On Fri, Dec 15, 2017 at 02:40:30PM -0800, Matthew Hardeman via
dev-security-policy wrote:
> On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote:
> > Yes, we can say correlated variables are correlated.
> > No, we cannot imply or infer from correlated variables that there is a
> >
On Fri, Dec 15, 2017 at 10:30:41PM +, Tim Shirley via dev-security-policy
wrote:
> I’m saying “can” be spoofed is different than “is” being spoofed.
How do you know your bank's EV UI element has never been spoofed? Have you,
every single time you've made an HTTPS request to your bank's
On Friday, December 15, 2017 at 5:39:37 PM UTC-6, Ryan Sleevi wrote:
> That is not what is required. There is no special enrollment dance - that
> is simply straight up misrepresenting it. Your vision is not aligned with
> the reality of it.
I've never been to a banking website where there
On Fri, Dec 15, 2017 at 5:38 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
>
> > It also perpetuates the myopic and flawed view as a phishing mitigation,
> > whose reliance is upon
On 15/12/17 16:02, Ryan Hurst wrote:
> So I have read this thread in its entirety now and I think it makes sense for
> it to reset to first principles, specifically:
>
> What are the technological and business goals trying to be achieved,
> What are the requirements derived from those goals,
>
On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote:
> Yes, we can say correlated variables are correlated.
> No, we cannot imply or infer from correlated variables that there is a
> causal relationship.
>
There exists a not insignificant school of actuarial thought that there
On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> It also perpetuates the myopic and flawed view as a phishing mitigation,
> whose reliance is upon users checking it (again, user hostile), and
> misleading both users and site operators into EV as a phishing mitigation,
> when
I agree. Just like "could" repel tigers is different than "does" repel
tigers.
On Fri, Dec 15, 2017 at 5:30 PM, Tim Shirley wrote:
> I’m saying “can” be spoofed is different than “is” being spoofed.
>
>
>
> *From: *Ryan Sleevi
> *Reply-To:
I’m saying “can” be spoofed is different than “is” being spoofed.
From: Ryan Sleevi
Reply-To: "r...@sleevi.com"
Date: Friday, December 15, 2017 at 5:23 PM
To: Tim Shirley
Cc: "r...@sleevi.com" , Matthew Hardeman
Absolutely.. The lack of EV when I expect it doesn’t automatically mean to me
that something is bad. It just puts me on high alert that something *might* be
wrong. And I have never logged into a bank website from a mobile device, but
my motivations for that go far beyond EV. (
On 12/15/17,
If the signal can be spoofed, it does not actually help keep you safe.
On Fri, Dec 15, 2017 at 5:21 PM, Tim Shirley wrote:
> Yeah we’re definitely talking past each other. I’m not claiming the extra
> signal CAN’T be spoofed, nor am I claiming that EV prevents phishing
Yeah we’re definitely talking past each other. I’m not claiming the extra
signal CAN’T be spoofed, nor am I claiming that EV prevents phishing or that
the UI is providing me a guarantee. I’m saying it’s giving me a signal to pay
closer attention, and I’m describing a scenario where that
On Fri, Dec 15, 2017 at 5:05 PM, Jan Schaumann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hello,
>
> I'm seeking clarification on the meaning of the CAA records:
>
> RFC6844 notes that the 'issue' property entry "authorizes the holder of
> the domain name *or a
On Friday, December 15, 2017 at 7:10:11 AM UTC-8, Quirin Scheitle wrote:
> Dear all,
>
> some colleagues and I want to share an academic study on CAA we have been
> working on in the past months.
> We hope that our findings can provide quantitative data to assist further
> discussion, such as
Hello,
I'm seeking clarification on the meaning of the CAA records:
RFC6844 notes that the 'issue' property entry "authorizes the holder of
the domain name *or a party acting under the
explicit authority of the holder of that domain name* to issue
certificates for the domain in which the
On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley wrote:
> I don’t see how you can argue that the EV “seatbelt” breaks 100% of the
> time. I know my bank uses an EV cert. Any time I come across a site
> claiming to be my bank but lacking an EV cert, and my browser shows me
On Friday, December 15, 2017 at 1:34:30 PM UTC-8, Matthew Hardeman wrote:
> On Friday, December 15, 2017 at 3:21:54 PM UTC-6, Ryan Hurst wrote:
>
> > Unfortunately, the PKCS#12 format, as supported by UAs and Operating
> > Systems is not a great candidate for the role of carrying keys anymore.
On Fri, Dec 15, 2017 at 4:26 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote:
>
> > Respectfully, this is the tiger-repelling rock. We can't show that any
> > tigers attacked,
On Friday, December 15, 2017 at 3:21:54 PM UTC-6, Ryan Hurst wrote:
> Unfortunately, the PKCS#12 format, as supported by UAs and Operating Systems
> is not a great candidate for the role of carrying keys anymore. You can see
> my blog post on this topic here: http://unmitigatedrisk.com/?p=543
On Tuesday, December 12, 2017 at 1:08:24 PM UTC-8, Jakob Bohm wrote:
> On 12/12/2017 21:39, Wayne Thayer wrote:
> > On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> On 12/12/2017 19:39, Wayne Thayer wrote:
> >>
> >>>
On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote:
> Respectfully, this is the tiger-repelling rock. We can't show that any
> tigers attacked, therefore, we should keep telling users they need
> tiger-repelling rocks. And oh, by the way, they take away attention from
> solutions
On Tuesday, December 12, 2017 at 11:31:18 AM UTC-8, Tim Hollebeek wrote:
> > A policy allowing CAs to generate key pairs should also include provisions
> > for:
> > - The CA must generate the key in accordance with technical best practices
> > - While in possession of the private key, the CA must
On Friday, December 15, 2017 at 1:50:38 PM UTC-6, Ryan Sleevi wrote:
> I'm not sure I made those statements, but would be happy to clarify the
> confusion. Indeed, as I tried to call out, there are a subset of users who
> are looking at it and relying on it - although it cannot be relied upon -
>
On Fri, Dec 15, 2017 at 2:34 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote:
>
> > James’ research has showed the ease at which it is possible to use the UI
> > afforded EV to
(reposting as I originally accidentally sent to Tom Ritter only)
Both are great questions.
My short answers on those are
#1 - yes, but as a courtesy with the implication being that those who don't
take the time or trouble might catch a sideways glare if a certificate
issuance is later
Dear all,
some colleagues and I want to share an academic study on CAA we have been
working on in the past months.
We hope that our findings can provide quantitative data to assist further
discussion, such as the “CAA-simplification” draft at IETF and work at the
validation-wg at CABF.
We
This is an extremely good point. I wonder:
1. If Mozilla should ask/require CAs to perform this check.
2. If Mozilla should ask/require CAs to invest in the capability to
make this check for future requests in the future (where we would
require responses within a certain time period.)
-tom
On
On Fri, Dec 15, 2017 at 2:34 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 15/12/2017 02:30, Ryan Sleevi wrote:
> > Some participants have pointed out correlation is not causation - that
> you
> > can’t infer that never being attacked by a tiger while
On Fri, Dec 15, 2017 at 08:34:37AM +0100, Jakob Bohm via dev-security-policy
wrote:
> YOU in particularly have kept insisting that it is a "myth" that
> phishing sites don't use EV certificates, yet keep pointing to articles
> about non-EV failures.
As the Wikipedians say, "Citation Needed". I
On Thu, 14 Dec 2017 16:33:29 -0800 (PST)
Matthew Hardeman via dev-security-policy
wrote:
> That attack was by hacking the target's domain registrar account.
> Others have done that as well, including against a Brazilian bank.
>
> The right attacker would
On 15/12/17 00:18, Matthew Hardeman via dev-security-policy wrote:
On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote:
Route hijacking your way to what would appear as a proper domain validation is
practical for even a modestly resourceful adversary. I suspect that
31 matches
Mail list logo