The DV base ssl certificates that are regularly issued does nothing to ensure the domain contact is the proper contact to begin with.
Because of this, a rogue site could be craft and ultimately trusted by the "trusting" web end-user. These site are also wrongly labeled as the "evil twin" , as in a site that portray a legit site and with a trusted webserver certificate installed.
The best analogy I can come up.
" As a kid we are taught to trust the police office who has the badge , uniform and gun. We most likely will not question a person holding badge, gun, has a uniform on, and car that looks like a police car "
**Just like the city of troy trusted a wooden horse, we should always be skeptical of what we see**
The same holds true when we access a site with HTTPS, and see the secured "lock" button in the web-browser input box.
So again, when you access a web site https://www.paypal.com are you really secured? Do you know for a fact that the site has no MiTM device ( aka forward or a reverse proxy ) in your path ?
Because our browsers and the human element have been wean in thinking that with HTTPS and the S means secure , that we are actually secured. This is a big lie, fraud, misleading, etc....
here's a clue .
!!!! Nothing is 100% ( when we are on the internet and HTTPS ) secured and we have no ready means to id if a MiTM appliance is actually between you and the webserver !!!!
Add on the DV certificate process , and the fact it's not as stringent upon issuance , & you now have a situation that is just bad advertisement from a "security aspect"
The folks at anti-phishing consortium & ssl pulse have been tracking rogue sites for a while https://apwg.org/ and https://www.trustworthyinternet.org/ssl-pulse/ . The data collected should be studied by all in the IT security arena. imho
Enjoy and be safe ;)
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment