Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Paul Walsh via dev-security-policy
Thanks Ben, I’ve only had half a cup of coffee this am, so it’s possible I’m not yet awake :) I have a question about reasons 2 and 3 as they’re closely related to the attack vector. According to Google, spear phishing attacks have a shelf life of 7 minutes while bulk campaigns have a shelf

Certificates possibly misissued to historical UK counties

2020-07-09 Thread David Shah via dev-security-policy
Hopefully I'm reporting this OK, it is my first issue that I idly noticed. Have a look at this search: https://censys.io/certificates?q=parsed.subject.province%3A+Surrey+and+parsed.subject.locality%3A+Richmond Richmond in the UK has not been part of Surrey from an administrative point of view

New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Ben Wilson via dev-security-policy
All, This is just to let everyone know that I posted a new Mozilla Security blog post this morning. Here is the link: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/ As I note at the end of the blog post, we continue to seek safeguarding secure browsing

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Paul Walsh via dev-security-policy
Good question. And I can see why you might ask that question. The community lead of PhishTank mistakenly said that submissions should only be made for URLs that are used to steal credentials. This helps to demonstrate a misconception. While this might have been ok in the past, it’s not today.

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Ben Wilson via dev-security-policy
Thanks, Paul, for your comments and concerns regarding our reasons 2 and 3, and the costs vs. benefits of going to a 398-day certificate lifetime. We'll keep those in mind as we move forward. In response, the security of our users is the primary concern for Mozilla. So while we recognize there

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Ryan Sleevi via dev-security-policy
On Thu, Jul 9, 2020 at 1:04 PM Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> According to Google, spear phishing

I didn't see phishing mentioned in Mozilla's post, which is unsurprising, since certificates have nothing to do with phishing. Did I overlook

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Paul Walsh via dev-security-policy
Ugh, some poor language/typos but I’m sure people can navigate them. Sorry about that.
> On Jul 9, 2020, at 10:04 AM, Paul Walsh wrote:
>
> Thanks Ben,
>
> I’ve only had half a cup of coffee this am, so it’s possible I’m not yet awake :)
>
> I have a question about reasons 2 and 3 as

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Ryan Sleevi via dev-security-policy
I’m not sure how that answered my question? Nothing about the post seems to be about phishing, which is not surprising, since certificates have nothing to do with phishing, but your response just talks more about phishing. It seems you may be misinterpreting “security risks” as “phishing“, since

Re: Certificates possibly misissued to historical UK counties

2020-07-09 Thread Nick Lamb via dev-security-policy
On Thu, 9 Jul 2020 00:33:35 -0700 (PDT) David Shah via dev-security-policy wrote: > Richmond in the UK has not been part of Surrey from an administrative > point of view since 1965. It is now part of Greater London. If a model of how places work requires that the UK be split into counties then

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Paul Walsh via dev-security-policy
Ryan, If you said “Mozilla is making this change and there’s nothing you can say or do to change that” I would accept those words, as I did with Ben’s response. But you engaged after Ben’s response, so I’d like to respond to your comments. Here’s some common ground… we both believe that there

Re: Certificates possibly misissued to historical UK counties

2020-07-09 Thread Paul Walsh via dev-security-policy
As someone who worked in Richmond and lived in Surrey while registering more than one UK company, I can testify to this. I’d only add that the post code is what’s most helpful when establishing a location.
> On Jul 9, 2020, at 5:24 PM, Nick Lamb via dev-security-policy wrote:
>
> On

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Ryan Sleevi via dev-security-policy
> Now that I have proven beyond a shadow of a doubt that we are talking about phishing, feel free to debate the merits of my points raised in my original email.

Thanks Paul. I think you're the only person I've encountered who refers to key compromise as phishing, but I don't think we'll

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-09 Thread Eric Mill via dev-security-policy
Just to depersonalize it a bit so it's not only Ryan responding - what Ryan is saying is correct. Mozilla's blog post uses the phrase "impersonating a website" to describe non-phishing attacks, such as performing active MITM attacks that modify or replace (or surveil) data in flight, or relying on