On Fri, 26 May 2017 07:16:05 +0200, Sankalp Bagaria
<sankalp.n...@gmail.com> wrote:
> Hello,
>
> http://securityaffairs.co/wordpress/59238/cyber-crime/https-phishing-sites.html
> claims that phishing websites using HTTPS are increasing in number. If
> malicious sites can get certificates, it defeats the purpose of TLS. In
> my opinion, tougher measures are required to prevent malicious sites
> getting legitimate certificates. What can we do about it?

As EKR says separately, this is out of scope for the TLS WG.
It might be in scope for the CA/Browser Forum <https://cabforum.org>,
though.
However, you should not get your hopes up too high.
This is a very big problem space, and I suspect that it is very difficult
to get anything beyond checks for lookalike names to work properly (which
could conceivably cause issues for legitimate sites, such as
"sucks"-sites), without causing problems for the overriding goal of
getting all internet traffic encrypted at an affordable cost.
Beyond this and the whack-a-mole system of looking up lists of fraudulent
sites, I suspect the difficult task of educating people is the only
practical way of dealing with this issue; as mandating Extended Validation
certificates would create trouble for the affordable encrypted internet
goal.
--
Sincerely,
Yngve N. Pettersen
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls