Re: On the value of EV

On Fri, Dec 15, 2017 at 02:40:30PM -0800, Matthew Hardeman via dev-security-policy wrote: > On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote: > > Yes, we can say correlated variables are correlated. > > No, we cannot imply or infer from correlated variables that there is a > >

Re: On the value of EV

On Fri, Dec 15, 2017 at 10:30:41PM +, Tim Shirley via dev-security-policy wrote: > I’m saying “can” be spoofed is different than “is” being spoofed. How do you know your bank's EV UI element has never been spoofed? Have you, every single time you've made an HTTPS request to your bank's

Re: On the value of EV

On Friday, December 15, 2017 at 5:39:37 PM UTC-6, Ryan Sleevi wrote: > That is not what is required. There is no special enrollment dance - that > is simply straight up misrepresenting it. Your vision is not aligned with > the reality of it. I've never been to a banking website where there

Re: On the value of EV

On Fri, Dec 15, 2017 at 5:38 PM Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > > > It also perpetuates the myopic and flawed view as a phishing mitigation, > > whose reliance is upon

Re: CA generated keys

On 15/12/17 16:02, Ryan Hurst wrote: > So I have read this thread in its entirety now and I think it makes sense for > it to reset to first principles, specifically: > > What are the technological and business goals trying to be achieved, > What are the requirements derived from those goals, >

Re: On the value of EV

On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote: > Yes, we can say correlated variables are correlated. > No, we cannot imply or infer from correlated variables that there is a > causal relationship. > There exists a not insignificant school of actuarial thought that there

Re: On the value of EV

On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > It also perpetuates the myopic and flawed view as a phishing mitigation, > whose reliance is upon users checking it (again, user hostile), and > misleading both users and site operators into EV as a phishing mitigation, > when

Re: On the value of EV

I agree. Just like "could" repel tigers is different than "does" repel tigers. On Fri, Dec 15, 2017 at 5:30 PM, Tim Shirley wrote: > I’m saying “can” be spoofed is different than “is” being spoofed. > > > > *From: *Ryan Sleevi > *Reply-To:

Re: On the value of EV

I’m saying “can” be spoofed is different than “is” being spoofed. From: Ryan Sleevi Reply-To: "r...@sleevi.com" Date: Friday, December 15, 2017 at 5:23 PM To: Tim Shirley Cc: "r...@sleevi.com" , Matthew Hardeman

Re: On the value of EV

Absolutely.. The lack of EV when I expect it doesn’t automatically mean to me that something is bad. It just puts me on high alert that something *might* be wrong. And I have never logged into a bank website from a mobile device, but my motivations for that go far beyond EV. ( On 12/15/17,

Re: On the value of EV

If the signal can be spoofed, it does not actually help keep you safe. On Fri, Dec 15, 2017 at 5:21 PM, Tim Shirley wrote: > Yeah we’re definitely talking past each other. I’m not claiming the extra > signal CAN’T be spoofed, nor am I claiming that EV prevents phishing

Re: On the value of EV

Yeah we’re definitely talking past each other. I’m not claiming the extra signal CAN’T be spoofed, nor am I claiming that EV prevents phishing or that the UI is providing me a guarantee. I’m saying it’s giving me a signal to pay closer attention, and I’m describing a scenario where that

Re: CAA records checked against immediate issuer or root?

On Fri, Dec 15, 2017 at 5:05 PM, Jan Schaumann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello, > > I'm seeking clarification on the meaning of the CAA records: > > RFC6844 notes that the 'issue' property entry "authorizes the holder of > the domain name *or a

Re: Dashboard and Study on CAA Adoption

On Friday, December 15, 2017 at 7:10:11 AM UTC-8, Quirin Scheitle wrote: > Dear all, > > some colleagues and I want to share an academic study on CAA we have been > working on in the past months. > We hope that our findings can provide quantitative data to assist further > discussion, such as

CAA records checked against immediate issuer or root?

