[cryptography] Paypal phish using EV certificate

2013-08-13 Thread Peter Gutmann
I recently got another of the standard phishing emails for Paypal, directing me to https://email-edg.paypal.com, which redirects to https://view.paypal-communication.com, which has a PayPal EV certificate from Verisign. According to this post http://www.onelogin.com/a-paypal-phishing-attack/

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Jeffrey Walton
On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann wrote: > I recently got another of the standard phishing emails for Paypal, directing > me to https://email-edg.paypal.com, which redirects to > https://view.paypal-communication.com, which has a PayPal EV certificate from > Verisign. According to

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread wasa bee
Given the images seen on the links, both certs are signed by the same entity (I cannot see the pubKey ID but issuer names match), yet have the same serial number 3014267. Isn't the (serial number + issuer pub key identifier) supposed to be unique and identify a cert uniquely? Is it common practice

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Erwann Abalea
The serial number you find in the subject of an EV certificate is the registration number of the company (Paypal Inc, in Delaware). There's absolutely no problem in having different certificates with this repeating serial number (in the subject), as long as they are delivered to the right company.

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Peter Gutmann
Erwann Abalea writes: >Looks like paypal-communication.com is a legit domain owned by "Paypal, Inc". Even though, according to the second article I referenced, Paypal said it was a phishing site and said they'd take it down? Peter.

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Tom Ritter
On 13 August 2013 07:00, Peter Gutmann wrote: > Erwann Abalea writes: > >>Looks like paypal-communication.com is a legit domain owned by "Paypal, Inc". > > Even though, according to the second article I referenced, Paypal said it was > a phishing site and said they'd take it down? When sites hav

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Natanael
That's trademarks, not copyright, and they get it transferred IF they request it and the original owner did not have a valid reason to use that domain with the trademarked name/phrase. And either way, reusing previously malicious domains for legit purposes is probably THE WORST method ever of accid

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread John Levine
In article you write: >I recently got another of the standard phishing emails for Paypal, directing >me to https://email-edg.paypal.com, which redirects to >https://view.paypal-communication.com, which has a PayPal EV certificate from >Verisign. According to this post >http://www.onelogin.c

[cryptography] Certificate Transparency Hack Day

2013-08-13 Thread Ben Laurie
The Certificate Transparency hack day will take place at Google’s London offices on Wednesday, the 28th of August, 2013. Please sign up on this form by August 22nd, to let us know you plan to attend

[cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Zooko Wilcox-OHearn
Dear people of the cryptography@randombit.net mailing list: For obvious reasons, the time has come to push hard on *verifiable* end-to-end encryption. Here's our first attempt. We intend to bring more! We welcome criticism, suggestions, and requests. Regards, Zooko Wilcox-O'Hearn Founder, CEO,

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread Andy Steingruebl
On Tue, Aug 13, 2013 at 6:25 AM, John Levine wrote: > In article you write: > >I recently got another of the standard phishing emails for Paypal, > directing > >me to https://email-edg.paypal.com, which redirects to > >https://view.paypal-communication.com, which has a PayPal EV certificate >

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread Ben Lincoln (F70C92E3)
On Tue, August 13, 2013 6:25 am, John Levine wrote: > I agree that it was not a great idea for Paypal to invent > paypal-communication.com rather than a subdomain of one of their > existing well-known domains such as communication.paypal.com. Using a different second-level domain is generally a s

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread Andy Steingruebl
On Tue, Aug 13, 2013 at 9:25 AM, Ben Lincoln (F70C92E3) < f70c9...@beneaththewaves.net> wrote: > > Unfortunately, it does look somewhat suspicious from a phishing > perspective, especially if a link to a paypal.com subdomain redirects to > it, which (to an end user) looks a lot like what happens w

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread ianG
Super! I think a commercial operator is an essential step forward. Q: do you have some sense of how long the accesses take? E.g., I'm at the end of a long ping, will I expect the actions to take ms, s, or ks? iang On 13/08/13 18:56 PM, Zooko Wilcox-OHearn wrote: Dear people of the cryptog

