Lists of high-profile domain names


Kathleen Wilson

Sep 13, 2011, 7:19:54 PM
to mozilla-dev-s...@lists.mozilla.org
From the recent CA Communication:
4) Confirm that you have automatic blocks in place for high-profile
domain names (including those targeted in the DigiNotar and Comodo
attacks this year). Please further confirm your process for manually
verifying such requests, when blocked.

Some CAs already have this in place, and have been adding to their own
list of "high-profile" domains for a while.

Some CAs are using lists that were disclosed from the DigiNotar and
Comodo incidents, such as the one listed here:
http://www.f-secure.com/weblog/archives/00002228.html

Other CAs are creating their own lists by starting with (for example)
the Alexa top 300 to 500 domain names, and adding government sites and
other domains as they deemed high-profile.

Would anyone be willing to post their recommendations about which
high-profile domain names should be checked?

Should I start a wiki page containing a list of high-profile domain
names that should be included in the automatic checks?

Kathleen
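The CA Communication item quoted above asks for an automatic block on high-profile names plus a manual-verification path once a request is blocked. As an added example (my code, not anything from the thread or from any CA mentioned in it), here is what such a pre-issuance screen looks like in practice: the watch list is a constructed placeholder, names are canonicalised before comparison, and a request is held for a human whenever a SAN is a listed name, a subdomain of one, or a wildcard whose scope would cover one.

```python
"""Added example (not from the thread): a CA-side screen that flags
certificate requests which touch a high-profile domain list, so that
issuance is held for manual verification instead of proceeding
automatically. The watch list below is a constructed placeholder."""

# Constructed placeholder entries; a real CA maintains its own list.
HIGH_PROFILE_DOMAINS = {
    "example-bank.test",
    "mail.example-webmail.test",
    "gov.example.test",
}


def normalize(name):
    """Canonical form for comparison: lower-case, no trailing dot,
    Unicode labels converted to IDNA A-labels so lookalike
    internationalised spellings are compared in one alphabet."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    try:
        name = name.encode("idna").decode("ascii")  # rejects empty labels
    except UnicodeError as exc:
        raise ValueError(f"invalid DNS name {name!r}: {exc}")
    return "*." + name if wildcard else name


def parents(name):
    """Yield the name and every ancestor: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches_high_profile(san, watchlist=HIGH_PROFILE_DOMAINS):
    """Return the watch-list entry a requested SAN would collide with,
    or None. Three cases are caught: an exact match, a subdomain of a
    listed name, and a wildcard whose scope covers a listed name
    (*.example-webmail.test would cover mail.example-webmail.test)."""
    san = normalize(san)
    if san.startswith("*."):
        base = san[2:]
        # A wildcard for a listed zone, or for a zone beneath one.
        for p in parents(base):
            if p in watchlist:
                return p
        # A wildcard matches exactly one extra label, so it covers a
        # listed name only when that name is a direct child of base.
        for entry in watchlist:
            if entry.endswith("." + base) and entry.count(".") == base.count(".") + 1:
                return entry
        return None
    for p in parents(san):
        if p in watchlist:
            return p
    return None


def screen_request(sans, watchlist=HIGH_PROFILE_DOMAINS):
    """Screen every SAN in a request. Returns the flagged names and the
    routing decision: 'manual-review' if anything matched, else 'auto'."""
    flagged = {}
    for san in sans:
        hit = matches_high_profile(san, watchlist)
        if hit is not None:
            flagged[san] = hit
    return {"decision": "manual-review" if flagged else "auto", "flagged": flagged}
```

The suffix test walks label boundaries rather than doing a plain string `endswith`, so `example-bankx.test` does not trip the `example-bank.test` entry; the wildcard branch matters because a request for `*.example-webmail.test` never mentions the listed host yet would let the holder impersonate it.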

David E. Ross

Sep 13, 2011, 10:38:51 PM
to mozilla-dev-s...@lists.mozilla.org

As I responded some time ago to a question posed by someone else (Eddy
Nigg??), I believe that any Web site where I want to do a financial
transaction, where I must provide a credit card or my Social Security
number, or where I must input my home address or phone number is
high-profile to me. This includes not only the Vanguard Group (one of
the world's largest mutual fund groups) but also the small community
bank where I have an account. On the other hand, Bank of America, Wells
Fargo, and the Fidelity Group are below low-profile for me; I have no
accounts there.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Varga Viktor

Sep 14, 2011, 9:15:45 AM
to David E. Ross, mozilla-dev-s...@lists.mozilla.org
I think a popularity check for this can be a good approach.
Yes, of course, for you, these are not high-profile domain names.

I try to compile some kind of list.

Regards,

Varga Viktor
IT Service and Customer Service Executive
Netlock Kft.



> -----Original Message-----
> From: dev-security-policy-
> bounces+varga.viktor=netlo...@lists.mozilla.org [mailto:dev-security-
> policy-bounces+varga.viktor=netlo...@lists.mozilla.org] On Behalf Of
> David E. Ross
> Sent: Wednesday, September 14, 2011 4:39 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Lists of high-profile domain names
>
> On 9/13/11 4:19 PM, Kathleen Wilson wrote:
> As I responded some time ago to a question posed by someone else (Eddy
> Nigg??), I believe that any Web site where I want to do a financial
> transaction, where I must provide a credit card or my Social Security
> number, or where I must input my home address or phone number is
> high-profile to me. This includes not only the Vanguard Group (one of
> the world's largest mutual fund groups) but also the small community
> bank where I have an account. On the other hand, Bank of America,
> Wells
> Fargo, and the Fidelity Group are below low-profile for me; I have no
> accounts there.
>
> --
>
> David E. Ross
> <http://www.rossde.com/>
>
> On occasion, I might filter and ignore all newsgroup messages
> posted through GoogleGroups via Google's G2/1.0 user agent
> because of spam from that source.

Pace Willisson

Sep 14, 2011, 9:22:23 AM
to mozilla-dev-s...@lists.mozilla.org
I wonder about requiring CAs to mark for manual review a request for
example.com if https://example.com already has a certificate from
another authority that's not about to expire.

Pace Willisson
pa...@alum.mit.edu

Paul Tiemann

Sep 14, 2011, 9:25:21 AM
to Pace Willisson, mozilla-dev-s...@lists.mozilla.org

On Sep 14, 2011, at 7:22 AM, Pace Willisson wrote:

> I wonder about requiring CAs to mark for manual review a request for
> example.com if https://example.com already has a certificate from
> another authority that's not about to expire.

I think that's a great idea!

Eddy Nigg

Sep 14, 2011, 10:20:33 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/14/2011 04:25 PM, From Paul Tiemann:
> I think that's a great idea!
>

I'm not sure - there are many different aspects of certificates that are
already installed at a certain site, starting from temporary self-signed
to those issued by other CAs. But which CAs do you consider to be really
from CAs? And then a certificate might be not chaining correctly to a
root considered trusted (depending on what you would consider as such)
leading to wrong decisions and so forth...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Ian G

Sep 14, 2011, 4:06:43 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org


On 14/09/2011, at 9:19, Kathleen Wilson <kathle...@yahoo.com> wrote:

> Would anyone be willing to post their recommendations about which high-profile domain names should be checked?
>
> Should I start a wiki page containing a list of high-profile domain names that should be included in the automatic checks?



Some ramblings. I guess we're all agreed that there is a thing such as
a high profile site. But maybe we haven't agreed what that means.

David says it is any site where he banks. I'm inclined to agree, I
care not for BankOfAmerica, but I do care about the community bank I
use. Which means from an individual perspective, high profile means "I
use that site." Which simply won't be tractable at a CA or meta-CA
level. At its theoretical purest, this is yet another call to give
the client/user the ability to mark and manage own certificates in a
more flexible way. WebTrust, Petnames, etc. I wonder how long these
calls for user-led pinning can go on for?

That's one focus. Another focus is the CA. Each CA can simply select
their own list. According to whatever mechanism they come up with.
Now, technically this is good because it introduces more competition
in security, thus leading to innovation; and also allows the CA to
more closely align its security to its subscriber base. But this is
completely misaligned to the real security risk analysis here: A
Chinese issuer of certs is uninterested in protecting BankOfAmerica,
but BankOfAmerica is rather interested in stopping the Chinese issuer
ship a cert.

So we all lack interest in this concept. For CAs, not only in
choosing the list, but in doing the work. For the rest of us, it
doesn't actually help us because of the reversed interest.

Which means the list has to come from outside the CA, in some sense or other.

Maybe the meta-CA level. Something in principle like Mozilla,
CABForum, the EU's working group on QC, ICANN, the UN (extremely
hypothetical here).

Leaving aside the manager, again we face problems of who should be on
the list. Sure, Mozilla will likely add BankOfAmerica, but who here
knows the names of the 100 biggest banks in China? Didn't think so... and
thus we're left with a "meta-CA cannot decide" problem. Which means
someone has to tell the meta-CA to add our favourite victim.

There are something like order of 10,000 banks in the world. If they
all decide they want "ON" and ask for it, can we cope with that? How
does a bank in Uganda ask? Does the meta-CA have to then essentially
verify & validate the requestor? Isn't that taking over the CA's
job?! We seem to be making a habit of that...

So that takes us back to the CA. It knows the customer. The customer
has to ask the CA, as part of its verification process. "Make me
high-profile." Which leads to ... an additional charge (of course)
and the CA then going to the meta-CA and adding the name to the
no-copy list.

Or, if you didn't want the CA to ask an additional charge, why not
couple it to EV? Any site that has an EV certificate has already
self-selected itself on first order discrimination (the green t-shirt,
not the blue one). So bundle it in, each CA then submits the name(s)
directly into the list. This would also solve the banks-versus-google
dilemma.

Another aspect to think about is liability. If a false cert gets
issued by MalloryCA for BankOfAmerica, where AliceCA already had that
subscriber, what's the liability? Does BoA sue AliceCA or MalloryCA?
Or both? Does it make a difference if BoA is on the high-profile list
or not? Is the high profile list worth a hill of beans in court?

Indeed, one of the issues with the high-profile list is that it lays
bare the deception in court -- a CA can certify the name, but it
doesn't have any ability to stop anyone else certifying the name as
well. So, MalloryCA can say BankOfAmerica belongs to phishers this
week, for the lolz. So, in selling "protection", a CA relies on
nothing going wrong. The high-profile list becomes evidence that the
"protection racket" is just a hope & dreams scam. It's a vanity
magazine, not a protection racket! Without some agreement that
MalloryCA is going to cough up damages, AliceCA is in a sticky
position in court, because she can't actually establish what she did
to protect her subscriber.

At this point, the lawyers might be saying "hey, you probably want to
make it compulsory for all green certs," so as to solve the decision
dilemma. Given a few calculations on the nature of the ratio of EV
cost to predictable downsides, and a few discussions of the claimed
beauty properties of wearing the green t-shirt (bullets slide off, the
must-have accessory to enhance your individuality and charisma,
doppelgangers need not apply). And, etc etc. The problem with this
idea is how to get that idea across to whoever wields the green pen at
CABForum; the more sales-savvy CAs will remember that rule #1 of
sales is "keep your customer list a secret :P" and that's just the
beginning.

In sum.

Mozilla might not be the right place for this. CABForum seems more
appropriate, but they are more a follower than a leader; it might
take the vendors to decide, and others to implement.

EV might be the right tool, as all the heavy up-front decisions are
already made.

The after-event decisions however still are cop-outs, and the
no-doppelgangers list lays that bare: Establish the liability
position for players, and have a very good idea what it means to be ON
as well as OFF. Be prepared to have that discussion in court. And,
consider how to bring MalloryCA to account ...

iang



Some random other questions, without apparent thought or answer or
impact on the above:

* Is there a potential attack in BobCA asking to add BoA before AliceCA?
* Can I or a crowd copy of me place BoA on the list? Perspectives?
Convergence?
* Can my client download the list and use it in an innovative fashion?
* How do we get a name off?
* Does it become like the USA's famous no-fly list? Some Star
Chamber process where any disgruntled federale can put the neighbour
on the list for looking askance at the spouse? And you never get
off...
* Does the existence of the list as probably managed in USA mean that
Cuban and Iranian banks can't get on? Or is this managed by a UN
committee? Or is it managed out of China, so the banks in Taiwan
aren't protected?

Lucas Adamski

Sep 15, 2011, 2:15:19 PM
to Ian G, mozilla-dev-s...@lists.mozilla.org, Kathleen Wilson
It seems like we may be mixing the concept of public profile vs individual importance. There is a significant number of sites that are very important to a large number of people (high profile). There is a much larger number of sites that are each very important only to a much smaller set of people.

It's not that the latter group is not important, but it seems like focusing on some sort of site opt-in mechanism (i.e. pinning) may make more sense.
Lucas.

Paul Tiemann

Sep 15, 2011, 2:45:45 PM
to Eddy Nigg, mozilla-dev-s...@lists.mozilla.org
On Sep 14, 2011, at 8:20 AM, Eddy Nigg wrote:

> On 09/14/2011 04:25 PM, From Paul Tiemann:
>> I think that's a great idea!
>>
>
> I'm not sure - there are many different aspects of certificates that are already installed at a certain site, starting from temporary self-signed to those issued by other CAs. But which CAs do you consider to be really from CAs? And then a certificate might be not chaining correctly to a root considered trusted (depending on what you would consider as such) leading to wrong decisions and so forth...


I don't know if it'll become a requirement for CAs to do this, but we're going to add it to our risk scoring systems because I think it makes a lot of sense, and doesn't seem too hard to automate parts of it.

Paul

Gervase Markham

Sep 16, 2011, 12:37:35 PM
to mozilla-dev-s...@lists.mozilla.org
On 14/09/11 13:06, Ian G wrote:
> Some ramblings. I guess we're all agreed that there is a thing such as
> a high profile site. But maybe we haven't agreed what that means.

You are over-engineering this, IMO :-) 90% of the value of a "high
profile sites list" can be gained if the list is precisely the list of
sites that the DigiNotar attacker went after. You can get another 5% of
the value with an hour's thinking about other sites in similar
categories and of similar sizes and worldwide importances. The total
list will be > 100.

Discriminatory? We can argue that until the cows come home. Useful and
effective? Undoubtedly.

Gerv

Florian Weimer

Sep 17, 2011, 5:27:25 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
* Gervase Markham:

> On 14/09/11 13:06, Ian G wrote:
>> Some ramblings. I guess we're all agreed that there is a thing such as
>> a high profile site. But maybe we haven't agreed what that means.
>
> You are over-engineering this, IMO :-) 90% of the value of a "high
> profile sites list" can be gained if the list is precisely the list
> of sites that the DigiNotar attacker went after. You can get another
> 5% of the value with an hour's thinking about other sites in similar
> categories and of similar sizes and worldwide importances. The total
> list will be > 100.

Do you mean less than 100?

But in order to be effective, you also need to include domains from
which those sites load scripts (perhaps even in a geo-located
fashion), so I'm sure the actual list is a bit unwieldy.

David Illsley

Sep 18, 2011, 12:18:17 PM
to mozilla-dev-s...@lists.mozilla.org
On Sep 14, 3:20 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 09/14/2011 04:25 PM, From Paul Tiemann:
>
> > I think that's a great idea!
>
> I'm not sure - there are many different aspects of certificates that are
> already installed at a certain site, starting from temporary self-signed
> to those issued by other CAs. But which CAs do you consider to be really
> from CAs? And then a certificate might be not chaining correctly to a
> root considered trusted (depending on what you would consider as such)
> leading to wrong decisions and so forth...

Is there already a check for issuing a DV cert for a domain which is
publicly running with an EV cert? If not, is there a reason not to
require special processing in that case?
David
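Pace's proposal, Eddy's caveats about self-signed and badly chained certificates, and David's question about EV certificates all describe the same risk-scoring input: what the requested host already serves. As an added example (my code, not the thread's or any CA's), here is one way to turn those three comments into a scoring rule. The observation record is a constructed stand-in for a fetched and validated live chain, `OUR_ISSUER_NAME` and the EV policy OID set are placeholders, and `NOW` is fixed so the sample verdicts are reproducible.

```python
"""Added example, not from the thread: a risk-scoring rule for a
certificate request based on the certificate the requested host already
serves over HTTPS. A real implementation would fetch and validate the
live chain before applying these rules; here the observation is a
constructed dataclass."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed placeholders: a real CA loads the browsers' EV policy OIDs
# and knows its own issuer names.
KNOWN_EV_POLICY_OIDS = {"1.3.6.1.4.1.99999.1.1"}
OUR_ISSUER_NAME = "CN=Example Issuing CA"
EXPIRY_GRACE = timedelta(days=30)  # "about to expire" threshold
NOW = datetime(2011, 9, 14, tzinfo=timezone.utc)  # constructed clock


@dataclass
class ObservedCert:
    issuer: str
    self_signed: bool
    chains_to_trusted_root: bool
    not_after: datetime
    policy_oids: set = field(default_factory=set)


def existing_cert_risk(observed, now, our_issuer=OUR_ISSUER_NAME,
                       ev_oids=KNOWN_EV_POLICY_OIDS):
    """Return (score, reasons). A higher score is more reason for a
    human to look at the request before issuance."""
    if observed is None:
        return 0, ["no certificate observed on the host"]
    if observed.self_signed or not observed.chains_to_trusted_root:
        # Eddy's caveat: a temporary self-signed or untrusted chain says
        # nothing about who legitimately controls the name, so it is not
        # treated as evidence either way.
        return 0, ["observed certificate is not publicly trusted; ignored"]
    if observed.issuer == our_issuer:
        return 0, ["existing certificate is ours (renewal or replacement)"]
    if observed.not_after - now <= EXPIRY_GRACE:
        # Expired or expiring soon: a switch of CA at renewal is normal.
        return 1, ["trusted certificate from another CA, but about to expire"]
    score = 2
    reasons = ["trusted, unexpired certificate from another CA"]
    if observed.policy_oids & ev_oids:
        # David's case: a DV request for a host currently serving EV.
        score += 2
        reasons.append("existing certificate is EV")
    return score, reasons


def needs_manual_review(score):
    return score >= 2


# Constructed sample observations for the cases discussed in the thread.
SAMPLES = {
    "none": None,
    "self_signed": ObservedCert("CN=localhost", True, False, NOW + timedelta(days=365)),
    "other_ca": ObservedCert("CN=Other CA", False, True, NOW + timedelta(days=400)),
    "other_ca_expiring": ObservedCert("CN=Other CA", False, True, NOW + timedelta(days=10)),
    "other_ca_ev": ObservedCert("CN=Other CA", False, True, NOW + timedelta(days=400),
                                {"1.3.6.1.4.1.99999.1.1"}),
    "ours": ObservedCert(OUR_ISSUER_NAME, False, True, NOW + timedelta(days=20)),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        score, reasons = existing_cert_risk(obs, NOW)
        print(f"{label:18} score={score} review={needs_manual_review(score)} {reasons}")
```

The untrusted-chain branch deliberately returns a zero score rather than a negative one: the point of Eddy's objection is that such certificates carry no signal, and letting them lower the score would hand an applicant an easy way to suppress the check.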

Ian G

Sep 18, 2011, 11:37:49 PM
to mozilla-dev-s...@lists.mozilla.org
On 17/09/11 2:37 AM, Gervase Markham wrote:
> On 14/09/11 13:06, Ian G wrote:
>> Some ramblings. I guess we're all agreed that there is a thing such as
>> a high profile site. But maybe we haven't agreed what that means.
>
> You are over-engineering this, IMO :-)

OK, thanks for correcting my over-imaginative mind :-)


> 90% of the value of a "high
> profile sites list" can be gained if the list is precisely the list of
> sites that the DigiNotar attacker went after. You can get another 5% of
> the value with an hour's thinking about other sites in similar
> categories and of similar sizes and worldwide importances. The total
> list will be > 100.

I guess that means <100. Now, one question. How many sensitive sites
operated by the US Government are in that list?

Hmmm... well, probably the Iranian chap [0] included cia.gov. And
dhs.gov. But DHS alone probably counts for 100 sites. And the Pentagon
is probably up in the 1000 mark.

Perhaps we could pin all of .gov? *.gov pinned to 3 or 4 CAs that
happen to headquarter near .gov.

Wait! I'm over-engineering things again :)


> Discriminatory? We can argue that until the cows come home.

It took me a while to work that comment out, now I see it ;)

> Useful and
> effective? Undoubtedly.


thanks, iang


[0] I don't like using his claimed name. OTOH, does anyone not
understand the power of brand now? :P

Michał Proszkiewicz

Sep 19, 2011, 6:14:06 AM
to mozilla-dev-s...@lists.mozilla.org
But how would one know whether the certificate is EV or not? Is there any
consistent "base" of all current EV OIDs?

Michal

Rob Stradling

Sep 19, 2011, 6:38:04 AM
to dev-secur...@lists.mozilla.org
On Monday 19 Sep 2011 11:14:06 Michał Proszkiewicz wrote:
> On 2011-09-18 18:18, David Illsley wrote:
> But how would one know whether the certificate is EV or not? Is there any
> consistent "base" of all current EV OIDs?

The EV OIDs trusted by Firefox, Chrome and IE can all be discovered by looking
at the relevant source code / automatic update files.

But it would be significantly more convenient to have this information listed
in a single, easily parseable file, published at a well-known URL. Doesn't
sound like a hard problem. Perhaps the CABForum should do this.


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online