In the past few days, a lot of people started complaining about Let’s Encrypt and how it has issued TLS Certificates for PayPal. Various posts like this were written to complain about that, and some people even went as far as writing blog posts for Let’s Encrypt to stop issuing certificates with the word “PayPal”.
Apparently, a lot of people agree with this. That last blog post even mentions that Certificate Authorities performed checks and still do, to try and avoid issuing certificates with this word. Luckily, some people are still reasonable.
About a month ago, I wrote a blog post on abuse e-mails and what I believe they should be used for. The gist of it is that a lot of companies, even “security” companies, keep sending large amounts of e-mails to ISPs because one of their IP Addresses attempted to login to their website with a wrong password, or even had a funny User Agent.
At this point you will ask how these two events are related.
The connection between the two is that, in both cases, someone does not want to spend money or time securing their product or service and wants others to work for them for free.
In the case of abuse e-mails and “security” companies, they don’t want to invest money and put some effort into securing their websites, so they e-mail the ISP of everyone who did something even remotely out of line according to them and ask them to either ban the users completely or stop these “attacks”.
This makes no sense to me.
If you want your service to be secure, make it secure. Don’t complain to other people and expect them to work for you and police their users to satisfy your needs.
In the case of Let’s Encrypt issuing certificates for phishing domains, although it’s not PayPal complaining directly, PayPal can do something to make sure its customers aren’t getting phished. It can, for example, make Two Factor Authentication mandatory. In that case, even if someone successfully poses as paypal.com itself, with a valid certificate for that domain, and the user enters their credentials, those credentials alone can’t be used. A second factor of authentication is required, such as an SMS code, or better Google Authenticator (TOTP), or better still U2F.
Sure, it’s not perfect, but it’s still much better than the current situation, and it increases the cost of an attack exponentially for a malicious actor.
And sure, PayPal has not complained about that, to the best of my knowledge, but if a lot of people suddenly have a problem with PayPal accounts getting hacked, then there must be something the service can do or should do.
However, the two examples above are just that: examples. I’ve seen countless other situations where people don’t want to fix something and instead blame someone else and expect them to do it for them. It ranges from the time an airline asked me to use Internet Explorer on my iPhone, because that part of their website didn’t work with anything else, to cases like the ones above; it happens all the time.
In my mind, when you provide a service, such as a website, or access to the Internet, or certificates, you have to serve your users. You, and only you, are responsible for achieving that. If you want to maintain a certain level of security in your service, it’s up to you to do it. You shouldn’t expect every single person or system in the world to comply with your needs. If you do, then you already failed.
In our society, there are laws that prevent a lot of things and try to establish a common framework for all people. But in your everyday life, do you treat these laws as assumptions? Do you assume nobody will steal something from you because it’s illegal? Of course not. In cases such as the above, people don’t just do that; in some cases they even come up with their own rules that should apply only to them, and then try to force everyone interacting with them to follow these.
I am not saying this is bad. It’s not bad to try and create such bylaws. I’ve seen places that did, in the past, and I was okay with that since they did not violate my rights. However, you should never assume each and every one will follow these. In some cases, you can’t even assume the majority will follow your rules. You need to plan for that. You are responsible for handling these cases gracefully.
Of course, that doesn’t mean you should spend more time or money than it’s worth, and you’re not forced to serve all these people, but whatever you decide, it must be something that depends on you. If your solution requires everyone else to agree not to do something, or to always do something, then it is likely to fail.