Author Topic: Hackers mostly are using free comodo certificates?!  (Read 25125 times)

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14676
    • Video Blog
Re: Hackers mostly are using free comodo certificates?!
« Reply #45 on: July 31, 2017, 07:50:02 PM »
sure let me ask it again

do you know if that "someone else" is different than the "party in control of the website"?  Yes/No?

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Hackers mostly are using free comodo certificates?!
« Reply #46 on: July 31, 2017, 08:03:47 PM »
sure let me ask it again

do you know if that "someone else" is different than the "party in control of the website"?  Yes/No?

You didn't need to ask again, I gave you the answer in the last reply. Besides, why do you need me to answer with either yes or no to a question that may have a more complex answer? I do not see any point to requiring that level of control and will therefore no longer continue this conversation if such control is expected over my responses. Good Night.
« Last Edit: July 31, 2017, 08:07:01 PM by Sanya IV Litvyak »
I support privacy and freedom online - eff.org

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #47 on: July 31, 2017, 09:44:06 PM »
Good night :)

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6439
  • I believe in doubt.
    • Evolutionary history of life
Re: Hackers mostly are using free comodo certificates?!
« Reply #48 on: July 31, 2017, 11:56:49 PM »
That's why DV does not deserve a positive indicator.

Now that we established DV doesn't deserve a positive indicator,  we can talk about if EV deserves a "positive indicator".
With EV: do you know either the person or legal entity you are connecting to?
The answer is yes. These are vetted legal entities. You are trusting CAs to have vetted this for you.
Stop! You need to read and quote me properly, not only quote what seems to confirm your view and ignore everything that doesn’t! I did not confirm your view.
I quote my first three sentences again:
I don’t know that, regardless of DV, OV or EV. There is no guarantee. Just like there is no guarantee that a piece of software with a valid digital signature – with the vendor’s name in it – be secure and safe to use.
Need I rephrase that more clearly?
EV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
OV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
DV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.

Got it this time?

If your view is that OV and EV give such a guarantee, feel free to explain how.
Ubuntu 21.04 | Firefox 90β | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline SSL Guru

  • Comodo's Hero
  • *****
  • Posts: 320
  • Retired Comodo Global Support Manager
    • Dağcılar Sitesi
Re: Hackers mostly are using free comodo certificates?!
« Reply #49 on: August 01, 2017, 05:04:13 AM »

Isn't the real question here about the level of validation that has to be achieved to receive a certificate?

There is higher trust in a site that has OV or EV because of the documentation required before issuance.

With DV it's simply ability to receive an email.

And the argument that the user should look at the URL address bar to ensure they arrived
at the right place shouldn't really come into it as a lot of users wouldn't know if they did or didn't.
That's why we have the visible coloured indication.
“You have to be odd to be number one”
Dr. Seuss

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #50 on: August 01, 2017, 06:18:58 AM »
And the argument that the user should look at the URL address bar to ensure they arrived at the right place shouldn't really come into it as a lot of users wouldn't know if they did or didn't.
That's why we have the visible coloured indication.
If the user doesn’t look at the URL-bar, it will not only not see the URL, but also not the security indicator (if any). How interested is the average user in that “boring” “technical” stuff?

And only if the user knows what security indicator to expect, does it matter what type of indicator the site the user arrives at has. In July 2016, I was quite surprised when I visited comodo.com, and it looked like you see in the attached image. I was surprised because I expected EV, and it was actually DV, through Cloudflare. Does an average user have such expectations?

With more than 70 % of all certificates being DV, it is not unexpected to see a legitimate site using such a certificate. They are a big part of people’s daily browsing.

Should browsers display a flashing red “Not secure” whenever DV is used? Does it make sense to cry “wolf” every time you see a dog? No one will listen to you, even when you actually see a wolf.

Offline SSL Guru

Re: Hackers mostly are using free comodo certificates?!
« Reply #51 on: August 01, 2017, 06:31:48 AM »
Users always need to be educated on what to look for when browsing.
And you're right, it is boring stuff.

So, treat them as dumb and show them what's secure and what's not.

People are more likely to notice colours instead of words.

DV may be commonplace and in use by some legitimate sites, but how do you
distinguish between good ones and bad ones?
Bearing in mind that with DV you only need to be able to receive an email.

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #52 on: August 01, 2017, 07:39:49 AM »
To give users who are not interested in this geeky stuff isn’t easy. But it’s clear that you must be careful with when you cry “wolf”. If you make a browser that says that sites like https://blog.wikimedia.org/ and https://www.libreoffice.org/ be “Not secure” or similar, no user will take your warnings seriously.

I don’t know how many sites that have a DV-certificate from Comodo, but I know that 47 million sites have a DV-certificate from Let’s Encrypt. For both CAs, a really tiny fraction of the issued certificates are used for phishing. Maybe about 0,6 ‰ (not %) for Let’s Encrypt, based upon Netcraft’s numbers (47 500 blocked sites, and 61 % of them using Let’s Encrypt).

One phishing site is of course one too many, but to flag DV as insecure because a tiny fraction of them are used by fraudsters makes no sense.

Indeed “how do you distinguish between good ones and bad ones?”. Good question. Not by looking at the certificate, but by looking at the content. To protect against fraud, good fraud protection is needed. Good spam filters, so users don’t get fraudulent links in their mailbox, good (fast) URL-blocking, in services like Safe Browsing and SmartScreen. Sadly, those are never good/fast enough.

BTW, I think most users of DV got the certificate through a hosting provider or CDN, by clicking a button in the control panel.

Offline SSL Guru

Re: Hackers mostly are using free comodo certificates?!
« Reply #53 on: August 01, 2017, 07:56:42 AM »
One thing I have noticed throughout this thread is the use of the word 'looking'.
Looking at the URL address bar.
Looking at the certificate.
Looking at the content.

Now, just to throw this into the mix......imagine the user is blind.

How do we indicate to a blind user that a site is safe or not?

If that user uses verbal feedback to help them navigate, what's being displayed to verbally feedback to assist them?

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #54 on: August 01, 2017, 11:27:58 AM »
Stop! You need to read and quote me properly, not only quote what seems to confirm your view and ignore everything that doesn’t! I did not confirm your view.
I quote my first three sentences again:
Need I rephrase that more clearly?
EV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
OV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
DV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.

Got it this time?

If your view is that OV and EV give such a guarantee, feel free to explain how.

If nothing guarantees "that the person I communicate with is not a person I would rather avoid exchanging data with", then why do you insist on having a positive indicator for DV?

Offline SSL Guru

Re: Hackers mostly are using free comodo certificates?!
« Reply #55 on: August 01, 2017, 12:51:46 PM »
Here is a Twitter post today from the CA Security Council. [at]CertCouncil

Making #HTTPS #phishing sites easier to spot  https://t.co/t40mapoE0G via [at]helpnetsecurity

It states:
Finally, a CA issuing a Domain Validation (DV) certificates for a domain must only make sure that the applicant has control over the domain in question. It usually does so by sending (and receiving a response from) an email to the email contact in the domain’s whois details or an administrative contact in the domain (e.g. admin[at]). The CA may have no idea who the applicant for the DV certificate is – the whole process can be anonymous and untraceable.

Consequently, DV certificates offer encryption (i.e. assurance that the traffic to and from the website is encrypted, and therefore the sent sensitive data is known only to the user and the site’s owner), but do not offer proof that the owner of the site is a legal entity (existing organization), or a particular legal entity. In fact, with DV certificates the owner of the site may be completely unknown.


Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #56 on: August 01, 2017, 01:41:24 PM »
If nothing guarantees "that the person I communicate with is not a person I would rather avoid exchanging data with", then why do you insist on having a positive indicator for DV?
Because it is of value to protect data from eavesdropping and modification during transport.

Did I ever say a positive indicator?
« Last Edit: August 01, 2017, 01:46:20 PM by JoWa »

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #57 on: August 02, 2017, 03:24:33 AM »
Isn't the real question here about the level of validation that has to be achieved to receive a certificate?

There is higher trust in a site that has OV or EV because of the documentation required before issuance.

With DV it's simply ability to receive an email.
Sure, and I did not try to say they are not different. But I want the discussion to be nuanced. I will not call DV useless, and I will not call EV flawless. (What does it mean for users and their trust that COMODO CA Limited in Salford has been validated by COMODO CA Limited in Salford? “You can trust me because I trust me”?)
DV certs do NOT offer security unless the user types the https url in full into the address bar in the browser for a site they have already pre established trust with. Clicking on an https link on an http site is flawed if the https site has a DV cert! And DV certs should NOT be used for any ecommerce whatsoever!
So there are scenarios when DV offers sufficient security? Like when I log in on forums using DV, paying attention to the URL?

And I guess most sites with DV are used passively, i.e. without the user entering any information (such as login credentials) on them. Maybe entering some text in a search box.

Is it flawed to click on a link on an insecure site (without TLS) to a site with DV? If that DV-site is unknown to me, it would not be wise of me to blindly trust it. But if the site instead has OV? If I bother to open the certificate viewer I will see a name and a location. Maybe I have never heard of the organisation, or even the city it’s located in. Should I blindly trust it?

I agree that DV should not be used for e-commerce or other financial transactions. I’m even disappointed that one of my banks has OV and not EV.

Offline w-e-v

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1503
  • BETA FORCE MEMBER
Re: Hackers mostly are using free comodo certificates?!
« Reply #58 on: August 02, 2017, 08:54:30 AM »
I think you guys are missing the point here. First, nobody is saying that DV certificates are completely useless. What is being explained here, is that DV certificates are neutral, period. Why?

For example, let’s say that you visit regularly the roughmedia.com website. You receive an email from roughrnedia.com where they ask you to take advantage and activate a very good incredible offer. So you click, login with your personal details... but wait! Your account is no longer private. What happened, what went wrong? You submitted your private data over "a secure ciphered" channel! That's right, you likely wouldn’t notice in the address bar of the browser that the owner of the website and the DV certificate has replaced the “m” in media with an “r” and an “n” that look very much like an “m.” That's it for your private data, sent through "encrypted" enciphered channel.

Because it is of value to protect data from eavesdropping and modification during transport.

Why would you need protection from eavesdropping and modification during transport, if the bad guy is the owner of the private key (yes, DV certificate).

We need to think broader and not only for ourselves but for those who have less experience in the web and are more vulnerable.
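
The lookalike scenario in the post above (roughrnedia.com standing in for roughmedia.com) can be checked on the hostname itself, independent of whether the certificate is DV, OV or EV. The following is an added example, not part of any poster's reply; the trusted list, the small ASCII confusables table and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed for illustration: the real domain from the post's scenario.
TRUSTED = ["roughmedia.com"]
# Small, incomplete table of ASCII lookalikes (assumption, not a standard list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def normalize(hostname):
    """Lower-case the name and drop surrounding space and the trailing root dot."""
    return hostname.strip().rstrip(".").lower()

def skeleton(hostname):
    """Collapse lookalike sequences so visually similar names compare equal."""
    host = normalize(hostname)
    for src, dst in CONFUSABLES:
        host = host.replace(src, dst)
    return host

def is_or_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(hostname, trusted=TRUSTED):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    host = normalize(hostname)
    for domain in trusted:
        if is_or_under(host, domain):
            return ("trusted", domain)
    skel = skeleton(host)
    for domain in trusted:
        if is_or_under(skel, skeleton(domain)):
            return ("lookalike", domain)
    return ("unknown", None)

def scan_links(urls, trusted=TRUSTED):
    """Classify the hostname of every link, e.g. links extracted from an email."""
    results = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        results[url] = classify(host, trusted)[0]
    return results

# Constructed sample links; all use https, so the scheme does not separate them.
SAMPLE_LINKS = [
    "https://roughmedia.com/account",
    "https://roughrnedia.com/offer",
    "https://login.r0ughmedia.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

The table covers only a few ASCII substitutions; internationalized (punycode) names and a public-suffix-aware domain split would need additional handling.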

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #59 on: August 02, 2017, 12:03:10 PM »
For example, let’s say that you visit regularly the roughmedia.com website. You receive an email from roughrnedia.com where they ask you to take advantage and activate a very good incredible offer. So you click, login with your personal details... but wait! Your account is no longer private. What happened, what went wrong? You submitted your private data over "a secure ciphered" channel! That's right, you likely wouldn’t notice in the address bar of the browser that the owner of the website and the DV certificate has replaced the “m” in media with an “r” and an “n” that look very much like an “m.” That's it for your private data, sent through "encrypted" enciphered channel.
Assuming that the email was not caught by Gmail’s spam filter, and that Safe Browsing did not block the fraudulent site, and that I swallow the tasty bait, and that I am not surprised that Chrome suddenly does not remember my login credentials, and that I do not look at the URL-bar, yes, then I might give my login credentials to some bad guy. Is that DV’s fault? Does roughmedia.com also have DV, or maybe OV? Doesn’t matter, since I did not look in the URL-bar, not to mention the certificate viewer. If the user does not pay attention to anything outside the content area, different indicators for DV, OV and EV do not matter.
Why would you need protection from eavesdropping and modification during transport, if the bad guy is the owner of the private key (yes, DV certificate).
There are plenty of bad guys.
We need to think broader and not only for ourselves but for those who have less experience in the web and are more vulnerable.
I have several times referred to average users, and how they might think and react in various cases. People with average or below average knowledge and interest in the matters we are discussing here are the big challenge for security engineers and UI-designers.

Different indicators for different certificates will not protect those users from fraud. Most people have no idea what a digital certificate is, and the indicator looks different if an image on the page is loaded over an insecure connection (Look at this forum!), so a changed indicator is not really a big thing for users.