On Fri, May 26, 2017 at 10:46:05AM +0530, Sankalp Bagaria wrote:
>
> http://securityaffairs.co/wordpress/59238/cyber-crime/https-phishing-sites.html claims
> that phishing websites using HTTPS are increasing in number. If malicious
> sites can get certificates, it defeats the purpose of TLS. In my opinion,
> tougher measures are required to prevent malicious sites getting legitimate
> certificates. What can we do about it?
As EKR said, this isn't within the scope of the TLS Working Group. And I
don't think it is even in the scope of the entire IETF as a whole
(considering the scope of work the IETF does).

My opinion is that the problem isn't malicious sites getting security
certificates (so what if paypal.com.foobar.za gets a certificate saying it
is paypal.com.foobar.za? That is a completely true claim). The issue is the
completely screwed up handling of security indications in browsers. That is
certainly not the sort of work the IETF is doing.

Judging by a reasonable interpretation of browser indications:

- Unencrypted http:// is safe (apart from passwords/CC numbers).
- DV certificates are extra trustworthy.

Neither of these interpretations is correct. But both are still, in my
opinion, reasonable.

TLS with DV certificates is not above expected security, it is the closest
to expected security, so in my opinion it should get the neutral indicators
(so no lock). And http:// certainly is much below expected, so it should
get negative indications. EV is above expected, so it could get positive
indications.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls