<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yes,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This is a problem; in our environment we audit for these issues in subcas; we are automating those audits with investments around CT at this time.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Just because a CA is technically constrained doesn’t mean the CA no longer has responsibility for keeping an eye on their practices.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As for the homograph examples, in our new platform in particular we fraud analytics which considers many things including problems in this space.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We will be applying those same checks to our auditing regime we apply to constrained CAs via automation mentioned above.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ryan</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Tuesday, September 10, 2013 12:58 PM<br><b>To:</b> Eddy Nigg (StartCom Ltd.)<br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] [cabfman] Deceptive SSL cert issued for fake Chase domain</span></p>
<p class="MsoNormal"> </p><div><p class="MsoNormal">Eddy,</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">I'm not sure whether CAs either can really be effective here in mitigating this, at least in the scope of subdomains. I think this is especially true when considering Mozilla's policy to allow technically constrained sub-CAs to issue certificates that are not audited to the BRs.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">If I were to obtain a technically constrained sub-CA for <a href="http://mydomain.com">mydomain.com</a>, in which the CA fully vetted that ownership for <a href="http://mydomain.com">mydomain.com</a>, then I would be able to issue certificates for <a href="http://anydomain.com.mydomain.com">anydomain.com.mydomain.com</a>. That is, a technically constrained sub-CA behaves like a multi-level wildcard certificate.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Likewise, given a wildcard certificate for *.<a href="http://mydomain.com">mydomain.com</a>, I could create any degree of spoofables for <a href="http://anydomaincom.mydomain.com">anydomaincom.mydomain.com</a>. I suspect (but I'm not intimately familiar with) the possibility of Punycoding some degree there. I know this has been a point that Brad Hill has raised in the past.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">I think when it comes to anti-phishing, this is something that may be better handled by the UAs, at least with respect to subdomains. You can already see this in UAs that highlight things like the "effective TLD+1" in their address bar, scrolling in particular to that location (eg: see Chrome on mobile platforms). That's not to say it's a perfect solution, by far, but it's a much more scalable solution that recognizes where the strengths and weaknesses are - and I think having CAs try to validate subdomains on the eTLD+1 is realistically a weakness that won't be solved effectively.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">I think we still need to have the BRs concerned about spoofables at the eTLD+1 level, and still need to be concerned about high-risk requests, but when it comes to subdomains, I don't lose much sleep on this matter, at least when it comes to certificate issuance.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Put differently, I do not think the lock icon can be reasonably be considered an anti-phishing mitigation. It merely is an indication of the connection/encryption to the domain in question.</p>
</div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> </p><div><p class="MsoNormal">On Tue, Sep 10, 2013 at 12:39 PM, Eddy Nigg (StartCom Ltd.) <<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>> wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal"><br>On 09/10/2013 08:13 PM, From Jeremy Rowley: </p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div><p class="MsoNormal" style><span style="color:#1f497d">I know we’ve performed similar (non-malicious) experiments with DV certs to see how easy it would be to phish a banking domain. It’s pretty easy. I think this is a good launching point to discuss how we can improve the BRs in a manner that prevents these types of phishing attacks.</span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p></div></blockquote><p class="MsoNormal"> </p><div><p class="MsoNormal" style="margin-bottom:12.0pt">In this respect I have a hot topic I'm supposed to check with the CAB Forum, this comes convenient....<br>
<br>From time to time we get requests for certificates that contain possible domains within the host name, for example:<br><br><i><a href="http://domain.com.dom.net" target="_blank">domain.com.dom.net</a></i><br><br>Now we have made an effort to disallow this practice as much as possible recently because it could be easily abused:<br>
<br><i><a href="http://paypal.com.dom.net" target="_blank">paypal.com.dom.net</a></i><br><br>Or to make it more obvious:<br><br><i><a href="https://www.paypal.com.some.net/us/cgi-bin/webscr?cmd=_flow&SESSION=KKIncv649JDbg" target="_blank">https://www.paypal.com.some.net/us/cgi-bin/webscr?cmd=_flow&SESSION=KKIncv649JDbg</a></i><br>
<br>As it happens, some CAs issue such potentially confusing certificates and we ourselves get every while requests for them. In particular also from companies that provide or want proxy services and in order to mask the names as much as possible it looks something like this (this is from a real request):<br>
<br>*.<a href="http://sharepoint.com.some.com" target="_blank">sharepoint.com.some.com</a> *.<a href="http://microsoftonline.com.some.com" target="_blank">microsoftonline.com.some.com</a><br>*.<a href="http://outlook.com.shamir.adallom.com" target="_blank">outlook.com.shamir.adallom.com</a> *.<a href="http://office365.com.some.com" target="_blank">office365.com.some.com</a><br>
<br>Which again could easily confuse a relying party which might or might not know about the MITM going on. <br><br>I would like to know what the stance of the membership here is on this topic, in particular software vendors. And if there is room to clarify this via regulation by the BR. Otherwise there is probably no point in punishing our clients when others or they can get it easily elsewhere.<br>
<br></p><div><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0"><tr><td colspan="2" style="padding:0in 0in 0in 0in"><p class="MsoNormal">Regards </p></td></tr><tr><td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> </p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Signer: </p></td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Eddy Nigg, COO/CTO</p></td></tr><tr><td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> </p></td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">
XMPP: </p></td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><a href="mailto:startcom@startcom.org">startcom@startcom.org</a></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Blog: </p>
</td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Twitter: </p>
</td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"><a href="http://twitter.com/eddy_nigg" target="_blank">Follow Me</a></p></td></tr><tr><td colspan="2" style="padding:0in 0in 0in 0in"><p class="MsoNormal"> </p>
</td></tr></table></div><p class="MsoNormal" style="margin-bottom:12.0pt"> </p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a></p></blockquote></div><p class="MsoNormal"> </p></div></div></body></html>