Phishing strategies and counter-strategies


#1

[Moderator’s note: Split off from older thread to avoid confusion].

Well, if I were to set up a phishing scam, I’d get my certificate “upfront” before sending out the first phishing mail (which could result in a Google-Safebrowsing-blacklisting). So after the certificate has been issued, it’ll be valid for 90 days - more time than necessary.

However, the situation would be slightly different if CAs like Let’s Encrypt could subscribe to a feed of domains recently added to the safebrowsing blacklist, and revoke their certificates automatically.

Or, from the other side: Google could check the certificate transparency logs, match them with records recently added to the safebrowsing blacklist and specifically report those domains to the CAs who did issue a certificate for any of those domains. The CA then would perform a check if the domain is still blacklisted and could immediately revoke certificates rather than merely preventing a new certificate from getting issued.

Just some ideas :slight_smile:
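As an added illustration of the matching step proposed above (CT log entries checked against recently blacklisted domains, grouped into per-CA reports that the CA re-verifies before revoking), here is a small Python sketch. It is example code written for this page, not code from the thread, from Let’s Encrypt or from Google; the CT entries, the blocklist feed, the CA names and the `.test` hostnames are constructed placeholders, and the real Safe Browsing and CT log APIs are not modelled.

```python
"""Match Certificate Transparency log entries against a freshly updated phishing
blocklist and hand each CA a revocation report it can re-verify before acting.

Added example; all sample data below is constructed, and the real Safe Browsing
and CT log APIs are not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CtEntry:
    issuer: str             # CA that logged the certificate
    serial: str             # certificate serial (hex string, constructed)
    sans: Tuple[str, ...]   # dNSName SANs, may include wildcards
    not_before: datetime


@dataclass(frozen=True)
class BlocklistEntry:
    host: str
    added: datetime         # when the host entered the blocklist feed


def hostname_covered(san: str, host: str) -> bool:
    """Does this SAN cover the blocklisted host? A wildcard matches exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return san == host


def match_ct_against_blocklist(entries: Iterable[CtEntry],
                               blocklist: Iterable[BlocklistEntry],
                               since: datetime) -> Dict[str, List[Tuple[str, str]]]:
    """Group (serial, host) hits by issuing CA, using only blocklist entries added since `since`."""
    recent = [b for b in blocklist if b.added >= since]
    reports: Dict[str, List[Tuple[str, str]]] = {}
    for entry in entries:
        for item in recent:
            if any(hostname_covered(san, item.host) for san in entry.sans):
                reports.setdefault(entry.issuer, []).append((entry.serial, item.host))
    return reports


def ca_revocation_decision(hits: List[Tuple[str, str]],
                           still_blocklisted: Callable[[str], bool]) -> List[str]:
    """The CA re-checks each reported host and revokes only certificates whose host is still listed."""
    return sorted({serial for serial, host in hits if still_blocklisted(host)})


# --- constructed sample data (not real certificates or blocklist records) -------------
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed clock so the demo is reproducible
CT_ENTRIES = [
    CtEntry("Example CA", "01", ("login.example.test",), NOW - timedelta(days=3)),
    CtEntry("Example CA", "02", ("*.shop.example.test",), NOW - timedelta(days=2)),
    CtEntry("Other CA", "03", ("good.example.test",), NOW - timedelta(days=1)),
    CtEntry("Other CA", "04", ("old.example.test",), NOW - timedelta(days=60)),
]
BLOCKLIST = [
    BlocklistEntry("login.example.test", NOW),                       # new: exact SAN hit
    BlocklistEntry("pay.shop.example.test", NOW),                    # new: covered by wildcard
    BlocklistEntry("deep.sub.shop.example.test", NOW),               # new: two labels, no wildcard hit
    BlocklistEntry("old.example.test", NOW - timedelta(days=40)),    # old: outside the feed window
]


def demo() -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    """Run the pipeline end to end: feed match -> per-CA report -> CA re-check -> revocation list."""
    reports = match_ct_against_blocklist(CT_ENTRIES, BLOCKLIST, since=NOW - timedelta(hours=1))
    # Simulated re-check: pay.shop.example.test was cleaned up and delisted in the meantime,
    # so the CA should not revoke serial 02 on the strength of the stale report alone.
    still_listed = lambda host: host != "pay.shop.example.test"
    revoke = ca_revocation_decision(reports.get("Example CA", []), still_listed)
    return reports, revoke


if __name__ == "__main__":
    reports, revoke = demo()
    for issuer, hits in reports.items():
        print(f"report to {issuer}: {hits}")
    print("Example CA revokes serials:", revoke)
```

The wildcard rule is deliberately strict (one label only, as browsers apply it), and the feed window (`since`) is what makes the scheme incremental rather than a full rescan on every run; the separate re-check step is the safeguard against revoking on the basis of a listing that has already been cleared.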


The CA's Role in Fighting Phishing and Malware
#2

Safe Browsing & co are far more effective at blocking this kind of thing in a timely fashion. Thanks to OCSP stapling, phishing site operators can continue to use revoked certificates for up to 7 days (in Let’s Encrypt’s case; the allowed maximum OCSP lifetime for CAs is 10 days), not to mention that some browsers don’t check OCSP at all.

The update frequency for Safe Browsing is < 1h in Firefox/Chrome; not sure about others.


#3

Or just stop associating a certificate with “malware-free”, because this is not what it certifies. The world could be much easier if people used their brains more.

