2020 at 2:48 PM Paul Walsh <p...@metacert.com> wrote:

> Good question. And I can see why you might ask that question.
>

> The community lead of PhishTank mistakenly said that submissions should
> only be made for URLs that are used to steal credentials. This helps to
> demonstrate a misconception. While this might have been ok in the past,
> it’s not today.
>
> Phishing is a social engineering technique, used to trick consumers into
> trusting URLs / websites so they can do bad things - including but not
> limited to, man-in-the-middle attacks. Mozilla references this attack
> vector as one of the main reasons for wanting to reduce the life of a cert.
> They didn’t call it “phishing” but that’s precisely what it is.
>
> We can remove all of my references to “phishing” and replace it with
> “security risks” or “social engineering” if it makes this conversation a
> little easier.
>
> And, according to every single security company in the world that focuses
> on this problem, certificates are absolutely used by bad actors - if only
> to make sure they don’t see a “Not Secure” warning.
>
> I’m not talking about EV or identity related info here as it’s not
> related. I’m talking about the risk of a bad actor caring to use a cert
> that was issued to someone else when all they have to do is get a new one
> for free.
>
> I don’t see the risk that some people see. Hoping to be corrected because
> the alternative is that browsers are about to make life harder and more
> expensive for website owners with little to no upside - outside that of a
> researchers lab.
>
> Warmest regards,
> Paul
>
>
> On Jul 9, 2020, at 11:26 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>
>
> On Thu, Jul 9, 2020 at 1:04 PM Paul Walsh via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>
>> According to Google, spear phishing
>
>
> I didn't see phishing mentioned in Mozilla's post, which is unsurprising,
> since certificates have nothing to do with phishing. Did I overlook
> something saying it was about phishing?
>
> It seems reasonable to read it as it was written, which doesn't mention
> phishing, which isn't surprising, because certificates have never been able
> to address phishing.
>
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy