Duane wrote:
Gervase Markham wrote:
fraudster needs to spend a disproportionate amount of time, money and
effort faking, spoofing or subverting all of the different data sources
used - such that they won't bother.
No, you hope they won't do it, but given enough incentive to move away
from non-https sites, and domain validated sites, there is enough people
caught by these scams to more then make it worth their while.
Let's say that the EV guidelines required the person purchasing the
certificate to travel, at their own expense, to a facility in downtown
Boise, Idaho. There, they would be photographed (naked) from front and
back, fingerprinted, DNA-sampled and have their passport number taken.
All this information would then be made public as part of the certificate.
If that were the case, I suggest that no fraudster would ever attempt to
get an EV certificate. However, we probably wouldn't sell all that many
of them either.
Hence, we have to try and find a sweet spot where the amount of
validation required is do-able for a sensible price, and is not too
inconvenient for a genuine applicant, and yet is disproportionately hard
to spoof for a fraudster. Things like site visits are particularly hard
to spoof, and yet easy for a genuine company to submit to.
You are asserting, without proof, that no such sweet spot exists. I am
suggesting that the current EV guidelines are round about the right
place. I invite your comments as to why that might not be the case. You
might, for example, postulate a scenario where a fraudster could fake
out all of the required steps for a cost of, say, under $20,000, without
revealing very much information about himself. If you can do that, we
would certainly look at the loopholes you've found and try to close them
by strengthening the checks.
You also indicated law enforcement agencies would hunt down and capture
these perpetrators, which is another false assumption as most of the
world has bigger problems then catching people stealing money from
westerners.
Possibly so; but no system can make it safe to do business with a
website in a country which does not prosecute criminals. The only
solution is not to do business with sites based in that country. Hence
the country indicator.
Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
