Tuesday, January 3, 2017

Why DV SSL certificates are frowned upon

Domain Validated (DV) SSL certificates are typically looked at as less secure, with a weaker validation process.

The DV-based SSL certificates that are regularly issued do nothing to ensure the domain contact is the proper contact to begin with.

Because of this, a rogue site could be crafted and ultimately trusted by the "trusting" web end-user. These sites are also wrongly labeled as the "evil twin", as in a site that portrays a legit site and has a trusted webserver certificate installed.

The best analogy I can come up with:

"As kids we are taught to trust the police officer who has the badge, uniform and gun. We most likely will not question a person holding a badge and gun, wearing a uniform, and driving a car that looks like a police car."

**Just like the city of Troy trusted a wooden horse, we should always be skeptical of what we see**

The same holds true when we access a site with HTTPS and see the secured "lock" button in the web-browser input box.

So again, when you access a web site such as https://www.paypal.com, are you really secured? Do you know for a fact that the site has no MiTM device (aka a forward or a reverse proxy) in your path?

Because our browsers and the human element have been weaned into thinking that with HTTPS the S means secure, we think that we are actually secured. This is a big lie, fraud, misleading, etc....

Here's a clue.

!!!! Nothing is 100% secured (when we are on the internet and HTTPS), and we have no ready means to identify if a MiTM appliance is actually between you and the webserver !!!!


Add on the DV certificate process, and the fact that it's not as stringent upon issuance, and you now have a situation that is just bad advertisement from a "security aspect".
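The lock icon does not say which validation process a certificate went through, but the certificate itself usually does. The following is an added example, not part of the original post: it reads the certificatePolicies extension from DER bytes and maps the CA/Browser Forum policy OIDs to DV, OV, IV or EV. The OIDs are public registry values that the post does not mention, and the function names and the sample bytes are made up for this illustration.

```python
# Added example: CA/Browser Forum policy OIDs (public registry values).
CABF = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
        "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}
CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies extension

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OID content bytes to dotted notation."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(der):
    """Walk DER recursively; return the OIDs listed in certificatePolicies."""
    found, pos, last_oid = [], 0, None
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == 0x06:
            last_oid = decode_oid(value)
        elif tag == 0x04 and last_oid == CERT_POLICIES:
            _, seq, _ = read_tlv(value, 0)  # SEQUENCE OF PolicyInformation
            p = 0
            while p < len(seq):
                _, info, p = read_tlv(seq, p)
                found.append(decode_oid(read_tlv(info, 0)[1]))
        elif tag & 0x20:  # constructed type: descend into it
            found += policy_oids(value)
    return found

def validation_level(der):
    """Level the issuer asserts, or 'unknown' if no CABF policy OID is present."""
    levels = [CABF[o] for o in policy_oids(der) if o in CABF]
    return levels[0] if levels else "unknown"
# Constructed sample: one Extension carrying the single policy 2.23.140.1.2.1.
SAMPLE_DV_EXT = bytes.fromhex(
    "30 13 06 03 55 1d 20 04 0c 30 0a 30 08 06 06 67 81 0c 01 02 01")
```

For a live site, the DER input can be obtained with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`. The result only reports what the issuing CA asserts about its validation process; it says nothing about whether a proxy sits in the path.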

The folks at the anti-phishing consortium & SSL Pulse have been tracking rogue sites for a while: https://apwg.org/ and https://www.trustworthyinternet.org/ssl-pulse/. The data collected should be studied by all in the IT security arena, imho.

Enjoy and be safe ;)

NSE (network security expert) and Route/Switching Engineer
