<div dir="ltr">It was in the follow-up message sent. Because it's same origin, it provides no technical security value at present.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 7, 2017 at 8:49 AM, Bruce Morton <span dir="ltr"><<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_6257542558148356088WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Ryan, thanks for the feedback.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Can you elaborate on how EV only has value with pinning?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Bruce.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>]
<br>
<b>Sent:</b> Thursday, April 6, 2017 10:09 PM<span class=""><br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
</span><b>Cc:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.<wbr>com</a>><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist<u></u><u></u></span></p><div><div class="h5">
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Thu, Apr 6, 2017 at 7:52 PM, Bruce Morton via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">What if the bank used EV and there was an error if there was no EV certificate?</span><span style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Could this be done by using something like an HSTS header which also stated EV-only? When the Subscriber
receives a DV certificate, but has stored a header for EV-only, then there would be a browser error.</span><u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">That exists already. It's called pinning. It's the only reason EV has any value, and doesn't need any UI.<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Sounds like a great argument for a bank to require identity and authorization, rather than just domain
control.</span><span style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Bruce.</span><span style="color:#1f497d"><u></u><u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>philliph--- via Public<br>
<b>Sent:</b> Thursday, April 6, 2017 1:46 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Cc:</b> <a href="mailto:philliph@comodo.com" target="_blank">philliph@comodo.com</a><br>
<b>Subject:</b> [EXTERNAL][cabfpub] Brazilian bank DNS heist</span><span style="color:#1f497d"><u></u><u></u></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Several folk have asked me to take a look at this:<span style="color:#1f497d"><u></u><u></u></span></p>
<div>
<p class="MsoNormal"><a href="http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549?_mc=NL_DR_EDT_DR_weekly_20170406&cid=NL_DR_EDT_DR_weekly_20170406&elqTrackId=ebd6c41927c24e3099907130009f169c&elq=4cc869335a354df394b4e640ef369950&elqaid=77725&elqat=1&elqCampaignId=26175" target="_blank">http://www.darkreading.com/<wbr>attacks-breaches/<wbr>cybercriminals-seized-control-<wbr>of-brazilian-bank-for-5-hours/<wbr>d/d-id/1328549?_mc=NL_DR_EDT_<wbr>DR_weekly_20170406&cid=NL_DR_<wbr>EDT_DR_weekly_20170406&<wbr>elqTrackId=<wbr>ebd6c41927c24e3099907130009f16<wbr>9c&elq=<wbr>4cc869335a354df394b4e640ef3699<wbr>50&elqaid=77725&elqat=1&<wbr>elqCampaignId=26175</a><span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">What happened here was that a hacker took over a banks DNS settings for 5 hours and performed an extended phishing attack. They then acquired certs for the domain while they had
control of it. So accepting that this is one incident, albeit one likely very typical of things to come, could CAA have helped?<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">As it stands, the answer is no because CAA is signaled through the DNS and so the attackers could control those as well. DNSSEC doesn’t help either and nor does CT as presently
specified. Pinning does solve this one specific problem but only on TOFU terms.<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">Some observations:<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">* Any solution is going to have to involve some form of forward acting statement ‘do this for the next X hours’.<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">* We now have two mechanisms that are viable as publication infrastructures - DNS and CT.<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">* The problems with pinning are real, very few companies can risk shutting themselves down for an extended period if they goof. The problem with pinning is that the time period
really does need to be fairly long if it is to be any use. I do not visit my bank every day. I probably don’t visit for a month at times.<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">* A weaker criteria such as ‘must get an EV cert’ or a much shorter time period than is needed for pinning (24 hours) is much more likely to be acceptable<span style="color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal">Ideas?<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>