Re: Obtaining an EV cert for phishing

Gervase Markham gerv at mozilla.org
Wed Nov 29 07:58:29 MST 2017

On 28/11/17 22:41, Kirk Hall via Public wrote:
> Sorry, but your #2 below is wrong – James did leave a trace, his name
> and address (and no, that’s not emotion talking, just facts).  To my
> knowledge, so has every EV cert holder – it’s way too much trouble to
> establish a corporation (that’s real) using fake and untraceable
> information,

You assert this, but it seems to me that James' blog post makes a good
case for it not being true. If the QGIS does no vetting on the submitted
identity details, I can use just about anyone's, from my grandmother's
to ones bought for pennies on the dark web, and no-one will be any the
wiser. All you need, as James says, is: "address, date of birth,
nationality and 'three pieces of identifiable information'", which
according to James' image are town of birth, mother's maiden name and
eye colour, although it's far from clear that these values are validated
so you probably don't need to find them out for the person whose
identity you are stealing, you can just make them up.

The fact that James did not go this route himself doesn't mean his
demonstration has no value. Do you deny that it's pretty simple to find
the name, address, DOB and nationality of a random person whose identity
you want to borrow?

> just to obtain and use a EV cert for that fake identity, which will then
> be unusable as soon as the website has been tagged for fraud or
> phishing.

So you are saying it's OK to have a weak EV process, because Google Safe
Browsing exists?

> In contrast, anonymous, free, phishing DV certs

Can we reduce or eliminate this focus on phishing? EV is, or should be,
about more than just "anti-phishing". If everyone agrees that
anti-phishing is all it's about, then perhaps I should file a bug to get
the EV UI removed from Firefox, because I'm not convinced the SSL
certificate level is the right place to be doing anti-phishing.

(If you want an alternative scenario to use mentally, how about the
scenario of a fly-by-night internet shop, set up with an EV certificate
in the run-up to Christmas, which spends a week taking people's money
and then disappears with it before people realise nothing is shipping.)
