by pokemon-trainer 3439 days ago
It's very unfortunate there isn't a way to force more responsibility/accountability onto CAs who issue phishing certificates.

Of course, the non-internet version of a CA, credit rating agencies, do not behave any better with the trust given to them by the public.

Maybe the creators of the Bitcoin altcoin "namecoin" had the right idea.


I don't believe it's reasonable to expect a CA to police the content of a domain that they have issued a certificate for.

As the original article points out, you can perform these kinds of attacks with any address by setting up subdomains ("https://www.paypal.com.safe.com" looks pretty similar to "https://www.paypal.com" to most users).

I personally think this is an issue with the browser UI/UX as it currently stands. "Secure" sends the wrong message to your average user. I would like to see something like the prominent display of the second/third level domain at the top of every browser tab (depending on the TLD). i.e. "ycombinator.com", "paypal.com", etc.
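The comment above describes a subdomain lookalike and proposes surfacing the registrable domain in the browser UI. The following is an added example, not code from the thread or from any browser, of how that registrable domain ("eTLD+1") is derived with Public Suffix List rules. The SUFFIX_RULES list is a constructed subset of the real Public Suffix List assumed for this demo, and the function names are this example's own.

```javascript
// Added example (not from the thread): derive the registrable domain
// (public suffix + one label, "eTLD+1") that a browser could display
// prominently, so "www.paypal.com.safe.com" surfaces as "safe.com".
// SUFFIX_RULES is a constructed subset of the Public Suffix List for this demo.
const SUFFIX_RULES = [
  "com", "org", "net", "io",
  "uk", "co.uk", "org.uk",
  "github.io",          // every *.github.io is a separate site
  "*.ck", "!www.ck",    // wildcard rule plus its exception, as in the real list
];

// Split list entries into the three PSL rule kinds.
function compileRules(entries) {
  const rules = { normal: new Set(), wildcard: new Set(), exception: new Set() };
  for (const e of entries) {
    if (e.startsWith("!")) rules.exception.add(e.slice(1));
    else if (e.startsWith("*.")) rules.wildcard.add(e.slice(2));
    else rules.normal.add(e);
  }
  return rules;
}
const RULES = compileRules(SUFFIX_RULES);

// Number of trailing labels that form the public suffix. Candidates are tried
// longest first; at each length an exception rule beats a wildcard rule, which
// matches PSL precedence for real data. With no match, the last label alone
// is the suffix.
function publicSuffixLength(labels, rules = RULES) {
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (rules.exception.has(candidate)) return labels.length - i - 1;
    if (parent && rules.wildcard.has(parent)) return labels.length - i;
    if (rules.normal.has(candidate)) return labels.length - i;
  }
  return 1;
}

// Registrable domain of a URL, or null when the host is itself a public suffix
// (e.g. "co.uk"). IP literals are returned unchanged: they have no registrable
// domain, and a browser would show them verbatim.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  const labels = host.split(".");
  const suffixLen = publicSuffixLength(labels);
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Two URLs belong to the same site only if their registrable domains agree.
function sameSite(a, b) {
  const da = registrableDomain(a);
  const db = registrableDomain(b);
  return da !== null && da === db;
}

// Demonstration on the lookalike from the comment above.
for (const u of ["https://www.paypal.com", "https://www.paypal.com.safe.com/signin"]) {
  console.log(u, "->", registrableDomain(u));
}
```

The point the example makes concrete: "www.paypal.com.safe.com" and "www.paypal.com.safe.co.uk" both reduce to the attacker's registrable domain, while "paypal.github.io" stays whole because "github.io" is itself a public suffix. Any UI that highlights only the "last two labels" without the suffix list gets the co.uk and github.io cases wrong.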

It's very unfortunate there isn't a way to force more responsibility/accountability onto CAs who issue phishing certificates.

It's very easy: get the browser vendors to remove them from the root store. It's exceedingly effective. The "problem" is that the browser vendors seem to agree that CAs shouldn't be content watchdogs.

Did you read the linked position paper from LetsEncrypt?

I think they're right - the CA's job (which they're not exactly nailing either) is to ensure that the browser is connected to the site it thinks it is. After that, it's the browser's job to ensure that the site it thinks it's connecting to and the site that the user thinks they're connecting to are the same.

That's very much a libertarian-style nuclear option to remove a CA from the root store. Why can't the industry work out a fine to pay an ICANN-like org for root CAs when it happens?

A large percent of phishing sites are hacked WordPress sites.

So if a CA offers a certificate to a legitimate WordPress site, which then proceeds to let itself get hacked and host a phishing page, that CA now has to pay a fine?