shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#bigtechisevil

Erik van Straten<p><span class="h-card" translate="no"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>jwildeboer</span></a></span> wrote:<br>"Dear <a href="https://infosec.exchange/tags/Letsencrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Letsencrypt</span></a>, you helped secure millions and millions of servers"</p><p>They never did. Since Forward Secrecy is used (which is good), the one and only purpose of an X.509 certificate is to authenticate an entity, based on unique and *useful* identification of said entity.</p><p>Have a look at <a href="https://crt.sh/?q=968717.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=968717.com</span><span class="invisible"></span></a> for the "usefulness" of identification (and waste of resources).</p><p>Or what about <a href="https://crt.sh/?q=localbit.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=localbit.com</span><span class="invisible"></span></a> which includes certificates for <a href="https://ww25.ww38.ww38.ww38.ww16.ww25.ww25.ww38.localbit.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ww25.ww38.ww38.ww38.ww16.ww25.</span><span class="invisible">ww25.ww38.localbit.com</span></a>? 
(I can give you zillions of examples like this).</p><p>Although a DV-cert may suffice for server to server communication (*), a domain name simply does not suffice for useful identification by humans.</p><p>Fix: <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a>.</p><p>(*) Certificate misissuances: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>.</p><p><a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/DomainValidation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DomainValidation</span></a> <a href="https://infosec.exchange/tags/BrowsersSuck" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BrowsersSuck</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" 
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a></p>
Erik van Straten<p>Public key cryptography for laypeople</p><p>It is a bit makeshift with "ASCII graphics", but in <a href="https://www.security.nl/posting/884482/Public+keys+voor+leken" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/884482/Pub</span><span class="invisible">lic+keys+voor+leken</span></a> I try to explain, also to the less digitally skilled, how asymmetric cryptography works.</p><p>Make use of it, because this technique is an important foundation of an ever more digitalising society.</p><p>You will learn how a digital signature works and what a digital certificate is.</p><p>Far too few people understand that properly, and that greatly hampers a decent discussion about these techniques.</p><p>Big tech is the laughing third party: they maximise their profits while all the risks are for your account.</p><p><a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EchtVanNepKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepVanEchtKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/NepWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepWebsites</span></a> <a 
href="https://infosec.exchange/tags/BankHelpdeskFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BankHelpdeskFraude</span></a> <a href="https://infosec.exchange/tags/OnlineOplichting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineOplichting</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/BasisKennis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BasisKennis</span></a> <a href="https://infosec.exchange/tags/Encryptie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryptie</span></a> <a href="https://infosec.exchange/tags/Cryptografie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cryptografie</span></a> <a href="https://infosec.exchange/tags/DigitaleVaardigheden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DigitaleVaardigheden</span></a> <a href="https://infosec.exchange/tags/PublicKeyCryptografie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PublicKeyCryptografie</span></a> <a href="https://infosec.exchange/tags/AsymmetrischeCryptografie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AsymmetrischeCryptografie</span></a> <a href="https://infosec.exchange/tags/PrivateKey" class="mention hashtag" 
rel="nofollow noopener noreferrer" target="_blank">#<span>PrivateKey</span></a> <a href="https://infosec.exchange/tags/PubliekeSleutel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PubliekeSleutel</span></a> <a href="https://infosec.exchange/tags/PrivateSleutel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivateSleutel</span></a></p>
Erik van Straten<p>Viruses and phishing</p><p>(A late reaction to a discussion between <span class="h-card" translate="no"><a href="https://mastodon.nl/@EllyvA" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EllyvA</span></a></span> and <span class="h-card" translate="no"><a href="https://mastodon.nl/@ximaar" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ximaar</span></a></span> ending with <a href="https://mastodon.nl/@EllyvA/114064535418745561" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.nl/@EllyvA/1140645354</span><span class="invisible">18745561</span></a>.)</p><p>Computer viruses, in the sense of malware (malicious software) that spreads itself, I hardly see anymore - because people no longer use floppies to exchange data.</p><p>Cybercriminals now mainly use social engineering to rob people, or to obtain confidential data with which they then convince people that they are a trustworthy party.</p><p>If they do create malware, the malicious component consists of a program (or a script in some document or other) that they modify with every distribution, and first test against all common virus scanners (which leaves most scanners initially without a chance).</p><p>In an ever larger share of cases, malware abuses software installed on Windows by default ("lolbins" - Living Off the Land binaries) or installs a legitimate driver through which elevated rights (administrator privileges) are obtained.</p><p>Also very popular are RATs, Remote Access Tools such as Teamviewer and Anydesk (increasingly abused on Android and iPhones too). 
People are often lied to that they should install a virus scanner - and that turns out to be such a RAT, see <a href="https://infosec.exchange/@ErikvanStraten/113987804370380156" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113987804370380156</span></a>.</p><p>And indeed phishing is a gigantic problem - against which virus scanners help hardly or not at all, because criminals keep using new domain names (example: <a href="https://security.nl/posting/879531" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/879531</span><span class="invisible"></span></a>) for their websites, and often deploy captchas that virus scanners cannot "get through".</p><p>It also happens that data automatically sent by browsers, and/or IP addresses, and/or the time of day must often meet specific criteria before the malicious version of a website is shown (see screenshot, press Alt for more info).</p><p>The best thing you can do, after opening a web page, is to pay attention not to the content but to the DOMAIN NAME (in the address bar of the browser). 
For far too many people, however, it is (virtually) impossible to determine that a given domain name is *not* from the suggested organisation - and unfortunately there is no SIMPLE and reliable recipe for this.</p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Virusscanners" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Virusscanners</span></a> <a href="https://infosec.exchange/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialEngineering</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a></p>
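The post above ends with the advice to judge the domain name in the address bar rather than the page content, and notes that there is no simple recipe for doing so. The mechanical part of that judgement can at least be automated: the following Python script is an added example, not code from the original post, that reduces a URL to its registrable domain and flags the tricks that pad or disguise it (userinfo before "@", punycode look-alikes, bare IP addresses, and long subdomain chains like the localbit.com certificate names quoted earlier on this page). The tiny suffix table is a constructed stand-in for the Public Suffix List, and the sample hosts bank.nl, evil.example and the Cyrillic-a "pаypal.com" are constructed; everything else is standard library.

```python
"""Added example (not from the original post): reduce a URL to the
registrable domain a person should judge in the address bar and flag
the tricks that pad or disguise it.  Standard library only."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# A real tool must load the full list; this stub only knows a handful.
PUBLIC_SUFFIXES = {"com", "net", "org", "nl", "bond", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a lowercase hostname.

    Tries the longest suffix first so that 'co.uk' wins over 'uk'; for an
    unknown suffix it falls back to the last two labels."""
    labels = host.rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def analyse(url: str) -> dict:
    """Return the host, its display form, the registrable domain and a
    list of warnings for the common address-bar tricks."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    # https://www.bank.nl@evil.example/ : everything before '@' is userinfo,
    # the real host is what follows it.
    if parts.username is not None:
        warnings.append(f"userinfo '{parts.username}' before '@' is not the host")

    # A bare IP literal has no domain to judge at all.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
        return {"host": host, "unicode_host": host, "domain": host,
                "warnings": warnings}
    except ValueError:
        pass

    # Punycode (xn--) labels display as non-ASCII characters that can
    # mimic a Latin brand name; show the decoded form so it can be judged.
    unicode_host = host
    if any(label.startswith("xn--") for label in host.split(".")):
        unicode_host = host.encode("ascii").decode("idna")
        warnings.append(f"punycode host displays as non-ASCII '{unicode_host}'")

    domain = registrable_domain(host)
    # Long chains of subdomains push the registrable domain out of view
    # in a narrow address bar (cf. ww25.ww38....localbit.com on this page).
    depth = host.count(".") - domain.count(".")
    if depth >= 3:
        warnings.append(f"{depth} subdomain labels pad the address bar before {domain}")

    return {"host": host, "unicode_host": unicode_host, "domain": domain,
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample URLs; the localbit.com name and the IP address
    # are the ones that appear elsewhere on this page.
    for sample in ("https://ww25.ww38.ww38.ww38.ww16.ww25.ww25.ww38.localbit.com/",
                   "https://www.bank.nl@evil.example/login",
                   "https://13.248.197.209/",
                   "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/"):
        r = analyse(sample)
        print(sample, "->", r["domain"], r["warnings"])
```

The output is deliberately a domain plus warnings rather than a verdict: as the post says, whether evil.example really belongs to the organisation the page claims to be is something no string check can decide.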
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aral</span></a></span> :</p><p>I don't want to pay a cent. Neither donate, nor via taxes.</p><p><a href="https://infosec.exchange/@ErikvanStraten/114227977082449887" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114227977082449887</span></a></p><p><span class="h-card" translate="no"><a href="https://mstdn.social/@TheDutchChief" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>TheDutchChief</span></a></span> <span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a 
href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a 
href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aral</span></a></span> : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.</p><p>They're the ultimate manifestation of evil big tech.</p><p>They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.</p><p>DV has destroyed the internet. People lose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing attacks).</p><p>Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).</p><p>However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a piece of cake.</p><p>Decent online authentication is HARD. Get used to it instead of denying it.</p><p>REASONS/EXAMPLES</p><p>🔹 Troy Hunt fell into the DV trap: <a href="https://infosec.exchange/@ErikvanStraten/114222237036021070" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114222237036021070</span></a></p><p>🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. 
Now Chrome does not give you any more info than what Google argued: <a href="https://infosec.exchange/@ErikvanStraten/114224682101772569" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224682101772569</span></a></p><p>🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: <a href="https://infosec.exchange/@ErikvanStraten/114224264440704546" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224264440704546</span></a></p><p>🔹 Stop phishing proposal: <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a></p><p>🔹 Lots of reasons why LE sucks:<br><a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> (corrected link 09:20 UTC)</p><p>🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): <a href="https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">newly-registered-domains.abtdo</span><span class="invisible">main.com/2024-08-15-bond-newly-registered-domains-part-1/</span></a>. 
However, this gang is still active, open the RELATIONS tab in <a href="https://www.virustotal.com/gui/ip-address/13.248.197.209/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">13.248.197.209/relations</span></a>. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: <a href="https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/</span></a></p><p><span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a 
href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a 
href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://troet.cafe/@rohare" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rohare</span></a></span> : phishing can and should be mitigated.</p><p>See <a href="https://infosec.exchange/@ErikvanStraten/114222237036021070" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114222237036021070</span></a>.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@haveibeenpwned" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>haveibeenpwned</span></a></span> </p><p><a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/Browsers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browsers</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>troyhunt</span></a></span> : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.</p><p>We also need better (readable) certificates identifying the responsible / accountable party for a website.</p><p>We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.</p><p>Important: certificates never directly warrant the trustworthiness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensure that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.</p><p>More info in <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a> (see also <a href="https://crt.sh/?Identity=mailchimp-sso.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crt.sh/?Identity=mailchimp-sso</span><span class="invisible">.com</span></a>).</p><p>Note: most people do not understand certificates, like <span class="h-card" translate="no"><a href="https://mastodon.social/@BjornW" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>BjornW</span></a></span> in <a href="https://mastodon.social/@BjornW/114064065891034415" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span 
class="ellipsis">mastodon.social/@BjornW/114064</span><span class="invisible">065891034415</span></a>:<br>❝<br><span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> offers certificates to encrypt the traffic between a website &amp; your browser.<br>❞<br>2x wrong.</p><p>A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.</p><p>However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.</p><p>Will you please help me get this topic seriously on the public agenda?</p><p>Edited 09:15 UTC to add: tap "Alt" in the images for details.</p><p><a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a 
href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.social/@dutchnewsnl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dutchnewsnl</span></a></span> :</p><p>I *never* boost toots that contain one or more "shortened URLs" (if a third party is involved). It would be great if everyone did like me.</p><p>A "make internet safer" request: please stop using "URL shorteners".</p><p>They are not necessary, they invade the privacy of people who click such links (such services sell "visitor" behaviour), "visitors" do not know to which website they will be sent AND NEITHER DO YOU (it may work for you today, but there are no guarantees - at all).</p><p>More info (in Dutch) in <a href="https://www.security.nl/posting/879514/rant+-+onveiliginternetten_nl" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/879514/ran</span><span class="invisible">t+-+onveiliginternetten_nl</span></a>.</p><p>Mastodon.social (like "my" instance) truncates the readable alternative of long URLs in a smart way, as can be seen in a toot from Dan Gillmor<br>(@dangillmor@mastodon.social) below (tap "Alt" for textual info "behind" the image).</p><p>There is NO REASON whatsoever (unless buff.ly pays you, which will lead to even more Mastodonts hating you) to use *inherently risky* third party URL-shorteners.</p><p>As an alternative, you could set up a shortened URL service on your own website, like NOS.nl does. 
For example:</p><p>🔗 <a href="https://nos.nl/l/2558946" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">nos.nl/l/2558946</span><span class="invisible"></span></a></p><p>which actually is (readable but not clickable):</p><p>🔗 https:⧸⧸nos.nl/l/2558946</p><p>It opens:</p><p>🔗 https:⧸⧸nos.nl/liveblog/2558946-vs-en-israel-polsten-oost-afrikaanse-landen-over-gazaplan-trump</p><p>(I replaced https:// by https:⧸⧸ in the non-clickable links to prevent Mastodon from shortening those URLs).</p><p>@dangillmor@mastodon.social </p><p><a href="https://infosec.exchange/tags/MakeInternerSafer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MakeInternerSafer</span></a> <a href="https://infosec.exchange/tags/URLShorteners" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>URLShorteners</span></a> <a href="https://infosec.exchange/tags/PrivacyInvasive" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyInvasive</span></a> <a href="https://infosec.exchange/tags/SecurityRisk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityRisk</span></a> <a href="https://infosec.exchange/tags/Gambling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gambling</span></a> <a href="https://infosec.exchange/tags/DeadLinks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeadLinks</span></a> <a href="https://infosec.exchange/tags/DTour" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DTour</span></a> <a href="https://infosec.exchange/tags/Dependency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Dependency</span></a> <a href="https://infosec.exchange/tags/InternetIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>InternetIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a></p>