Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-24 Thread Jernej Simončič via dev-security-policy
On Fri, 23 Aug 2019 15:53:21 -0700 (PDT), Daniel Marschall wrote:

> Can you prove that your assumption "very few phishing sites use EV (only)
> because DV is sufficient" is correct? I do think the truth is "very few
> phishing sites use EV, because EV is hard to get".

Before browsers started showing dire warnings on non-secure pages,
basically no phishing site bothered with SSL at all, since their target
audience simply didn't notice anything wrong.

-- 
begin  .sig
< Jernej Simončič ><>◊<>< jernej|s-ng at eternallybored.org >
end
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Useful Heuristics

2017-01-31 Thread Jernej Simončič
On Tue, 31 Jan 2017 09:27:30 -0800, Peter Bowen wrote:

> Does this imply that addresses in the Czech Republic do not use a
> state or province?

I don't know about Czech Republic, but they definitely don't in Slovenia,
and it's always annoying when forms force you to put something there (and
then reject - or --).



Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jernej Simončič
On Sat, 22 Oct 2016 16:26:51 +0200, Jakob Bohm wrote:

> Thus the need for those who obtained OV code
> signing certificates from StartCom to start looking for alternatives,
> and my suggestion, as a public service, that someone here might chime
> in with the names of small/individual developer friendly issuers of
> code signing certificates.

I'm currently using a Comodo-issued codesigning certificate for my
projects. While the reseller I bought it from (http://www.ksoftware.net/)
discouraged me from getting the certificate issued to me as an individual
(due to supposedly complicated checks required), the process wasn't really
that hard - it involved getting a notary-validated signature of Comodo's
document and notary-validated copies of a bank statement of mine and a
phone bill (while the requirements say you can use other utility bills, you
should use a phone bill if you don't have your phone number published in a
directory, since they use it for validation). It took about a week from
applying for the certificate to getting it issued.

When I was buying the certificate, I found a 25% discount code on some 3rd
party website.



Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-08 Thread Jernej Simončič
On Wed, 7 Sep 2016 03:55:02 -0700 (PDT), Nick Lamb wrote:

> If you DIY, the rate limits obviously aren't a problem, and lots of DIY 
> devices have Let's Encrypt issued certificates today. Home "routers" built 
> out of a Raspberry Pi or a Mini PC are fairly popular with hobbyists. So rate 
> limits (which exist for a perfectly sensible reason) are the only reason you 
> can't buy a device that does this off the shelf.

Wouldn't Let's Encrypt's 3-month certificate validity time also pose a
problem for such devices? I'm pretty sure I've bought routers that sat in
some warehouse far longer than 3 months in the past.



Re: SSL Certs for Malicious Websites

2016-05-17 Thread Jernej Simončič
On Tue, 17 May 2016 12:51:53 +0200, Hubert Kario wrote:

> problem is, that this is a slippery slope. What's malware for one person 
> is a research subject for another. What's inflammatory or misleading 
> information for one person is parody and joke material to other. What's 
> illegal in one jurisdiction is completely legal and normal or at least 
> socially acceptable behaviour in another.

I've had problems in the past because files that I host consistently
trigger antivirus warnings, despite being harmless (examples: GIMP
installer for Windows, debug data for GIMP and wget, netcat for Windows).
Luckily, the worst that came from it were some e-mail exchanges and a
lengthy phone call with my ISP, but I know of people who lost their hosting
thanks to having files that were similarly triggering false antivirus
alerts.



Re: Proposal: Switch generic icon to negative feedback for non-https sites

2014-07-23 Thread Jernej Simončič
On Tue, 22 Jul 2014 12:24:30 -0700, Brian Smith wrote:

> Having said all of that, I remember that Mozilla did some user
> research ~3 years ago that showed that when we show a negative
> security indicator like the broken lock icon, a significant percentage
> of users interpreted the problem to lie in the browser, not in the
> website--i.e. the security problem is Firefox's fault, not their
> favorite website. It would be important to do research to confirm or
> (hopefully) refute this finding.

How about showing a red border around the webpage, possibly with a banner
at the top (but inside the page area)?
