On 8/13/2020 1:08 PM, Kurt Roeckx via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy wrote:
I'd argue that domain registrars, CAs, and hosting services _should_ have an
obligation to deny services to obvious phishing domains. [1] (This is
independent of what (if any) obligations they might currently have.)
Phishing continues to be epidemic. It is not enough that some user agents
attempt to prevent users from following suspected phishing links.

How this obligation should be implemented is an involved question that I'm
not prepared to address. The first step, though, is establishing the
principle that registrars, CAs, and hosting services are not mere pipe
utilities with no obligations to prevent obvious malefactors from injecting
sewage into them.

-R

[1] No, electric utilities, etc., should not also be obligated to deny them
electricity, etc. This would require an impractical (and privacy-invading)
level of investigation. An electric-utility customer does not submit a list
of domain(s) to the electric utility to obtain service. A phisher _does_
submit such a list to its registrar, CA, and host.
It's possible that the host does not know anything related to
the DNS name, for instance because it rents virtual machines and
assigns them an IP address. The registrar might be hosting the
DNS.

This is a good point, as far as it goes. Requirements need to be practical, and should avoid invading privacy. Registrars (and CAs) are in excellent positions to impede the use of phishing domains, since they hand them out (registrars) or issue certificates for them (CAs). As you point out, VPS hosts would have a more difficult time discerning whether a given phishing domain is resolving to a VM on their servers. On the other hand, most hosts maintain their own DNS, so they practically can (and should) weed out known phishing domains, or at least ones that their DNS indicates that they also host.

-R


You could also argue that the TLDs should be responsible for it.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy