@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey" which can be divided into "platform-" and "roaming-authenticators") are identical except the #cloud-sync mechanism (as of my current understanding).

So unfortunately, they get mixed up or are considered as totally different things. Both is wrong.

In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed that way, that Passkeys are not being able to extracted from the device (at least for the moment).

Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.

@mensrea : if you visit a shop (or a bank) in the center of the city, chances are near zero that it's run by impostors.

However, if you go to some vague second hand market, chances are the you will be deceived.

Possibly worse, if there's an ATM on the outside wall of a shack where Hells Angels meet, would you insert your bank card and enter your PIN?

On the web, most people do not know WHERE they are.

Big Tech is DELIBERATELY withholding essential information from people, required to determine the amount of trust that a website deserves.

DELIBERATELY, because big tech can rent much more (cheap) hosting and (meaningless) domain names to whomever if website vistors cannot distinguish between authentic and fake websites.

You are right that some people will never understand why they need to know who owns a website.

However, most people (including @troyhunt ) would enormously benefit.

Like all the other deaf and blind trolls, you trash a proposal because it may be useless for SOME, you provide zero solutions and you keep bashing me.

What part of "get lost" do you not understand?

@aral @EUCommission @letsencrypt @nlnet

#Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks

@mensrea : it is not the UI/UX that is the problem. It is missing reliable info in the certs.

Image from https://infosec.exchange/@ErikvanStraten/114224682101772569

@aral @EUCommission @letsencrypt @nlnet

#Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks #CloudflareIsEvil #FakeWebsites

@aral :

I don't want to pay a cent. Neither donate, nor via taxes.

https://infosec.exchange/@ErikvanStraten/114227977082449887

@TheDutchChief @EUCommission @letsencrypt @nlnet

#Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks #CloudflareIsEvil #FakeWebsites

@aral : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.

They're the ultimate manifestation of evil big tech.

They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.

DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks).

Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).

However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake.

Decent online authentication is HARD. Get used to it instead of denying it.

REASONS/EXAMPLES

Troy Hunt fell in the DV trap: https://infosec.exchange/@ErikvanStraten/114222237036021070

Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: https://infosec.exchange/@ErikvanStraten/114224682101772569

https:⧸⧸cancel-google.com/captcha was live yesterday: https://infosec.exchange/@ErikvanStraten/114224264440704546

Stop phishing proposal: https://infosec.exchange/@ErikvanStraten/113079966331873386

Lots of reasons why LE sucks:
https://infosec.exchange/@ErikvanStraten/112914047006977222 (corrected link 09:20 UTC)

This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/. However, this gang is still active, open the RELATIONS tab in https://www.virustotal.com/gui/ip-address/13.248.197.209/relations. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/

@EUCommission @letsencrypt @nlnet

@BjornW :

I've stopped doing that after a lot of people called me an idiot and a liar if I kindly notified them. I stopped, I'll get scolded anyway.

Big tech and most admins want everyone to believe that "Let's Encrypt" is the only goal. Nearly 100% of tech people believe that.

And admins WANT to believe that, because reliable authentication of website owners is a PITA. They just love ACME and tell their website visitors to GFY.

People like you tooting nonsense get a lot of boosts. It's called fake news or big tech propaganda. If you know better, why don't you WRITE BETTER?

It has ruined the internet. Not for phun but purely for profit. And it is what ruins people's lives and lets employees open the vdoor for ransomware and data-theft.

See also https://infosec.exchange/@ErikvanStraten/112914047006977222 (and, in Dutch, https://security.nl/posting/881296).

@troyhunt @letsencrypt

#DV #Impersonation #AnonymousCertificates #Authentication #LetsAuthenticate #BigTechIsEvil #GoogleIsEvil #CloudflareIsEvil #LetsEncrypt #Identity #Authenticity #Phishing #Spoofing #CyberCrime #InfoSec #AitM #MitM #Weak2FA #WeakMFA #DVcerts #Certificates #ACME #USdependencies #USdependency #USdependent #USAdependencies #USAdependency #USAdependent

@troyhunt : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.

We also need better (readable) certificates identifying the responsible / accountable party for a website.

We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.

Important: certificates never directly warrant the trustworthyness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensuring that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.

More info in https://infosec.exchange/@ErikvanStraten/113079966331873386 (see also https://crt.sh/?Identity=mailchimp-sso.com).

Note: most people do not understand certificates, like @BjornW in https://mastodon.social/@BjornW/114064065891034415:
❝
@letsencrypt offers certificates to encrypt the traffic between a website & your browser.
❞
2x wrong.

A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.

However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.

Will you please help me get this topic seriously on the public agenda?

Edited 09:15 UTC to add: tap "Alt" in the images for details.

@Linux : you're definitely not fearmongering.

Eugene Kaspersky warned many times for fragmentation of the internet, like in https://www.smh.com.au/technology/cyber-spying-risks-the-future-of-the-internet-eugene-kaspersky-20131107-hv2g1.html more than 11 years ago:
❝
Mr Kaspersky said he feared governments would withdraw to their own parallel networks away from the prying eyes of others, and would cease investing in the development of the public internet, products and services.
❞

(An IMO nice read on internet history: https://eugene.kaspersky.com/2017/02/07/internet-archaeology/).

Personally I predicted many years ago that online identity fraud would cause too much damage soon.

Fortunately both predictions have not fully materialized, but we're definitely heading in the wrong direction.

Here's one example from many, severly undermining trust in the internet: https://www.bleepingcomputer.com/news/security/microsoft-trust-signing-service-abused-to-code-sign-malware/.

It's not just TLD's: by far most digital certificates are issued by Big Tech with pompous names like "Google Trust Services" - most of them to criminal websites.

See also https://gist.githubusercontent.com/qbourgue/071c333ff5182f031da3ba55cc7da1ec/raw/ec4ba396c0d1052cc8b0a69c1bad1e0e5aef2ab6/malicious_domains_impersonating_reddit_wetransfer_selfau3_dropper_lumma_stealer_20012025.txt (src: @_r_netsec in https://infosec.exchange/@_r_netsec/114211978370291738).

#Kaspersky #Fragmentation #Impersonation #Authentication #AitM #MitM #BigTechIsEvil #GoogleIsEvil #DVcerts