[cabfpub] Brazilian bank DNS heist

Ryan Sleevi sleevi at google.com
Thu Apr 6 19:48:35 UTC 2017


Reposting for Richard.

On Thu, Apr 6, 2017 at 3:44 PM, Richard Moore <rich at kde.org> wrote:

> I'm including Ryan since he's said before he's willing to forward things
> to the CAB list. Comments inline.
>
> On 6 April 2017 at 18:46, philliph--- via Public <public at cabforum.org>
> wrote:
>
>> Some observations:
>>
>> * Any solution is going to have to involve some form of forward acting
>> statement ‘do this for the next X hours’.
>>
>>
> Yes
>
>
>
>> * We now have two mechanisms that are viable as publication
>> infrastructures - DNS and CT
>>
>
> Since accessing the CT logs involves DNS, we have approximately one but
> two formats to represent the data.
>
>
>
>> * The problems with pinning are real, very few companies can risk
>> shutting themselves down for an extended period if they goof. The problem
>> with pinning is that the time period really does need to be fairly long if
>> it is to be any use. I do not visit my bank every day. I probably don’t
>> visit for a month at times.
>>
>>
> While I agree about the risk of error I think your analysis is wrong. If
> a bunch of people all have the forward looking statement then any one of
> them visiting the site and triggering the error can inform the others. An
> example of this in practice is the use of certificate pinning for google
> properties which have successfully notified people other than the victim of
> an attack that an attack was taking place. Having a solution that offered
> protection to the majority would be an improvement when considering the
> case of an individual (who might not visit a site very often).
>
> For this specific situation I think expecting the endpoint to refresh
> their pinning information regularly would be entirely reasonable.
>
>
>
>> * A weaker criteria such as ‘must get an EV cert’ or a much shorter time
>> period than is needed for pinning (24 hours) is much more likely to be
>> acceptable
>>
>>
>>
> This is only a consideration if you agree with the preceding comment.
>
> Regards
>
> Rich.
>
>
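The "do this for the next X hours" statement and the point that a regular visitor keeps the window alive while an infrequent visitor falls outside it can be made concrete. The following is an added Python sketch, not code from this thread or from any CA/B Forum member; the pin encoding follows the HPKP convention (base64 of SHA-256 over the SubjectPublicKeyInfo DER), and the host names, key bytes and clock values are constructed for the walk-through.

```python
import base64
import hashlib
from dataclasses import dataclass

HOUR = 3600


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo DER)), HPKP-style encoding."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinEntry:
    pins: frozenset      # accepted SPKI pins for this host
    max_age: int         # the 'next X hours' window, in seconds
    expires_at: float    # absolute time at which the statement stops binding


class PinStore:
    """Client-side store of forward-looking pin statements.

    `clock` is injected (a callable returning seconds) so expiry behaviour can be
    driven deterministically instead of depending on wall-clock time.
    """

    def __init__(self, clock):
        self._clock = clock
        self._entries = {}
        # Mismatch records. A real client would send these to a report endpoint,
        # which is how one user's failure can warn others of an ongoing attack.
        self.reports = []

    def remember(self, host, pins, max_age):
        """Record a statement learned on a visit the client already trusts."""
        self._entries[host] = PinEntry(frozenset(pins), max_age, self._clock() + max_age)

    def check(self, host, presented_spki_der):
        """Return 'no-pin', 'expired', 'ok' or 'mismatch' for a presented leaf key."""
        now = self._clock()
        entry = self._entries.get(host)
        if entry is None:
            return "no-pin"
        if now > entry.expires_at:
            # The statement has lapsed: the client has no basis to object. This is
            # the gap a short window leaves for someone who visits rarely.
            del self._entries[host]
            return "expired"
        seen = spki_pin(presented_spki_der)
        if seen in entry.pins:
            # Each successful visit re-arms the window, so a regular visitor
            # never lapses even though max_age is short.
            entry.expires_at = now + entry.max_age
            return "ok"
        self.reports.append({"host": host, "at": now, "seen": seen})
        return "mismatch"


def scenario():
    """Constructed walk-through: a 24-hour statement, one regular and one rare visitor."""
    t = {"now": 0.0}
    store = PinStore(lambda: t["now"])
    legit = b"constructed SPKI DER of the site's genuine key"
    rogue = b"constructed SPKI DER of a key the site never authorised"
    store.remember("regular.example", [spki_pin(legit)], 24 * HOUR)
    store.remember("monthly.example", [spki_pin(legit)], 24 * HOUR)
    results = []
    t["now"] = 12 * HOUR
    results.append(store.check("regular.example", legit))   # ok, window re-armed to 36h
    t["now"] = 30 * HOUR
    results.append(store.check("regular.example", rogue))   # mismatch: still inside the re-armed window
    results.append(store.check("monthly.example", rogue))   # expired: window lapsed, nothing to object to
    return results, len(store.reports)


if __name__ == "__main__":
    print(scenario())   # (['ok', 'mismatch', 'expired'], 1)
```

The two hosts are pinned identically; the only difference is that one was visited inside the window and one was not, which is exactly the distinction the reply draws between the individual who rarely visits and the population of regular visitors whose refreshed statements (and mismatch reports) protect everyone else.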