mozilla.dev.security.policy
nathali...@ins.hsr.ch, …, Ronald Crane (33) 8/25/20
Concerns with Let's Encrypt repeated issuing for known fraudulent sites
such a phishing site is given by the DV certificate issued. The basis for issuing is that the ownership of the domain is confirmed. So, any user on the Internet is suggested to trust that

Ben Wilson, …, None Of (19) 8/25/20
New Blog Post on 398-Day Certificate Lifetimes
non-phishing attacks, such as performing active MITM attacks that modify or replace (or surveil) data in flight, or relying on cached DNS data from a domain which recently changed

Paul Walsh, …, Nick Lamb (37) 10/30/19
Firefox removes UI for site identity
forward that phishing attacks would take a nose dive. All the data points in my article bring me to this conclusion. In future I hope people can debate people's conclusions with

Wayne Thayer, …, carsten.m...@gmail.com (239) 11/4/19
Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (eg, Chromium Embedded Framework - CEF) or another automation platform is

Paul Wouters, …, Wayne Thayer (80) 8/21/19
Nation State MITM CA's ?
case bank phishing could occur since the user cannot verify the certificate via the browser. > Hence my breakdown and suggestions below, which seem to agree with yours in most cases

Jeremy Rowley, …, Phillip Hallam-Baker (34) 7/19/19
Logotype extensions
for stopping phishing and taken it to an extreme. This is the idea of a limited Web browser that is only used for the important parts of a bank or brokerage site. Confirming trades or bill

michel.le...@gmail.com, …, Matt Palmer (8) 3/25/19
CFCA certificate with invalid domain
invitation to phishing). As "not found" is a permissive CAA check result, CAA checking may be perfectly fine in this case. Domain control validation however obviously

Wayne Thayer, …, Ronald Crane (211) 12/23/19
DarkMatter Concerns
, and phishing - which have a host of economic concerns just as much as technical. >From that longer message in [1], I omitted a much longer discussion about the goals of a root program

Jakob Bohm, …, Nick Lamb (13) 1/2/19
When should honest subscribers expect sudden (24 hours / 120 hours) revocations?
such as phishing >>> attacks, fraud, or the distribution of malware or other illegal or >>> fraudulent purposes, >> >> These were covered in the list

Enrico Entschew, …, westm...@gmail.com (28) 12/10/18
Incident report D-TRUST: syntax error in one tls certificate
not a phishing attempt. > > See above, this works today for lots of ACME validated domains. > >> Some ACME protocols may contain specific authenticated ways for the

a...@mozilla.com, …, Wayne Thayer (29) 11/1/18
Certigna Root Renewal Request
organization "phishing initiative". If a URL goes back at risk by these databases, the certificate request is automatically rejected and the applicant is notified by

Adrian R., …, Tim Hollebeek (51) 5/16/18
question about DNS CAA and S/MIME certificates
out of phishing. > > But even with gmail, the only circumstance I could see where a mail service > provider like that would want to restrict cert issue to one CA would be if they

Matthew Hardeman, …, Ryan Sleevi (81) 4/17/18
Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....
not a phishing mitigation, and treat "risk" as an operational risk category (or, to sate some of the frothing masses, a PR risk), since there fundamentally is not some enhanced

Kathleen Wilson, …, Wayne Thayer (16) 2/28/18
Japan GPKI Root Renewal Request
case of phishing on the websites such as the > > Council of Anti-Phishing Japan etc. and refer them to the examination > work. > > > > > > * There are separate

Ryan Sleevi, …, Tim Hollebeek (153) 12/20/17
On the value of EV
up other phishing-y avenues, like registering a California company that matches some Canadian company's name. So it's not clear that would be an improvement, and certainly

Peter Kurrasch, Ryan Sleevi (2) 12/18/17
CABF Recommendations (was: On the value of EV)
will prevent phishing attacks" as such claims are misleading. A phishing attack may take many forms, and setting up a fake website is but one of them. Likewise, my reasons for setting

Quirin Scheitle, …, Jakob Bohm (17) 11/28/17
Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names
like spear phishing we can expect to see sophisticated > criminals targeting organisations through this sort of vulnerability, > so-to-say "casing the joint"

谭晓生, joachim.ba...@gmail.com (2) 11/17/17
Termination of the certificates business of Startcom
and then phishing them for their ideas with promise of equity which is never paid out. There were also a range of other issues such as racist coworkers (which I fired in my first week) and

Adam Shannon 8/9/17
Phishing detection from FQDN's as prefixes
.myblog.net.proxy.com?rev=2017-08-09 If a large percentage of hostnames with a FQDN prefix are phishing related it might be an initial pool for further research by agencies.

Matthew Hardeman, …, Ryan Sleevi (6) 6/22/17
On GitHub, Leaked Keys, and getting practical about revocation
malware and phishing), apathetic server compromise (that is, they did not enable stapling. However, the root cause/risk is the apathy, for which revocation does not fix), or should

Gervase Markham, …, Itzhak Daniel (28) 5/4/17
Removing "Wildcard DV Certs" from Potentially Problematic Practices list
to police phishing CAs should police as long as the browser gives positive reinforcement to the end-users when they access a [phishing] site. There were suggestions in the past to remove

Mike Pasarella, …, Jeremy Rowley (34) 5/9/17
CA Validation quality is failing
this bad validation and in my opinion failing to comply to the baseline requirements. Which could initiative encourage phishing and the de-trust in TLS in general. Kind Regards, Mike

Steve Medin, …, Ryan Sleevi (4) 4/11/17
Symantec Response T
> potential phishing (strings used in scam domains, high-profile brands), and > other potentially risky content such as "test". Potential failures are > flagged

David E. Ross, …, Nick Lamb (18) 3/30/17
Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites
those. So 14k becomes a measure not of criminal interest in TLS certificates but of the success of full automation in bulk hosting combined with the high turnover of phishing sites.

Gervase Markham, …, Doug Beattie (57) 5/23/17
Next CA Communication
faked by phishing attacks. 2. Securely generating and deploying private keys for new certificates, and securely ensuring the right private key is used in a non-ACME certificate request

Peter Bowen, …, Peter Kurrasch (111) 4/25/17
Google Trust Services roots
launch a phishing campaign targeting GlobalSign subscribers with a message along the lines of "Did you know that GlobalSign has sold your certificate to Google? Click here to

Tony Zhaocheng Tan, …, Peter Kurrasch (31) 3/1/17
Let's Encrypt appears to issue a certificate for a domain that doesn't exist
issued to phishing sites to see Eric Mill's comment in this thread. He has provided a link to past discussion on this topic, and I can promise you that however displeasing and shocking

tde...@gmail.com, …, Nick Lamb (14) 1/24/17
Certificate validation phishing
sends a phishing mail to the victim claiming that > the token she computed (with her own key), pretending this to be a > value to be put in DNS/whateverelse for some convincing purpose

Kathleen Wilson, …, Jürgen Brauckmann (6) 3/9/17
Include Additional D-TRUST root certificate
of known phishing domains. Domain names not subject to a registration obligation (no toplevel domains) are not permitted. E-mail The TSP sends an e-mail to the e-mail address to be

tde...@gmail.com, …, Gervase Markham (17) 12/23/16
wosign and letsencrypt.cn / letsencrypt.com.cn
23786 > > Other relevant thread: Comodo Legal Phishing attack against ISRG? > https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