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Peter Saint-Andre
On 8/13/13 11:02 AM, ianG wrote: > Super! I think a commercial operator is an essential step forward. How so? Centralization via commercial operators doesn't seem to have helped in the email space lately. Peter -- Peter Saint-Andre https://stpeter.im/

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Zooko Wilcox-OHearn
On Tue, Aug 13, 2013 at 5:16 PM, Peter Saint-Andre wrote: > On 8/13/13 11:02 AM, ianG wrote: >> Super! I think a commercial operator is an essential step forward. > > How so? Centralization via commercial operators doesn't seem to have helped > in the email space lately. It helps because we at

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread ianG
On 13/08/13 20:16 PM, Peter Saint-Andre wrote: On 8/13/13 11:02 AM, ianG wrote: Super! I think a commercial operator is an essential step forward. How so? Centralization via commercial operators doesn't seem to have helped in the email space lately. Centralisation works when the server doe

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Nicolai
On Tue, Aug 13, 2013 at 11:16:58AM -0600, Peter Saint-Andre wrote: > On 8/13/13 11:02 AM, ianG wrote: > > Super! I think a commercial operator is an essential step forward. > > How so? Centralization via commercial operators doesn't seem to have > helped in the email space lately. Previously: Mo

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Peter Saint-Andre
On 8/13/13 12:53 PM, ianG wrote: > On 13/08/13 20:16 PM, Peter Saint-Andre wrote: >> On 8/13/13 11:02 AM, ianG wrote: >>> Super! I think a commercial operator is an essential step forward. >> >> How so? Centralization via commercial operators doesn't seem to have >> helped in the email space latel

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Nico Williams
On Tue, Aug 13, 2013 at 12:02 PM, ianG wrote: > Super! I think a commercial operator is an essential step forward. A few points: - if only you access your own files then there's much less interest for a government in your files: they might contain evidence of crimes and conspiracies, but you c

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread or perelman
Hi Guys, if you love crypto-currency, I would be glad if you check out our new startup at http://bitblu.com. I would love feedback of any kind. Thanks a lot! On Tue, Aug 13, 2013 at 7:40 PM, Andy Steingruebl wrote: > On Tue, Aug 13, 2013 at 9:25 AM, Ben Lincoln (F70C92E3) < > f70c9...@bene

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Nico Williams
On Tue, Aug 13, 2013 at 2:09 PM, Peter Saint-Andre wrote: > Although presumably there would be value in shutting down a > privacy-protecting service just so that people can't benefit from it any > longer. When the assumption is that everything must be public, any > service that keeps some informat

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread Richard Guy Briggs
On Tue, Aug 13, 2013 at 01:09:15PM -0600, Peter Saint-Andre wrote: > On 8/13/13 12:53 PM, ianG wrote: > > On 13/08/13 20:16 PM, Peter Saint-Andre wrote: > >> On 8/13/13 11:02 AM, ianG wrote: > >>> Super! I think a commercial operator is an essential step forward. > >> > >> How so? Centralization v

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread James A. Donald
On 2013-08-14 2:25 AM, Ben Lincoln (F70C92E3) wrote: On Tue, August 13, 2013 6:25 am, John Levine wrote: I agree that it was not a great idea for Paypal to invent paypal-communication.com rather than a subdomain of one of their existing well-known domains such as communication.paypal.com. Usin

Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-13 Thread James A. Donald
On 2013-08-14 6:10 AM, Nico Williams wrote: - it's really not easy to defeat the PRISMs. the problem is *political* more than technological. For a human to read all communications would be an impossible burden. Instead, apply the following algorithm. Identify people of interest. Read com

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread James Cloos
> "PG" == Peter Gutmann writes: PG> Even though, according to the second article I referenced, Paypal said it was PG> a phishing site and said they'd take it down? It looks like paypal acquired it around the date of that article, and registered it with Markmonitor: Domain Name: PAYPAL-CO

Re: [cryptography] not a Paypal phish using EV certificate

2013-08-13 Thread Seth David Schoen
James A. Donald writes: > Although websites often use huge numbers of huge cookies, one can > easily optimize one's cookie use. I can see no reason why anyone > would ever need more than a single 96 bit cookie that is a random > number. They might want to make the content and purpose of the cook