<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Thanks for the additional information, James. In the end, the EV Guidelines did exactly what they were designed to do – they provided a way for the public to
find you (as the company owner) if you used your EV certificate and domain to do something wrong. And again, if someone goes to all this effort and lies in any part of the process, they are subject to potential criminal liability from the UK government –
not a trivial matter for the ordinary hacker. Even if you use a Registered Agent’s address as the registered address for your company, you will leave fingerprints…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">In contrast, a DV certificate for your same domain would leave no ability to find you if you use the certificate for evil purposes… And can be obtained quickly,
anonymously, and for free. That’s a big difference. And a DV phisher can be very successful using a cert for a domain it owns like
<i><u>login.paypal.com.phishingsite.com</u></i> – by now, I think there are over 20,000 such DV certs for fake phishing PayPal login pages, all anonymous.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Recent studies show that OV and EV websites are much less likely to be used for phishing than DV sites, and so are much safer for users – see attached pdf. This
study will be updated with additional data soon. If you are interested in other information about the value of website identity on the internet, there are resources here:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><a href="https://casecurity.org/identity/website-identity-documents/">https://casecurity.org/identity/website-identity-documents/</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif"> Public [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>James Burton via Public<br>
<b>Sent:</b> Tuesday, November 28, 2017 8:49 AM<br>
<b>To:</b> Gervase Markham &lt;gerv@mozilla.org&gt;; CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">This company was incorporated as a limited company by guarantee with exemption from using the word limited at the end. This type of company differs from a normal share company and
cannot be incorporated through the official Companies House site. You can learn more here:
<a href="https://www.rapidformations.co.uk/blog/exemption-from-using-the-word-limited-in-a-company-name/">
https://www.rapidformations.co.uk/blog/exemption-from-using-the-word-limited-in-a-company-name/</a>.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">To incorporate a limited company by guarantee with a limited exemption in the UK, you'll need the following information:</span><o:p></o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
Director's address, nationality, date of birth and three pieces of identifiable information (see attached info.png).<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
Company address<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
Special type of articles of association<o:p></o:p></li></ul>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">First, an attacker needs to get hold of someone's address, date of birth, three pieces of identifiable information and the person's nationality. This can be completed through social
media profiles, previous phishing attacks and from the so-called "Dark web" for a few pounds. Second, an attacker needs a company address which could be the same as the director's address or a service address. These service addresses can be bought online for less
than £30. Finally, the special type of articles of association can be bought when incorporating the limited company by guarantee from a 3rd party. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">When I incorporated "Identity Verified", I never went through any ID checks from the 3rd party. Companies House probably does check the information but I've never been asked to provide
a passport photo, etc. The three pieces of identifiable information, DOB, and name are enough to identify the director and the Royal Mail database is enough to identify the addresses of both the director and company.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">Overall, the amount of work required to get the company incorporated is massive but it's achievable.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">Kirk, just to clarify that I didn't do this experiment to gain fame or pull off some amazing coup (in your own words). I did this experiment because I got an idea and wanted to see
if it worked. When writing this article I never thought that this article would become so successful and gain upwards of 2000+ views but it did. If you look at the dates of the incorporation and certificate issue, you can see that this article wasn't written up
straight after the experiment. I wrote this article on the 13th September 2017 which was over a month later. The article took me about an hour or two to complete and was checked for spelling and grammar by a fellow mathmo. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">Also, you're right that no one now can re-incorporate the company "Identity Verified" in the UK. Eventually, I will dissolve this company in the near future and then it will become
available to incorporate again. I'm not sure if this company will be incorporated again because I might have been lucky that day. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">Anyway, I wouldn't dismiss this article out of hand as it does contain some interesting points.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Arial',sans-serif;color:black">James</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Nov 28, 2017 at 1:54 PM, Gervase Markham via Public &lt;<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>&gt; wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">On 27/11/17 19:52, Jeremy Rowley wrote:<br>
> Basically, Symantec verified the organization using the UK companies<br>
> house, which qualifies as a QGIS. Because it's a QGIS, the data<br>
> source can be used to validate most of the requirements under the EV<br>
> Guidelines, including address and legal existence. The phone number<br>
> was verified using QIIS and a call to the number, answered, of<br>
> course, by the applicant. The result is James ended up forming a real<br>
> company with fake address information.<br>
<br>
As I read his blog post, he formed it with real address information, but<br>
his assertion is that it would have been just as easy to form it with<br>
fake address information, as the address information is not validated by<br>
Companies House in any way.<br>
<br>
James: is that correct?<br>
<br>
(BTW, as others have said, I'm not convinced that either rejecting<br>
"suspicious" names, or requiring a landline, is the way forward here.)<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
Gerv<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>