Hello, I'm seeking clarification on the meaning of the CAA records: RFC6844 notes that the 'issue' property entry "authorizes the holder of the domain name *or a party acting under the explicit authority of the holder of that domain name* to issue certificates for the domain in which the

Re: On the value of EV

On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley wrote: > I don’t see how you can argue that the EV “seatbelt” breaks 100% of the > time. I know my bank uses an EV cert. Any time I come across a site > claiming to be my bank but lacking an EV cert, and my browser shows me

Re: CA generated keys

On Friday, December 15, 2017 at 1:34:30 PM UTC-8, Matthew Hardeman wrote: > On Friday, December 15, 2017 at 3:21:54 PM UTC-6, Ryan Hurst wrote: > > > Unfortunately, the PKCS#12 format, as supported by UAs and Operating > > Systems is not a great candidate for the role of carrying keys anymore.

Re: On the value of EV

On Fri, Dec 15, 2017 at 4:26 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote: > > > Respectfully, this is the tiger-repelling rock. We can't show that any > > tigers attacked,

Re: CA generated keys

On Friday, December 15, 2017 at 3:21:54 PM UTC-6, Ryan Hurst wrote: > Unfortunately, the PKCS#12 format, as supported by UAs and Operating Systems > is not a great candidate for the role of carrying keys anymore. You can see > my blog post on this topic here: http://unmitigatedrisk.com/?p=543

Re: CA generated keys

On Tuesday, December 12, 2017 at 1:08:24 PM UTC-8, Jakob Bohm wrote: > On 12/12/2017 21:39, Wayne Thayer wrote: > > On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> On 12/12/2017 19:39, Wayne Thayer wrote: > >> > >>>

Re: On the value of EV

On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote: > Respectfully, this is the tiger-repelling rock. We can't show that any > tigers attacked, therefore, we should keep telling users they need > tiger-repelling rocks. And oh, by the way, they take away attention from > solutions

Re: CA generated keys

On Tuesday, December 12, 2017 at 11:31:18 AM UTC-8, Tim Hollebeek wrote: > > A policy allowing CAs to generate key pairs should also include provisions > > for: > > - The CA must generate the key in accordance with technical best practices > > - While in possession of the private key, the CA must

Re: On the value of EV

On Friday, December 15, 2017 at 1:50:38 PM UTC-6, Ryan Sleevi wrote: > I'm not sure I made those statements, but would be happy to clarify the > confusion. Indeed, as I tried to call out, there are a subset of users who > are looking at it and relying on it - although it cannot be relied upon - >

Re: On the value of EV

On Fri, Dec 15, 2017 at 2:34 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote: > > > James’ research has showed the ease at which it is possible to use the UI > > afforded EV to

Re: Investigating validations & issuances - The high value IP space BGP Hijacks on 2017-12-12

(reposting as I originally accidentally sent to Tom Ritter only) Both are great questions. My short answers on those are #1 - yes, but as a courtesy with the implication being that those who don't take the time or trouble might catch a sideways glare if a certificate issuance is later

Dashboard and Study on CAA Adoption

Dear all, some colleagues and I want to share an academic study on CAA we have been working on in the past months. We hope that our findings can provide quantitative data to assist further discussion, such as the “CAA-simplification” draft at IETF and work at the validation-wg at CABF. We

Re: Investigating validations & issuances - The high value IP space BGP Hijacks on 2017-12-12

This is an extremely good point. I wonder: 1. If Mozilla should ask/require CAs to perform this check. 2. If Mozilla should ask/require CAs to invest in the capability to make this check for future requests in the future (where we would require responses within a certain time period.) -tom On

Re: On the value of EV

On Fri, Dec 15, 2017 at 2:34 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 15/12/2017 02:30, Ryan Sleevi wrote: > > Some participants have pointed out correlation is not causation - that > you > > can’t infer that never being attacked by a tiger while

Re: On the value of EV

On Fri, Dec 15, 2017 at 08:34:37AM +0100, Jakob Bohm via dev-security-policy wrote: > YOU in particularly have kept insisting that it is a "myth" that > phishing sites don't use EV certificates, yet keep pointing to articles > about non-EV failures. As the Wikipedians say, "Citation Needed". I

Re: On the value of EV

On Thu, 14 Dec 2017 16:33:29 -0800 (PST) Matthew Hardeman via dev-security-policy wrote: > That attack was by hacking the target's domain registrar account. > Others have done that as well, including against a Brazilian bank. > > The right attacker would

Fox-IT hack (was Re: On the value of EV)

On 15/12/17 00:18, Matthew Hardeman via dev-security-policy wrote: On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote: Route hijacking your way to what would appear as a proper domain validation is practical for even a modestly resourceful adversary. I suspect that