The CA's Role in Fighting Phishing and Malware

As I already said, that’s going to happen. :smiley:

Where? I am curious. At least it is not in this topic, I just ran a search through it.

Just a few posts before yours:

Oh, I thought you meant the DNSSEC thing.

But the Firefox simplification has one problem: since normal and EV now both have a green lock, there’s no way to distinguish normal and EV on mobile at first sight, and who actually taps the lock to check whether it’s EV or not? I personally liked the grey lock.

And the marking of HTTP as insecure wants to go up to the point where all HTTP sites are marked as insecure, which goes a bit too far; there are still too many hosters that don’t offer HTTPS by default (which does make sense, because certs are still something that costs money), and pure info pages should therefore not get a warning just because they have no HTTPS, since there is nothing to enter there…

It's not that pressing there, but in the long run it should. Someone surveilling you can still get much more information if it's plaintext, and the information could be altered completely unnoticed by the user. Keep in mind that we live in a world where ISPs exist who inject ads into websites or do other nasty stuff (e.g. compressing images unasked).
Sure, in the meantime, until everyone is easily able to deploy HTTPS, there should only be a clear but not that annoying indication that it's a plaintext connection. The annoyance level can then be gradually increased by asking for confirmation for certain things and finally using something similar to the current unknown/expired/broken certificate warnings.

REALLY? WTF is that?

Well, it's unasked, true, but on mobile, when you get slowed down after like 500 MB, then it's something I personally like.

This definitely happens:
http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/

Google for "isp ad injection" or similar to get many more examples.

No, I don't like this; they should sell me enough volume at a reasonable price. And yes, in some countries this is actually the case already, which shows that these ridiculously low data caps are mostly there to drive profit margins.

Oh, no no no -- this is one of the most common misunderstandings of the fundamental value of HTTPS.

Without HTTPS, it is effectively impossible to tell if content was modified on its way to your computer. Tracking code can be injected. Your network activities can be collected and mined by government and corporate agencies. Both users and site owners are subject to attack.

A site that only serves login submissions over HTTPS is subject to attack, for instance, if an attacker changes the POST action of a login form or the links to the login page to redirect to the attacker's server, and you'd have no idea.

So yes, plaintext HTTP pages are insecure and users should be warned about that.

(Okay, this software needs to stop messing with my keyboard, I probably accidentally pressed Ctrl and Enter or whatever and it just got sent.)

Well, if some woman just builds a site for showing off her massage service using some builder (so essentially no technical knowledge), then I can’t assume that that person is smart enough to throw together a webserver, let alone use LE for HTTPS.

That's why website builder services should use Let's Encrypt to support HTTPS on their customers' sites.

But I don’t think that’ll happen so fast: “never change a running system”.

That's why browsers are going to break them.

But wait. Isn't one of the LE goals to make encryption easy enough and foolproof for anyone to set up with just two simple commands in less than a minute?

Well, assuming you understand a webserver. If you just have a generic hoster with a website builder, there are almost no options, and even if there are, they come with a price…

Even if I can understand that LE will not guarantee the quality of a website, I think it would be good to make a blacklist or list of critical domains that cannot be registered the same way as normal domains, because there is a high risk of phishing. For example:

I know that it is not the fault of a CA that the user does not check for an EV cert on important domains.
But it is always bad for the name of a CA if there are news sites that tell users that CA-XY is supporting some criminal with certificates for fake domains.

But there are important domains without EV certs, like Google, or Facebook, or Spotify, for example, so can you blame the user?

I think there should be a rule against IDN homoglyph attacks which is enforced and another list which might require human intervention.

I mean, just because a domain is listed as malware doesn’t mean it still is; it might be that someone bought it without knowledge of that, and well…

That's already part of standard CA practices and is already implemented.

That there is a blacklist is nice to hear. But let me guess, for security reasons this blacklist is not public.

Well, they use the Google malware domain list or whatever it’s called, so it’s probably public, or else LE couldn’t access it.

If you mean a list like http://www.malware-domains.com/, it is not what I have in mind.
What I have in mind is:

  1. A list of all EV domains.
  2. Remove the public suffix (https://publicsuffix.org/list/public_suffix_list.dat).
  3. Replace each homoglyph with the default char for the homoglyph (http://www.irongeek.com/homoglyph-attack-generator.php).
  4. If you get a new domain, do steps 3+4 with the domain and check it against the list.
     If it is in the list, flag it as critical.
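The four steps above as a worked example in Python; this is added here and is not code from the thread or from Let's Encrypt. The public suffix table, the homoglyph table and the EV domain list are small constructed subsets standing in for the real lists, and the check accepts both Unicode and punycode (xn--) spellings of a requested name.

```python
import unicodedata

# Constructed subset of the public suffix list (the real file has thousands of entries).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

# Constructed subset of a homoglyph table: each confusable character is mapped to
# the ASCII character it imitates. Two-character look-alikes are folded first.
HOMOGLYPH_PAIRS = {"rn": "m", "vv": "w"}
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",                 # Greek ο α, dotless i
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",             # digit/punctuation look-alikes
}

# Constructed stand-in for step 1, "a list of all EV domains".
EV_DOMAINS = ["paypal.com", "google.co.uk", "bankofexample.org"]


def to_unicode(domain):
    """Accept a U-label or an xn-- A-label spelling and return the Unicode form."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("idna")


def strip_public_suffix(domain):
    """Step 2: drop the longest known public suffix, keeping the registrable part."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:i])
    return domain  # no known suffix: compare the whole name (assumption)


def fold_homoglyphs(name):
    """Step 3: map confusable characters onto the ASCII they imitate."""
    name = unicodedata.normalize("NFKC", name)  # fullwidth forms, ligatures, etc.
    for pair, plain in HOMOGLYPH_PAIRS.items():
        name = name.replace(pair, plain)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name)


def canonical_key(domain):
    return fold_homoglyphs(strip_public_suffix(to_unicode(domain)))


# Steps 2+3 applied to the EV list once, keyed by canonical form.
PROTECTED = {canonical_key(d): d for d in EV_DOMAINS}


def classify(domain):
    """Step 4: return the EV domain a request collides with, or None if unremarkable."""
    return PROTECTED.get(canonical_key(domain))
```

A hit means "flag for human review", not "refuse": the exact EV domain itself also collides with its own entry, which is the intended behaviour of the list.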