Phishing strategies and counter-strategies

[Moderator’s note: Split off from older thread to avoid confusion].

Well, if I were to set up a phishing scam, I’d get my certificate “upfront” before sending out the first phishing mail (which could result in a Google-Safebrowsing-blacklisting). So after the certificate has been issued, it’ll be valid for 90 days - more time than necessary.

However, the situation would be slightly different if CAs like Let’s Encrypt could subscribe to a feed of domains recently added to the safebrowsing blacklist, and revoke their certificates automatically.

Or, from the other side: Google could check the certificate transparency logs, match them with records recently added to the safebrowsing blacklist and specifically report those domains to the CAs who did issue a certificate for any of those domains. The CA then would perform a check if the domain is still blacklisted and could immediately revoke certificates rather than merely preventing a new certificate from getting issued.

Just some ideas 🙂
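The matching step sketched above (CT log entries against a blocklist feed, grouped by issuing CA) as an added example; this is illustrative code, not anything Let's Encrypt or Google runs. All entries, domains, issuer names and the "current" time are constructed sample data, and the 90-day lifetime is taken from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: CT log entries (issuer, SAN list, notBefore)
# and a few domains "recently added" to a Safe Browsing style blocklist.
CT_ENTRIES = [
    {"issuer": "Let's Encrypt", "sans": ["login-example.test", "www.login-example.test"],
     "not_before": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"issuer": "Let's Encrypt", "sans": ["*.shared-host.test"],
     "not_before": datetime(2024, 4, 20, tzinfo=timezone.utc)},
    {"issuer": "Other CA", "sans": ["benign.test"],
     "not_before": datetime(2024, 5, 2, tzinfo=timezone.utc)},
    {"issuer": "Let's Encrypt", "sans": ["old-phish.test"],
     "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]
BLOCKLISTED = ["login-example.test", "victim.shared-host.test", "old-phish.test"]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "current" time
CERT_LIFETIME = timedelta(days=90)  # Let's Encrypt certificate lifetime


def san_matches(san, hostname):
    """True if a SAN entry covers hostname. A '*' wildcard covers exactly
    one left-most DNS label, which is how browsers treat it."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return san == hostname


def build_ca_reports(ct_entries, blocklisted, now):
    """Group still-valid certificates covering blocklisted names by issuing CA.
    Expired certificates are skipped (nothing left to revoke). Wildcard
    certificates are flagged: revoking one on a shared host affects every
    tenant under it, so the CA's re-check should look at that before acting."""
    reports = defaultdict(list)
    for cert in ct_entries:
        if cert["not_before"] + CERT_LIFETIME <= now:
            continue
        hits = sorted({d for d in blocklisted for san in cert["sans"] if san_matches(san, d)})
        if hits:
            reports[cert["issuer"]].append({
                "sans": cert["sans"],
                "blocklisted": hits,
                "wildcard": any(s.startswith("*.") for s in cert["sans"]),
            })
    return dict(reports)


if __name__ == "__main__":
    for ca, certs in build_ca_reports(CT_ENTRIES, BLOCKLISTED, NOW).items():
        print(ca, certs)
```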

Safe Browsing & co are far more effective at blocking this kind of thing in a timely fashion. Thanks to OCSP stapling, phishing site operators can continue to use revoked certificates for up to 7 days (in Let’s Encrypt’s case; the allowed maximum OCSP lifetime for CAs is 10 days), not to mention that some browsers don’t check OCSP at all.

The update frequency for Safe Browsing is < 1h in Firefox/Chrome; not sure about others.


Or just stop associating a certificate with “malware-free”, because this is not what it certifies. The world could be much easier if people used their brains more.
