[cabfpub] Obtaining an EV cert for phishing

Gervase Markham gerv at mozilla.org
Thu Sep 14 06:07:39 MST 2017


As noted in the Paypal/Let's Encrypt meeting yesterday, James Burton has
published a blog post claiming that it's not difficult to get a
fraudulent EV certificate:
https://0.me.uk/ev-phishing/

Now, they didn't actually get a fraudulent one, and it did take them a
few days and a reasonable amount of manual work, but if we accept for
the sake of argument their claim that valid stolen personal ID can be
obtained online easily, it does seem that the other steps are not too
onerous.

As someone noted at the meeting, fraudsters often don't pay for things
with their own money. To my mind, the "cost" of EV is in the requirement
to either reveal your true identity, or to spend prohibitive time on a
successful effort to fool the checks.

I hope we can use this as a learning experience. Because a certificate
was not misissued, there is no obligation on them to do so, but I hope
that in the cause of making EV better, Symantec would be willing to
discuss their EV verification steps and what happened in this case, so
we can look and see if the EV process needs improving.

Some areas I'd particularly like to consider:

11.4: Verification of Applicant’s Physical Existence. How was that done
in this case, and what was the address which was verified?

11.6: Verification of Applicant’s Operational Existence. How was that
done in this case? Which clause of 11.6.2 was used? What were the results?

Gerv




More information about the Public mailing list