Ben Bucksch wrote:
Gervase Markham wrote:
People who rent offices leave a paper trail - they have to show their face, leave deposits and bank details, people remember them. You can't do all of this anonymously from Russia any more.

That's true. But look at spam. Most spam originates in the US, and spammers keep normal businesses, yet the US completely fails to stop the problem. One or two lawsuits, that's it, no impact.

That analogy fails because while spam is only sort-of illegal, stealing thousands of dollars through fraud is extremely illegal. The authorities have a much greater motivation to put a stop to phishing.

But let me turn the question around: if "social engineering" means you can't trust what anyone says about anything, how do you establish anything to be true?

The government takes care of that, registering people when they are born, issuing passports and ID cards for them. And we can check the signatures against that.

That's the base of my argument, put shortly: Everything else is hearsay.

And this is why I am gently trying to suggest that not everywhere else in the world is like Germany. You are quite happy with "the government registers everybody when they are born"; in other countries, that doesn't happen as people see it as an infringement of civil liberties. Or, they just don't have the infrastructure.

What can I tell you to convince you that the problem is not as simple as you think it is? The CAB Forum does have a reasonable number of people working on the problem. Now, either they are all blithering idiots, or it's actually quite complicated to make this work worldwide. All I can do is say that, from my point of view, it's the latter rather than the former.

[cut]
The request is filed, and Joe intercepts the relevant mail. However, Foo CA rings BigCorp, talks to Fred Smith and finds he never signed the application, so it's rejected.

If you can intercept all mail, you can probably drag a phone call to you as well.

I don't think that follows; certainly not in my scenario. You'd need to bribe at least one, and possibly all the receptionists. This is starting to look expensive and complicated to set up just one phishing site.

I really think we are getting into the range where phishers would take one look at all this effort, and go rob an old lady instead.

Something like that. Basically, you need to make sure that the person who signed the application actually exists and did sign the application. I can't quite see how you object to that check :-) It doesn't help with the problems you are particularly concerned about, but it's not meant to.

This and the weak phone number verification are in the critical path to verify that the request is authorized; there's no signature (and check of it) necessary; that's the problem.

How would this check you speak of work?

The CA has a signature, claiming to be that of "Fred Bloggs". They want to confirm that Fred Bloggs works for the company and signed the paper. So they ring the company, ask for Fred Bloggs, and confirm he signed it.

Now you have argued that there's a weakness in the part where they find out the phone number (although I don't really see it; the CAs are using the mechanisms everyone else uses to find phone numbers). But if we leave that aside, how could that signature be any more verified?

Getting someone to drive out to Foo Corp in person, ring the bell, find Fred Bloggs, and ask him the question in person rather than over the phone doesn't seem to me to be any more secure.

I suspect CAs will be "unofficially" looking out for the same tricks immediately. They don't want to be landed with the liability.

They disclaim any liability!

Not any liability.

Unqualified scepticism without rationale

Well, I think history has shown us that scepticism beyond all common sense is necessary when it comes to big CAs.

I don't agree. Despite the fact that Duane and crew continually bring up Verisign's little accident from ten years ago, I really don't see this "obvious" pattern of terrible CA behaviour that people seem to think exists.

Or, if you want another example: Delivery of a delivery-confirmed letter. I'm sure that exists in the US. The postman wants your paper signature that you received the letter. He usually doesn't check the signature against any papers / ID cards, but the expensive part is the visiting. And it costs $5-10.

Yes, but sadly the USPS does not sell on their signature checking services.

It's not cheap to get site visits done.

Right. It may cost them $10. Or maybe even $20! Yikes!

No. It costs hundreds of dollars in Europe. I am not just making this up. Members of the CABF (who were in favour of site visits) did investigations, contacted companies and obtained estimates.

If the real name is all useless, what do you put in the cert and display to the user? The "trading as" name? (Sorry, haven't read the spec on that.)

I believe we are doing either:

Foo Boot and Shoe Corp dba. Clark's Shoes
(with dba standing for Doing Business As)
or
Clark's Shoes, xxx Foo Boot and Shoe Corp.
(with xxx standing for some abbreviation which means the reverse of dba).

I'm not quite sure where we are with this. But the point is that both are in there.

If so, how do you verify that it doesn't overlap with another company? Company names and trademarks, potentially world-wide?

Your UI needs also to display the country. (The IE UI does.)

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security