Half of all Phishing Sites Now Have the Padlock (krebsonsecurity.com)
You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure. From a report: Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That's up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old "look for the lock" advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe. In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
SSL (Score:1)
In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
Really? What's the thing underneath me that's approaching me really fast, here up in the sky? I think I'll call it ground. I wonder if it'll be friends with me. When writing or excerpting for Slashdot, please assume at least some minimal technical knowledge.
Also, of course people believe SSL is more than it is; companies have been pointing it out for years as proof they're secure.
Re: (Score:3, Funny)
I guess if they use SSL, then at least you can be sure only the phisher can read your data while you are submitting it...
Re: (Score:1)
Blame "Encrypt Everywhere" and Google's obsession with ruining the performance of sites everywhere by making it so that sites become hard to find in their search engine.
The EFF and Cloudflare brought this upon us all.
What needs to happen is that the browsers need to explicitly recognize three classes of SSL certificates:
- Free certificates (eg Encrypt Anywhere, Cloudflare, and any other service that provides VPN service,) which make the site about as credible as any non-SSL site, only that data transmitted
Re: (Score:2)
The problem is that Google's own Chrome browser no longer displays "Extended Validation" sites with a green block in the address bar. Try going to a DV SSL website and an EV SSL website and you'll see a green padlock with the word "Secure" before the actual URL.
Same thing in Safari, in my old Safari version 9 I see a big green rectangle but in the latest versions that has also disappeared.
So while EV certificates are more secure, it's like the companies behind the browsers don't really care about helping th
Re: SSL (Score:2)
you're right; SSL certs are not ironclad proof of identity. For a while though, they *were* a barrier. Sure, $20 a domain wasn't the biggest hurdle, but spinning up 10,000 variations of googkle.com *and* giving them all $20 SSL certs got costly...and also involved a paper trail. The padlock was never a barrier to a spear phishing attempt, but it made playing with big numbers far less profitable, meaning a site with a cert was generally more trustworthy than HTTP. Aunt Google wanted to de facto mandate SSL,
It's also WRONG (Score:3)
> In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL)
SSL was a protocol used by Netscape in the 1990s.
For the last decade or two we've been using TLS.
Try using a modern cert for SSL (Score:2)
Try using a modern certificate in an SSL server, such as Apache 1.2.
Some people mistakenly call it SSL. That doesn't make it SSL.
For example, you can call OpenVPN an SSL connection, but the fact is, it doesn't support SSL and it never has. It speaks TLS.
Good job web browsers! (Score:5, Insightful)
And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe. Sounds like the type of solutions politicians end up creating to fix one minor problem yet causing several more severe ones. It's not the job of web browsers to force websites to be secure. Just because they can wield such power because of the technical aspects doesn't mean they should.
Re:Good job web browsers! (Score:4, Interesting)
Pervasive surveillance v.s. censorship (Score:1)
The purpose of HTTPS everywhere is to force everyone to register. This is Orwellian, not a good thing.
Re: (Score:2)
Huh? Who has to register what now?
Re: (Score:2)
In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted
A false statement: the primary purpose of SSL/TLS is authentication, not "merely" encryption. Now, how that authentication (of the site) is performed, via a list of browser-approved CAs, has a lot of problems. But what it is supposed to do is assure you your Citibank.com site is actually Citibank and not a fake citibank.com hosted on some thief's server.
Re: (Score:3)
All a certificate does is to verify that traffic that you think originated from www.whateverserver.com actually does originate from www.whateverserver.com.
And for this you needn't register any personally identifiable information with anyone.
Re:Good job web browsers! (Score:5, Informative)
I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
There was something wrong. Anybody could man-in-the-middle attack your site. Now they can't.
Re: (Score:1)
Parent AC gets it right. There WAS a problem that HTTPS addressed. That problem needed to be fixed. Miseducation around the fix is another problem, but does not imply the first problem wasn't a problem or didn't need a fix. It did.
Re: (Score:1)
Anybody could man-in-the-middle attack your site. Now they can't.
Anybody? And what could they achieve by doing so? Please elaborate.
Malware injection, misinformation, asking your users to submit information that your site doesn't actually need or use. If you can't see any scenario where delivering content other than what you served up with your own web server is wrong, then you shouldn't be on the fucking internet.
Re: (Score:3)
Perhaps a different icon, a padlock says 'secure', need something to suggest protected/confidential link rather than a secure link.
Re: (Score:2)
That's why Chrome is getting rid of the padlock icon (it's already tiny and grey and they removed the extra verification bit where it used to say the company name, because that was useless as well). I think I read that Mozilla are planning the same.
The new scheme is flag sites which don't have HTTPS, with encrypted being the new normal. For trust we are basically screwed, we have nothing right now that can reliably identify a public web site or its owner.
Re: (Score:2)
The padlock does not say "safe", it says "secure connection".
To my grandmother, the padlock doesn't "say" anything. It's an icon that is designed to indicate security. You and I know that it means "secure connection", not "safe site". I love the fact that letsencrypt allows me to get a signed certificate for my personal sites. I hate the fact that it has lowered the barrier of entry for nefarious people. Like it or not, the little padlock adds credibility to a site. And the removal of the "This site isn't secure, are you sure you want to send your credit card in
HTTPS deters tampering (Score:5, Informative)
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.
Re: (Score:3)
With HTTPS being prevalent, it's not difficult for ISPs to have an install disk that sets up your computer for optimal browsing (i.e. installs a root certificate that tricks browsers into accepting intercepted HTTPS content.)
It probably already happened with SuperFish and Lenovo.
Re: (Score:2)
How do I insert the install disk into my phone? Many laptops don't even have an optical drive these days.
I haven't seen an ISP install disc for at least a decade. People expect to plug the modem in, use the default wifi password printed on it and start surfing. The days of ISP crapware are long gone, at least around here.
HTTPS has other benefits. (Score:1)
But centrally managed certificates are definitely not a help.
What should have been done was make SSC(Self Signed Cert)s give the yellow warning icon, improper authoritative certs give the red/broken lock symbol, sites with matching authoritative info getting the green lock, and then add a pinning option that pops up certificate information only for certified+pinned websites, allowing the user to have visual notice if it is a site they normally visit or a possible phishing site.
Honestly cert pinning needs to
Re: (Score:3)
Now users have a misguided trust that since a browser didn't warn them about a site, and since it has a secure padlock, it must be safe.
But now your site is safer. Your site visitors are much less at risk of being man in the middled than they previously were.
Re: (Score:2)
So... you wouldn't consider it a problem that someone MITMs the connection from the one seeking information on your page and feeds this person with garbage, while at the same time pretending that garbage comes from your page?
Re: (Score:2)
And this is what we get for browsers forcing websites to adopt HTTPS
No. This is what we get for attempting to educate people that an encrypted connection between two computers where the controlling parties at either end are unknown is considered "safe".
It's not. It never was. We developed a whole new concept of EV certificates because of that gap. That doesn't make the idea to push sites to use HTTPS bad in the slightest.
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner.
It's not up to you to decide if I may be persecuted for your "read only" information. It's not up to you to declare that information you send in plain text
Re:Good job web browsers! (Score:4, Interesting)
That is exceptionally worrying...
First:
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc.
Then you contradict that:
I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.
The terrifying part is you honestly believe your site actually doesn't require data being submitted back, when clearly it does.
You really *really* need to look your website over page by page and through the html files.
They no longer contain what you think they do, they have been changed, and changed to require your visitors to submit form field data back to your server.
If you didn't set that up, your site has been hacked.
Re: (Score:3)
> Browsers only warn on non-ssl sites if you are submitting data back to
> them. Not a single one warns if you don't do that.
WRONG. Go to an HTTP site in Chrome and it says (i) Not Secure in the URL bar starting with the very first visit.
Re: (Score:2)
The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.
Re: (Score:2)
Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.
Several JavaScript APIs are restricted to secure contexts only [mozilla.org], even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.
Re: (Score:1)
But if you are a good security consultant, you would realize that HTTP is necessary. If your potential client uses ShadyISP Inc. and you aren't using HTTPS, then ShadyISP can alter your webpage in transit and can inject Ads into your "info-only webpage", and that also won't look good for you, and this isn't even your fault, this is ShadyISP doing it. HTTPS also protects your info only page by not letting others alter it. You are foolish to think this won't affect you because some rather large ISPs such a
Browsers are awful in explaining X509 (Score:2)
For example, when navigating to
Re: (Score:2)
I would argue that making those details more prominent wouldn't really improve the situation. The problem is that users may barely glance for a padlock, but otherwise focus on the content area to see if it 'looks right' despite the fact the content area is totally under the control of the site operator.
User has to look at the location bar (which the operator can't control) and putting *more* information in it is going to probably make people even more likely to not bother.
Re: (Score:2)
Well, one step toward addressing this problem is to not just blindly show a padlock, but also show the identifier on the certificate (i.e. slashdot.org in this case). Additionally, highlight the domain in the address bar (i.e. https://it.slashdot.org/comments.pl?sid....). This way if there are shenanigans (i.e. if I navigate to a site that I think is slashdot.org, but end up at totallylegitsite.ru instead and they have a Let's Encrypt certificate), it will be more obvious.
Re: (Score:2)
Incidentally, at least in firefox, the 'slashdot.org' is in bold already.
Re: (Score:2)
No one ever told me to look at the padlock
No, but when you either get a padlock or "Not Secure" (Chrome), it still gives a misleading impression. Most people are not computer savvy and do not understand (or know) there is a difference between secure and safe.
Re: (Score:2)
I don't have to look at the padlock, but when I do, I've often seen the word "Secure" right next to it, even when I know it is not the case. Browsers blindly plopped that word on any HTTPS page, giving a false user impression for anyone who randomly glances in that general direction.
The "https" system was basically announced as secure since ~1995, originally via popups. This implied that it's secure in that you aren't
Did HTTPS upgrade popups mention phishing? (Score:2)
[Early notices about navigating to an HTTPS site] implied that it's secure in that you aren't going to get phished, have content tampered, etc.
I seem to remember the notices being phrased to the effect "Information you submit cannot be seen or changed by others while in transit". That covers the case of tampering and MITM phishing but not typosquat phishing.
Badly aimed education? (Score:1)
more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe
Really? Is that level of misunderstanding so pervasive?
How do we fix that? Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript? Those same people WILL need to know how the internet works, so let's teach that instead.
Re: (Score:2)
more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe
Really? Is that level of misunderstanding so pervasive?
As with everything, it depends on the demographic. Probably gets closer to 100% when you start asking 50+ year olds.
Can our schools start to teach things like this, instead of "how to use javascript 101" for people who'll never in their life need to write a line of javascript?
I took probably 10+ semesters of math (and various "life skills" classes) throughout my educational career, but I still had to teach myself how to do my taxes.
Online college; K-12 students with poor parents (Score:2)
Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer.
In the case of face-to-face instruction, a key signing party at freshman orientation is practical. But in the case of an online university, how would trusted introduction be accomplished?
So, it really would be a good test for whether or not someone is ready to graduate middle school.
Now you mention that you meant middle school, not college. In the case of middle school, how would a student with underprivileged parents afford a computer and Internet access in the first place with which to complete and submit homework? I don't see how it would be practical to expect every student to work to afford his or
Web users need to be aware (Score:1)
I think we are expecting web browsers to be our net nanny these days. It has been my experience that the informed and educated user is the one who can use the web safely because they know how to do so. No feature or safety implementation in a browser can protect you when you can't recognize the obvious.
Re: (Score:1)
No feature or safety implementation in a browser can protect you when you can't recognize the obvious.
^ So much this.
The way to a safer internet is for people to engage and use their brains. There's no way you can ever nanny it into safety, because (1) that creates yet a dumber breed of user, who (2) can be exploited in even more ways, because they aren't thinking about what they are doing.
Consider the clusterfuck of Android malware and spyware, vs the relative safety of Linux. There is no technical reason the Linux ecosystem couldn't run malware and spyware. However it is a relatively safe ecosystem bec
lock AND the url (Score:4, Insightful)
I give the "lock & URL" advice to people all the time - isn't that enough? You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.
Re: (Score:2)
Per the example in the article, evidently there are people that don't look at the location bar at all if they see the lock. This means users need to understand that the padlock just means the identity is verified, but they have to decide if that identity matches what they were expecting.
Re: (Score:2)
In fairness, the location bar often has very meaningless information. My credit union's login domain is (sometimes) different than their name, and is only used for login. (They appear to outsource their website and a number of other functions to some credit union pool/provider.) I complained to them about it, and they slowly improved one aspect-- but it isn't easy.
Extended Validation is about the only thing that you can try to trust now, as who the heck can keep track of which CAs they should trust and w
Re: (Score:2)
Of course in an outsourcing SSO situation, the EV SSL would similarly indicate the provider, *not* the financial institution...
Re: (Score:2)
They actually outsource all of the e-banking, but the login-failed page and one other one I would hit periodically (could have been related to the trusted computer setup) were not properly configured.
No, it doesn't bode well for their security either...
Re: (Score:2)
It is easy to tell a site that may have problems. Just hit the refresh button over and over and you maybe get a 500 error.
That might be on purpose, as a means of conserving resources for legitimate visitors in the face of a denial of service attack.
Using something other than .NET or Java indicates something may not be right.
Yet you're posting on a site that "may not be right". Slashdot is written in Perl, and Wikipedia is written in PHP.
Re: (Score:2)
U xpect ppl to b abl to reed?
Re: (Score:2)
omgwtfbbq reed alert
l4rn 2 wr1t3 dud3
Re: (Score:2)
NO!!! You're part of the problem. The lock only certifies that the machine on the other end is the correct destination typed in the URL bar and that no one else is listening. It DOES NOT AND NEVER HAS certified who owns that machine.
You do need to be sure that its gmail.com and not gmale.com, part of being an adult netizen.
This however is good advice. Good advice is to not follow links. Good advice is to manually type in addresses. If you've manually typed and checked addresses AND see the lock you're in a pretty good place. Additionally good advice would be to look for EV certifications. Google d
Re: (Score:2)
> You do need to be sure that its gmail.com and not gmale.com,
> part of being an adult netizen.
Ah yes, blame the user. Because it's their fault if they don't have perfect eyesight and can't spot the flaw in https://www.grnail.com/ [grnail.com] or https://www.googIe.com [googie.com]. I can't wait to hear you blame your parents for being stupid when they get scammed.
SCAMMERS ARE ASSHOLES. We need a strong, MULTI-LAYERED DEFENSE against them. Not just "you'd better know what you're doing."
Re: (Score:2)
www.13g17-b4nk.com
Certificate Authorities are not giving us value. (Score:3)
These Certificates are often expensive, relatively complex to set up, and rarely ever give any real value. A self-signed cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business, where you could prove you are who you say you are. But they have been giving certs to anyone without any research; just as long as you pay the bill you are good to go, so you are not getting value out of these Certs except for the artificial browser scary error that you are a horrible person for using an unauthorized Cert.
Re: (Score:3)
There may be flaws in the CA system, but this article isn't really related.
The problem is that users aren't even bothering to see *what* the authority validated. A CA can't reasonably out that serveirc.com is going to try to impersonate paypal.com. They can revoke that certificate upon reporting abuse and such. The CA and DNS can do things to prevent shenanigans like paypa1.com or more clever unicode things, but at some point the user *has* to validate some part of the UI that *isn't* totally controlled b
Re: (Score:2)
In practice, registrars and CAs and the most prominent companies are doing things so that visual inspection of the name part of the URL plus padlock is enough to feel somewhat good; seeing the legal entity name (EV SSL) is even better. It's unlikely that a phishing site can have a domain that visibly resembles a well-known site's name with a trusted cert in this day and age.
Yes, places bouncing around through third party servers exist. If that third party is obviously a well known payment processor (paypal, vis
Re: (Score:2)
A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business
I see three different levels of assurance.
1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band.
2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name.
3. An organi
Re: (Score:2)
The same level of encryption but not the same level of authenticity. What a CA issued cert says is that the server that you're connecting to is actually the server you're connected to and that no MITM is happening.
That doesn't make www.bankofmurrica.com any more a page that you should enter your BA-credentials at, but it certifies that you're really talking with www.bankofmurrica.com and not www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn.
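Added example, not code from any commenter: a hostname matcher in the style browsers apply RFC 6125, which makes concrete what the identity check behind the padlock actually compares. The subjectAltName list for the fictional bank and the hostnames it is checked against are constructed for this example; the wildcard handling (a bare `*` only as the whole left-most label, matching exactly one label) is the standard rule.

```python
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry against a hostname.

    Rules as browsers apply RFC 6125 section 6.4.3: the only wildcard allowed
    is a bare '*' as the entire left-most label, it matches exactly one label
    (never across a dot), and at least two fixed labels must remain to its
    right, so a pattern like '*.com' is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels):
        return False
    return pat_labels[1:] == host_labels[1:]


def certificate_matches(san_dns_names, hostname: str) -> bool:
    """True when the hostname the user navigated to is covered by the
    certificate's subjectAltName dNSName entries.

    This comparison of names is the whole of the identity check behind the
    padlock: it says the server answering for this name holds a key that a CA
    bound to this name, and nothing about who is behind the name.
    """
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return False  # IP literals need an iPAddress SAN entry, not a dNSName
    except ValueError:
        pass
    return any(_dns_name_match(p, hostname) for p in san_dns_names)


# Constructed SAN list for a fictional bank's certificate (not a real cert).
BANK_SAN = ["www.bankofmurrica.com", "*.bankofmurrica.com"]


def check_examples():
    """Return hostname -> whether BANK_SAN covers it, for the cases in the thread."""
    hosts = [
        "www.bankofmurrica.com",
        "login.bankofmurrica.com",          # covered by the one-label wildcard
        "a.b.bankofmurrica.com",            # wildcard does not span two labels
        "www.bankofmurrica.com.wallawalla.thingamajig.hackmeimcute.cn",
        "bankofmurrica.com.cn",
    ]
    return {h: certificate_matches(BANK_SAN, h) for h in hosts}


if __name__ == "__main__":
    for host, ok in check_examples().items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'} {host}")
```

The long `.cn` hostname from the comment fails because every label has to agree, not just a prefix; a certificate for that name would be a different, independently valid certificate, which is exactly why the match result carries no information about the legitimacy of the site.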
Re: (Score:2)
These Certificates are often expensive, relatively complex to setup rarely ever give any real value.
Certifications are neither complex to setup nor do they not provide value. The people who claim they don't are those who do not understand what these certificates actually certify. Hint: It wasn't about the person on the other end, it was about the computer and the computer alone. Incidentally all these certifications are now able to be had for free.
On the other hand extended validation certifications are "expensive". I use quotes because frankly paying a few thousand dollars for the privilege of securing v
Re: (Score:2)
At best certs verify that the owner of the domain name is also the owner of the server. So why not just publish cert details in dns, secured by dnssec?
Sure, if your dns records get "hacked" somehow, you're screwed. But with how easy it is to get a cert from lets encrypt, that's already true now.
Re: Certificate Authorities are not giving us value (Score:2)
Actually they are the problem. The majority, and yes I mean that, of these phishing sites are using let's encrypt certs.
Re: (Score:2)
And how should it? Who'd know what you WANT to connect to but you yourself? Maybe you do want to connect to https://www.comparethemeerkat.... [comparethemeerkat.com] and not https://www.comparethemarket.c... [comparethemarket.com]
(and yes, they both exist and the former is an advertising gimmick for the latter)
"Their job" according to DV and OV CAs (Score:2)
If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser
I think it has something to do with a misconception of what "their job" means. Let's Encrypt, SSLS.com, and other CAs specializing in "domain validation" think the job of a TLS certificate authority is to ensure that only the entity that controls a hostname can act as that hostname. The "organization validation" camp, which includes the "Extended Validation" camp, thinks a certificate also ought to identify the real-world business behind a particular hostname. They use as an example bankofarnerica.com belon
Re: (Score:2)
Of course, other than financial companies themselves, not a whole lot of EV SSL sites. For example, not even Amazon bothers to do EVSSL.
Re: (Score:2)
Well they are called Twitter, after all.
Totally flawed system really only for $$$ (Score:2)
Governments issue corporation documents and reasonably track that information. I remember needing a state ID along with paperwork to incorporate.
The government can relatively CHEAPLY use open source tools and some existing servers to digitally sign things.... SSL should be using MULTIPLE signing parties with the government incorporation data and it's "stamp of approval" for the corporation behind the site existing. At least then you can trace it back to the government and then to the business owners.
3rd p
Re: (Score:2)
Under your proposal, how would it be practical for an individual writer to sell subscriptions to read her writing on her website? Or would you prefer that all subscriptions go through a single point of failure such as Patreon?
Re: (Score:2)
The issuer is doing its job. The job of the issuer is to verify that the domain name is properly pointed at the right IP-Address. What else would you consider the issuer's job?
That you think www.mybank.com.cn is www.mybank.com is YOUR problem. Not the CA's.
Re: (Score:2)
Some of these CAs have been caught giving out certs to non-owners of websites and when those CAs are big enough they won't get removed from the list.
You mean like WoSign and Symantec, whose roots browser publishers have phased out?
Chrome (Score:2)
There are indeed people who would think the way the article describes.
Hmm, maybe Chrome making the lock gray now wasn't as dumb as I thought. While the absence of https (at least according to Google) is baaaaad, the mere presence of it doesn't mean all that much.
Proxy (Score:2)
Re: (Score:2)
How's this relevant?
Not a new problem (Score:2)
HTTPS was never designed to verify if a website is trustworthy or validate that they will do good things with the data you send to them. The only thing is does is ensure that you can be sure you're talking to the actual website you asked for based on the URL and that nobody else read or changed the data sent by the server as it traversed over the network.
If we really want to protect things like user credit card numbers we should have a system where we don't have to send our credit card details to a website
Re: (Score:2)
Not even that. And even if, what does it help you that Mr. Ali Ben Gali from Generistan paid for the certificate of the server that just ripped you off? You can bet good money that Mr. Gali doesn't even know anything about the transaction, since it takes about a month for a credit card fraud to get detected and shady pages are up for maybe a few days.
be careful here! (Score:2)
DV allegedly enables typosquatting (Score:2)
The site REALLY IS the site it claims to be
I guess it depends on how you define "the site it claims to be". If you write "snadze" in Cyrillic,* it'll resemble "chase" except that the "h" will be a small capital. The Punycode form of this name part is xn--80akwp6h. If you then go register xn--80akwp6h.com [xn--80akwp6h.com], you then prove to a domain-validating certificate authority that you own xn--80akwp6h.com, which a browser will display as "{snadze}.com" except with the actual Cyrillic letters. At this point, you can fool people who don't check the URL bar very
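Added example (not the commenter's code) that carries the Cyrillic "snadze" case through: it converts a displayed hostname to the A-label form a domain-validating CA actually certifies, and runs a lookalike check of the kind a browser or mail filter can do. The confusables table is a small constructed subset of the Unicode confusables data, and the protected-brand list and sample hostnames are constructed for the example.

```python
import unicodedata

# Constructed subset of the UTS #39 confusables table: Cyrillic letters that
# render (almost) identically to Latin ones in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u043d": "h",  # Cyrillic en, a small-capital H look-alike (the thread's case)
}

# The commenter's example: "snadze" in Cyrillic (es, en, a, dze, ie).
SNADZE = "\u0441\u043d\u0430\u0455\u0435"


def to_ascii(hostname: str) -> str:
    """Convert a displayed hostname to its A-label form, label by label.

    Non-ASCII labels become 'xn--' plus their Punycode (RFC 3492). Real IDNA
    processing also normalizes the label first; the inputs here are already
    lowercase, which is all this example needs.
    """
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in hostname.lower().split(".")
    )


def skeleton(label: str) -> str:
    """Map each confusable character to the Latin letter it looks like."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def script_of(ch: str):
    """Rough script name from the Unicode character name's first word."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(label: str) -> set:
    return {s for s in map(script_of, label) if s}


def analyze(displayed_host: str, protected_hosts) -> list:
    """Return a list of findings about a hostname as the address bar shows it."""
    findings = []
    host = displayed_host.lower()
    a_label_form = to_ascii(host)
    if a_label_form != host:
        findings.append(f"idn: displayed as {host!r}, certificate name is {a_label_form}")
    for label in host.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed-script label {label!r}")
    skel = ".".join(skeleton(label) for label in host.split("."))
    for protected in protected_hosts:
        if skel == protected.lower() and a_label_form != protected.lower():
            findings.append(f"lookalike of {protected}")
    return findings


if __name__ == "__main__":
    brands = ["chase.com", "paypal.com"]          # constructed brand list
    for host in [SNADZE + ".com", "p\u0430ypal.com", "chase.com"]:
        print(host, "->", to_ascii(host), analyze(host, brands))
```

Run as-is, the first line of output shows the Cyrillic name mapping to xn--80akwp6h.com with two findings (an IDN label and a lookalike of chase.com); the pure-ASCII chase.com produces none. The skeleton comparison is what catches the whole-script case the comment describes, which a mixed-script rule alone would not flag.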
Re: (Score:2)
All these problems could have been avoided if Let's Encrypt had known about RFC 3514.
Re: (Score:2)
Let's Encrypt does exactly what the certificate issued can do: Verify that the webpage the traffic originates at is the webpage in the URL line. Nothing more, nothing less.
And no CA can actually guarantee anything else.
Re: (Score:2)
Unfortunately it's been peddled in "computer magazines" where writers who, at the most, know that TCP ain't the abbreviation for the Chinese secret service hand out advice to their even less computer literate audience.