Re: [TLS] HTTPS Phishing sites

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 26 May 2017 19:20 UTC

Date: Fri, 26 May 2017 22:20:04 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Sankalp Bagaria <sankalp.nitt@gmail.com>
Cc: tls@ietf.org, Balaji Rajendran <balajirajendran@gmail.com>, sankalp <sankalp@cdac.in>
Message-ID: <20170526192004.GA16526@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAPZZOTgfu9K3umjuCb=4DeRWOEKGvOJ4xBAeefudpdE=NJo9sQ@mail.gmail.com>
In-Reply-To: <CAPZZOTgfu9K3umjuCb=4DeRWOEKGvOJ4xBAeefudpdE=NJo9sQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/417_jd9eAp4-Xk6FvI36C26-Dco>
Subject: Re: [TLS] HTTPS Phishing sites
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Fri, May 26, 2017 at 10:46:05AM +0530, Sankalp Bagaria wrote:
> 
> http://securityaffairs.co/wordpress/59238/cyber-crime/https-phishing-sites.html
> claims that phishing websites using HTTPS are increasing in number. If malicious
> sites can get certificates, it defeats the purpose of TLS. In my opinion,
> tougher measures are required to prevent malicious sites getting legitimate
> certificates. What can we do about it?

As EKR said, this isn't within scope of TLS Working Group. And I don't
think it is even in the scope of the entire IETF as a whole (considering
the scope of work IETF does).

My opinion is that the problem isn't malicious sites getting security
certificates (so what if paypal.com.foobar.za gets a certificate saying
it is paypal.com.foobar.za? That is a completely true claim). The issue
is the completely screwed up handling of security indications in
browsers. That is certainly not the sort of work the IETF is doing.


Judging by a reasonable interpretation of browser indications:

- Unencrypted http:// is safe (apart from passwords/CC numbers).
- DV certificates are extra trustworthy.

Neither of these interpretations is correct. But both are still
in my opinion reasonable.


TLS with DV certificates is not above expected security, it is the
closest to expected security, so it in my opinion should get the
neutral indicators (so no lock). And http:// certainly is much below
expected, so it should get negative indications. EV is above expected,
so it could get positive indications.


-Ilari