[cabfpub] [cabfman] Improving the security of EV Certificates
Adam Langley
agl at google.com
Thu Dec 19 11:14:29 MST 2013
On Thu, Dec 19, 2013 at 12:57 PM, kirk_hall at trendmicro.com
<kirk_hall at trendmicro.com> wrote:
> Among other things, I think there will be lots of new business plans that will constantly scan and scrape all the CT logs in the world and then send out spammy emails saying "Your domain's issued certificates have changed! You might be the target of fraud! Get a free checkup here" like all the spammy "Your credit report has changed!" emails, and I imagine a fair number of those folks may get surprised or alarmed and open the messages. Some enterprising folks may even include a link in these messages that say "If this is not your cert, or for more information, click here" and include a URL to the issuing CA's help/support desk (where certs complaints are supposed to go).
>
> Or some new companies might say "Pay us $29 per year and we will guard your domains against new certs" and automatically submit queries to any CA that issues a new cert.
>
> Like you, I am only brainstorming, but I'm sure entrepreneurs will try to productize the great, easy to copy CT logs and make a new business from the data, so I would expect a number of pointless inquiries based on this new data source. If CT is that good, maybe this is an (additional) burden that CAs should be willing to take up.
The CT logs are already public and filled with information from
crawling so, if this is going to happen, it should already be
underway. But it would seem that spammers directing users to the CA
would be contrary to the aim of making money.
Cheers
AGL
More information about the Public
mailing list