
LetsEncrypt issuing over 100 SSL certificates per day to phishing sites.


kitz:
Chrome/Mozilla are forcing sites running forums to get SSL certificates or their sites get marked as insecure by the browser.
This week it was announced that many thousands of SSL certificates have been issued to phishing sites by Let's Encrypt - over 15,000 to PayPal phishing sites alone - but others include the likes of Apple, Google, Bank of America etc.

So now we have hundreds of thousands of phishing sites that, because they are HTTPS, could literally lull the average Joe Bloggs into a false sense of security because their browser displays the secure padlock. :(


--- Quote ---Kolochenko believes that web browsers marking any HTTPS website as secure are more responsible for the increasing problem with phishing.

"Web browsers encourage users to blindly trust the HTTPS websites' security without any justifiable reason, failing to mention that it's only about channel encryption and almost nothing about website trustworthiness or web application security," he said, emphasising that it was now difficult to determine whose carelessness contributed more to the increase of phishing campaigns.

Kolochenko also questions whether it is reasonable to encrypt all web traffic, as he believes it allows malware to easily bypass various security mechanisms more efficiently, causing huge damage to end users and companies.

"I am quite sure that if we will see how many of Let's Encrypt SSL certificates are used by malware to exfiltrate stolen data - results will be pretty scary. Therefore, it's difficult to predict how Let's Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer,"
--- End quote ---

http://www.theinquirer.net/inquirer/news/3007326/lets-encrypt-has-issued-15-000-ssl-certificates-to-paypal-phishing-sites

burakkucat:
Hmm . . .  :hmm:

:wall:

Chrysalis:
Is there actual evidence though that encrypted phishing sites fool more people than unencrypted ones?

We cannot handhold 100% of the way; human stupidity will always play a part.  Pushing for an encrypted web is a good thing, Let's Encrypt is a good thing.

The only valid points I see are that virus scanners have a hard time dealing with HTTPS traffic for their protocol scans since HTTPS is designed to avoid MITM.

The solution is probably to try and educate users that the padlock simply ensures the end-to-end connection is private but not the legitimacy of the site.  I expect what may happen in the future is only EV verified sites get a green padlock and others using cheaper validation will use something like yellow or amber, but even that would not be 100% as phishing sites can still be EV validated; it's just a more expensive and slower process.

Remember also that Let's Encrypt has lost commercial certificate providers a lot of money as those providers charge fees for automated processes, essentially ripping people off.  This alone will draw bad press to Let's Encrypt to try and drop public confidence in it.

Weaver:
I have spent years educating staff belonging to my customers about what the padlock doesn't mean. I pretended to set up a domain name called barclays-secure.co.uk and explained to customers that just because the name looked impressive it didn't mean anything, and showed them that I personally was the owner. That certainly worked, as they never believed in URLs or email addresses any more after that. (I also showed them how even a young child could send an email with a spoofed From address.)
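As an added example, not part of the thread, this is the kind of check a brand owner would run to find certificates like those counted in the first post, and it also catches the barclays-secure.co.uk style of name Weaver describes: search certificate-transparency-style records for a brand name on a domain the brand does not own, folding punycode look-alikes first. The records are constructed, and the brand list, allow-list, confusable table and crude public-suffix handling are assumptions, not anything from the thread.

```python
# Brand tokens assumed for illustration; not a real watch-list.
BRANDS = ("paypal", "barclays", "apple", "bankofamerica")
# Hypothetical allow-list of domains the brand owners actually control.
LEGITIMATE = {"paypal.com", "barclays.co.uk"}
# A few Cyrillic letters that render like Latin ones (small, illustrative table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})

# Constructed certificate records in the shape a CT log search returns; a DV
# certificate carries no organisation (subject_o is None), only host names.
# The fourth record uses a Cyrillic "a" in "paypal", stored as punycode as a certificate would.
SAMPLE_ENTRIES = [
    {"issuer": "Let's Encrypt Authority X3", "subject_o": None, "names": ["paypal.com.secure-login-verify.example"]},
    {"issuer": "Let's Encrypt Authority X3", "subject_o": None, "names": ["barclays-secure.co.uk"]},
    {"issuer": "DigiCert SHA2 Extended Validation Server CA", "subject_o": "PayPal, Inc.", "names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "Let's Encrypt Authority X3", "subject_o": None, "names": ["p\u0430ypal.example".encode("idna").decode("ascii")]},
    {"issuer": "Let's Encrypt Authority X3", "subject_o": None, "names": ["forum.example.net", "example.net"]},
]

def normalise(host):
    """Lower-case, decode punycode labels, and fold the listed look-alike letters to ASCII."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode: keep as-is
    return host.translate(CONFUSABLES)

def registrable(host):
    """Rough eTLD+1 without a public-suffix list: keep three labels for suffixes like co.uk."""
    labels = host.split(".")
    two_part = len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov", "com"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if two_part else labels[-2:])

def brand_in_name(host):
    """Return the first brand token found in the flattened, normalised hostname, or None."""
    flat = normalise(host).replace("-", "").replace(".", "")
    return next((b for b in BRANDS if b in flat), None)

def flag_entries(entries, legitimate=LEGITIMATE):
    """Flag certificates naming a brand on a domain the brand owner does not control."""
    flagged = []
    for entry in entries:
        for name in entry["names"]:
            brand = brand_in_name(name)
            if brand and registrable(normalise(name)) not in legitimate:
                flagged.append({"name": name, "brand": brand, "issuer": entry["issuer"],
                                "org_validated": entry["subject_o"] is not None})
                break  # one hit per certificate is enough
    return flagged
```

Every hit here is a DV certificate with no organisation in the subject, which is exactly why the padlock alone says nothing about who is behind the name.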

kitz:
I'm not sure about any actual numbers, but I could imagine certain people would.  There are plenty of people who fall for scams as it is, never mind what they would think if they saw the padlock.
I always used to impress on my dad that if he was making any purchases to ensure he looked for a padlock.  Those types of people would need re-educating that "secure site" does not mean secure, although I'd like to think he wouldn't have fallen for a fake URL.  With us being a technical forum, users here are far more likely to be astute than the majority of people.

---

I think he makes a valid point too in asking why we need to encrypt all web traffic.  I can fully understand if you are making purchases and passing sensitive data... but forums, blogs etc?

It forces a lot of work for some site owners and there's still the problem to overcome re any images that are in forum posts, which will trigger the insecure message anyhow.

>> Remember also that Let's Encrypt has lost commercial certificate providers a lot of money as those providers charge fees for automated processes, essentially ripping people off.

A fair enough point.  But I've looked at Let's Encrypt - there's a lot of reading to do and I'm still not sure how I'd go about remembering to renew every 90 days.
Also I think I may be a bit trapped.  Although my hosts allow Let's Encrypt for free on their shared cloud platform, there's a £19+VAT third-party installation fee on my server.

I have WHM and cPanel but am also scared that I will break something.  I'm not in a position right now to read through loads of jargon.  There's also a reason why I pay for managed hosting: normal admin takes up most of my time and I'm best leaving that side of things to people who know what they are doing.  It would probably be easiest for me to pay my hosts for the full lot.  Even so, I'm waiting to see what happens with SMF 2.1, which is supposed to make HTTPS configuration more straightforward.

As I've also said before, a concern I also have about SSL is protecting myself.  I have a very valid reason for doing so, and that's not because I'm hiding anything but because of the very few people who have been banned who turned out to be problematic.  One wrote to my ISP demanding my personal details after I banned him for pretending to be something he wasn't and spamming members in PMs... and in another case there were veiled threats suggesting my daughter could end up as kebab meat. I was deliberately reported to Nominet that very same week as a trading site in an attempt to publicly disclose my address.
The relevant authorities know how to contact me - indeed they have done so, turning up unannounced trying to track someone down.  I'm not selling anything, it's not a company, it's a non-profit-making community help site.  It's the latter category which are finding these changes the most difficult.
