Author Topic: Hackers mostly are using free comodo certificates?!  (Read 4427 times)

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5229
  • I believe in doubt.
    • Evolutionary history of life
Re: Hackers mostly are using free comodo certificates?!
« Reply #30 on: July 31, 2017, 02:11:19 PM »
again, if you answer the question we can progress the discussion.

How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?
I don’t know that, regardless of DV, OV or EV. There is no guarantee. Just like there is no guarantee that a piece of software with a valid digital signature – with the vendor’s name in it – be secure and safe to use.

So what is the real issue in the PayPal-case in your article?

Is it that the fraudulent site has a DV-certificate? No, a fraudster is as fraudulent if its site has an OV-certificate, or even EV.

Is the issue that the browser has the same indicator for DV and OV (while PayPal’s site has an EV-certificate, which looks different, at least on desktop browsers, which is what your screenshot shows)? Neither DV nor OV look like EV, so no, that is not an issue in this case, as it already looks different from the real site. But the fraudulent site in your article has a URL that is very different from paypal.com. If a person does not notice that fundamental difference, it will also not notice different indicators, unless you make it red and flashing or something like that.

To help that person to not fall for the fraud, the warning must look something like this (the way it looks in Chrome and Firefox): https://phishing.safebrowsingtest.com/ And that has nothing to do with the certificate.
Ubuntu 17.04, 64-bit | Chrome 62β | HTTPS Everywhere | Privacy Badger

Offline w-e-v

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1498
  • BETA FORCE MEMBER
« Reply #31 on: July 31, 2017, 05:41:51 PM »
Ahhhh, thank you Melih. I see it pretty clearly now (crystal clear).

Guys, just read Melih's post slowly and try to understand the reality behind it:

Can you even call it "Encrypted"?

Because the definition of Encryption is: "encryption is the process of encoding a message or information in such a way that only authorized parties can access it"
https://en.wikipedia.org/wiki/Encryption

Because the Encryption process is not complete, because you can't guarantee "only authorized parties can access it".....can it be called "Encrypted"?

Or is it simply "enciphered"? "To encipher or encode is to convert information into cipher or code".

In simple terms, the definitions:
To Encrypt = your private information ciphered + authorized party you know/want deciphers (trusted)
To Encipher = your private information ciphered + ? (untrusted)

As you can see, the process of encryption involves something more than just merely enciphering data. It also involves a process to ensure that an authorized party decodes and reads your data. Without the latter your ciphered data is insecure even if it's ciphered because you don't know who really is the identity or person behind.

DV does only Encipher your data (period). DV doesn't provide Encryption (see meaning above), hence it doesn't deserve a "secure indicator" as Melih states.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4212
  • Lurking
« Reply #32 on: July 31, 2017, 06:49:05 PM »
Ahhhh, thank you Melih. I see it pretty clearly now (crystal clear).

Guys, just read Melih's post slowly and try to understand the reality behind it:

In simple terms, the definitions:
To Encrypt = your private information ciphered + authorized party you know/want deciphers (trusted)
To Encipher = your private information ciphered + ? (untrusted)

As you can see, the process of encryption involves something more than just merely enciphering data. It also involves a process to ensure that an authorized party decodes and reads your data. Without the latter your ciphered data is insecure even if it's ciphered because you don't know who really is the identity or person behind.

DV does only Encipher your data (period). DV doesn't provide Encryption (see meaning above), hence it doesn't deserve a "secure indicator" as Melih states.

While I personally think making a point about encryption and enciphering is irrelevant, I still disagree with this. The authorised party in this case is whoever has proven that they are in control of that website via a DV certificate. An authorised party does not need to be a party that I know the identity of; if I visit domain.com and they're using a DV cert then I know I'm at domain.com and consequently I am giving the people in control of domain.com the status of "authorised party". One can of course go one step further with this and say that EV certs don't perform encryption either: you don't know what the people on the other end do with the data they receive, they could be sharing it with the NSA for example, and suddenly not ONLY the authorised source got the data. That is however irrelevant for the technological scope of encryption, which also applies to DV certs.

The confusion you seem to be having is that an authorised party needs to be identified with a name as well, no such identification is needed, the only thing you need to know is that they're in control of the website you're trying to visit, and that's what DV certs provide.

Beyond that I see no reason to differentiate between encryption and enciphering. Looking beyond Wikipedia, what do dictionaries say? Encrypt: "to encipher or encode", "to change electronic information or signals into a secret code (= system of letters, numbers, or symbols) that people cannot understand or use on normal equipment", "1. Encipher 2. Encode". But I concede that encryption may differ from enciphering, but not enough to make it a point, a point that still doesn't hold up when examined.

Edit:
I should also clarify that I would be okay with giving DV certs a neutral indication, with the condition that no cert (http) gets a negative indication. Either way I also like how Vivaldi treats it, it doesn't say "SECURE", it just shows a tiny green faded padlock for DV certs, see attachments for examples.
« Last Edit: July 31, 2017, 06:55:44 PM by Sanya IV Litvyak »
I support privacy and freedom online - eff.org
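
Added example, not part of the thread or any poster's code: Reply #32's claim that a DV certificate tells you "I'm at domain.com" comes down to matching the visited hostname against the certificate's DNS names. The sketch below implements that match (RFC 6125-style wildcard rules) and keeps it separate from whether the visited host is the one the user intended; the function names and sample hostnames are constructed for illustration.

```python
# Added illustration: a DV certificate binds a key to DNS names, nothing more.
# All hostnames and SAN lists used with these functions are constructed samples.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """RFC 6125-style match of one dNSName entry against a hostname.

    A wildcard is honoured only as the entire left-most label and
    covers exactly one label; it never spans dots.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" cannot match,
        # and reject any further wildcard to the right of the first.
        return len(p) >= 3 and "*" not in pattern[1:] and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example.com"
    return p == h

def cert_covers(san_dns_names, hostname):
    """True if any dNSName in the certificate matches the hostname."""
    return any(san_matches(s, hostname) for s in san_dns_names)

def assess(san_dns_names, subject_org, visited_host, intended_host):
    """Separate what the certificate proves from what the user meant."""
    return {
        # The key holder controls the host that was actually visited.
        "channel_authenticated": cert_covers(san_dns_names, visited_host),
        # Whether that host is the one the user meant to reach; no
        # certificate type answers this, it is a hostname comparison.
        "is_intended_site": visited_host.lower() == intended_host.lower(),
        # DV certificates carry no organisation name in the subject (None).
        "vetted_organisation": subject_org,
    }

if __name__ == "__main__":
    # Constructed case: valid DV cert on a host that is not paypal.com.
    print(assess(["account-update.example"], None,
                 "account-update.example", "paypal.com"))
```

The constructed case authenticates the channel to `account-update.example` while failing the intended-site comparison, which is the distinction the posters are arguing over.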

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14588
    • Video Blog
« Reply #33 on: July 31, 2017, 06:53:31 PM »
I don’t know that....

That's why DV does not deserve a positive indicator.

Now that we established DV doesn't deserve a positive indicator,  we can talk about if EV deserves a "positive indicator".
With EV: do you know either the person or legal entity you are connecting to?
The answer is yes. These are vetted legal entities. You are trusting CAs to have vetted this for you.

Offline Melih

« Reply #34 on: July 31, 2017, 06:54:52 PM »
Ahhhh, thank you Melih. I see it pretty clearly now (crystal clear).

Guys, just read Melih's post slowly and try to understand the reality behind it:

In simple terms, the definitions:
To Encrypt = your private information ciphered + authorized party you know/want deciphers (trusted)
To Encipher = your private information ciphered + ? (untrusted)

As you can see, the process of encryption involves something more than just merely enciphering data. It also involves a process to ensure that an authorized party decodes and reads your data. Without the latter your ciphered data is insecure even if it's ciphered because you don't know who really is the identity or person behind.

DV does only Encipher your data (period). DV doesn't provide Encryption (see meaning above), hence it doesn't deserve a "secure indicator" as Melih states.

Thank you for taking the time to read it. It is uncharted territory and will need a lot of focus to fully understand. You have 100% got it though, kudos to you! Now you can help me explain this to people pls :)

Offline Melih

« Reply #35 on: July 31, 2017, 06:58:41 PM »

The confusion you seem to be having is that an authorised party needs to be identified with a name as well, no such identification is needed, the only thing you need to know is that they're in control of the website you're trying to visit, and that's what DV certs provide.

You are missing the point: You are using Encryption to "avoid bad people".....the guy who you are sending the data using DV could very well be that "bad people"....you simply do not know! Because you don't know, because you can't vouch, you can't say it's "secure" or even "private"....you can say you "enciphered the data" that's all....

Because you identify neither the "authorised party" nor the bad people you are trying to avoid, you do not know if they are not the same people!

Offline Sanya IV Litvyak

« Reply #36 on: July 31, 2017, 07:06:48 PM »
You are missing the point: You are using Encryption to "avoid bad people".....the guy who you are sending the data using DV could very well be that "bad people"....you simply do not know! Because you don't know, because you can't vouch, you can't say it's "secure" or even "private"....you can say you "enciphered the data" that's all....

Because you identify neither the "authorised party" nor the bad people you are trying to avoid, you do not know if they are not the same people!

And I do not agree with this. In this case I am not using encryption to "avoid bad people", I am using it to make sure that only the 'authorised party' can read the data I'm sending them, and that only I can read the data they are sending me, and this authorised party are those in control of the website, whether they are good or bad. Of course if I was doing something like banking etc I would require a higher level of trust, one which a DV cert wouldn't provide.

Besides, you've just changed the definition by saying encryption is to "avoid bad people", recently it was just authorised party. If I'm connecting to the website where I can hire murders, I'm connecting to bad people, but I still want that connection to be encrypted because I'd want to avoid the good people. Yes that's a weak argument but either way encryption doesn't require a bad party present at all and nor do I use it as such either.

Edit: Also I can say that it's secure, the connection is secure and I can say that it's private, why would I not? If I couldn't say it's private then I wouldn't with EV as well since they can share the data with the NSA if they want. What happens beyond the technological is irrelevant when discussing the technological.
« Last Edit: July 31, 2017, 07:10:52 PM by Sanya IV Litvyak »

Offline Melih

« Reply #37 on: July 31, 2017, 07:08:30 PM »
And I do not agree with this. In this case I am not using encryption to "avoid bad people", I am using it to make sure that only the 'authorised party' can read the data I'm sending them, and that only I can read the data they are sending me, and this authorised party are those in control of the website. Of course if I was doing something like banking etc I would require a higher level of trust, one which a DV cert wouldn't provide.

Besides, you've just changed the definition by saying encryption is to "avoid bad people", recently it was just authorised party. If I'm connecting to the website where I can hire murders, I'm connecting to bad people, but I still want that connection to be encrypted because I'd want to avoid the good people. Yes that's a weak argument but either way encryption doesn't require a bad party present at all and nor do I use it as such either.

who is the "authorized party"?

Offline Sanya IV Litvyak

« Reply #38 on: July 31, 2017, 07:11:19 PM »
who is the "authorized party"?

As I've said, the people in control of the website that you are visiting, their exact identities are not needed to make them authorised.

Edit: As another thought exercise, since those seem to be popular here, imagine a website owned by an organisation, and they're using an EV cert. Now let's imagine X government raids this organisation and takes over the website and starts collecting logs. You as a user won't be any wiser, therefore you're now not sure exactly who you are trusting, you only know who the certificate was issued to. Suddenly it's no longer encryption?
« Last Edit: July 31, 2017, 07:19:37 PM by Sanya IV Litvyak »

Offline Melih

« Reply #39 on: July 31, 2017, 07:16:40 PM »
As I've said, the people in control of the website that you are visiting, their exact identities are not needed to make them authorised.

So let me get it straight...

You want to "encipher" your data for someone you don't know and you don't care who they may be?

Offline Sanya IV Litvyak

« Reply #40 on: July 31, 2017, 07:24:18 PM »
So let me get it straight...

You want to "encipher" your data for someone you don't know and you don't care who they may be?

Like I've also said before, it depends on the data, which is also why there are different types of certificates. For many websites I do not care who they are because the data may not be of external importance but may be internally important, let's say login information exclusive to that website, I would naturally not care whether the site operator had that information, but I would care if someone else sniffed it out and used it to impersonate me on said website. But for a banking website where the data is also externally important, I would require something better, like an EV cert.

Edit: A big part of this conversation also assumes no prior generated trust, a brand new website without any prestige. (Also I'm going to sleep now and gonna play a lot of Secret World Legends when I awake, I don't really know when I'll answer again)
« Last Edit: July 31, 2017, 07:27:06 PM by Sanya IV Litvyak »

Offline Melih

« Reply #41 on: July 31, 2017, 07:27:02 PM »
t I would care if someone else sniffed it out and used it impersonate me on said website......

who is that "someone else"?
is it different than the "person receiving your data"?

Offline Sanya IV Litvyak

« Reply #42 on: July 31, 2017, 07:33:53 PM »
who is that "someone else"?
is it different than the "person receiving your data"?


Someone else other than the intended recipient, i.e. the party in control of the website.

Ideally it would be different from "person receiving your data" because "person receiving your data" should be the party in control of the website and "someone else" is therefore not the party in control of the website. There are however situations where "someone else" and "person receiving your data" could theoretically be the same person, for example if a MITM attack was somehow successful, at that point there would be multiple "person receiving your data" and you'd have to be more specific in your question.

Offline Melih

« Reply #43 on: July 31, 2017, 07:36:25 PM »
Someone else other than the intended recipient, i.e. the party in control of the website.

How do you know if that "someone else" is different than the "party in control of the website"?  Yes/No?

Offline Sanya IV Litvyak

« Reply #44 on: July 31, 2017, 07:46:57 PM »
How do you know if that "someone else" is different than the "party in control of the website"?  Yes/No?

Did you just ask me to answer a "How" question with yes or no? In that case I would like to answer with: Cat.

Either way, it's in the definition of 'someone else'. How do I know that the party in control of the website isn't someone else? Because if they were then they wouldn't be the party in control of the website.

I should once again clarify that I am fine with making DV certs show neutral, as long as no cert (http) is shown as negative. I do not, however, equate DV cert with no cert and would therefore not be in favour of a solution that wouldn't differentiate between the two.

Edit: Also, I feel like we're going in circles with this and that we simply don't agree on definitions, however regardless of those definitions I can still see value in your proposal even if I think encryption vs encipher is irrelevant to the issue and given some other implications (like http not being neutral). As it's nearing 2AM I will retire to bed for now, don't wait up. :)
« Last Edit: July 31, 2017, 07:51:13 PM by Sanya IV Litvyak »

 
