PUP: Browsers should make & implement a phase-out plan for commercial CAs. Now that clueful ppl all get free automated certs, the CA market is just scams targeting the uninformed.
-
-
For $100 or so you can incorporate a same-name entity in a different jurisdiction and get an EV cert that looks like it belongs to a well-known company.
-
Could do much better than the current DV but not like that. DV is as good as it gets right now. DV is terrible because the weak link *isn't even unauthenticated DNS*, it permits all kinds of verification schemes including insecure email to a list of addresses considered admins.
-
CAA does move it closer to being sane by requiring that CAs check a DNS record to see if they're allowed to issue a certificate, but it's still unauthenticated and it seems like it doesn't even need to be respected if they receive authorization to ignore it... (not 100% clear)
-
Can at least opt-out of a bunch of insecure authentication mechanisms via using CAA to limit issuance to Let's Encrypt but it does nothing to reduce *trust* in all those other essentially useless CAs... :\
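The CAA lockdown described above, as an added example that is not part of the thread: a small evaluator of RFC 8659 CAA semantics over a constructed zone (the names `CAA`, `ZONE` and `may_issue` are made up here), showing that an `issue` record naming letsencrypt.org plus an `issuewild ";"` record permits Let's Encrypt for ordinary names and no CA at all for wildcards.

```python
# Evaluate whether an issuer may issue for a name under the CAA rules of RFC 8659.
# Added example with a constructed zone; not code from the thread or from any CA.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain such as "letsencrypt.org", or ";" meaning "nobody"


# Constructed zone: CAA published only at the apex, as most deployments do.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first CAA RRset found is the one that applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    # A value looks like "issuer-domain[; param=val ...]"; only the domain part is compared.
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca, zone, wildcard=False):
    """True if issuer domain `ca` may issue for `name` (a wildcard cert if wildcard=True)."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # a critical property the CA does not understand forbids issuance
    props = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not props:
        props = [r for r in rrset if r.tag == "issue"]  # issuewild absent: issue applies
    if not props:
        return True  # no issue/issuewild property: unrestricted
    return any(issuer_domain(p.value) == ca.lower() for p in props)
```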
-
We're using HPKP to limit trust to Let's Encrypt intermediates, their root, and the IdenTrust root cross-signing them + 5 of our backup pins... which is nice, but Chromium is removing HPKP and no longer accepting applications for static pins so... that's the end of that.
-
But doesn't the need to find a jurisdiction where you can register yourself as Google reduce the number of fake Googles *in* *practice*? PS, I bet in most countries, registering a business named Google is TM infringement and suable.
-
If you're doing organized crime phishing passwords, you really don't care if you're infringing TM, and you're probably not. See how easy it is: https://stripe.ian.sh/
-
Wouldn't it make it possible to get a court order to close the website, minimizing the time the attack can occur? I also imagine that for a well known international name (e.g., Google, not stripe), most registrars would refuse to register another Google inc, making attack >$$$