Author Topic: Hackers mostly are using free comodo certificates?!  (Read 14607 times)

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5735
  • I believe in doubt.
    • Evolutionary history of life
Re: Hackers mostly are using free comodo certificates?!
« Reply #75 on: August 05, 2017, 05:49:57 AM »
Authorized by whom? Fake Apple-like domain names are authorized by whom to receive real Apple IDs?
Have you read nothing I have written? As soon as a connection has been established, the two connected parties are authorised to exchange information. The authorisation is in the connection.
Ubuntu 19.04 | Chrome 74β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline SSL Guru

  • Comodo's Hero
  • *****
  • Posts: 320
  • Retired Comodo Global Support Manager
    • Dağcılar Sitesi
Re: Hackers mostly are using free comodo certificates?!
« Reply #76 on: August 05, 2017, 05:59:54 AM »
The conversation appears to have moved to ciphers, encryption, authorization and how it's done etc.

Haven't we moved away from the question?

Quite simply, should DV certificates be given the same trust indication in a browser?
Given the level of validation required to get a DV certificate I personally would say no.

“You have to be odd to be number one”
Dr. Seuss

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #77 on: August 05, 2017, 06:46:32 AM »
The conversation appears to have moved to ciphers, encryption, authorization and how it's done etc.

Haven't we moved away from the question?
It moves hither and thither.
Quite simply, should DV certificates be given the same trust indication in a browser?
Given the level of validation required to get a DV certificate I personally would say no.
DV deserves a security indicator, but not a trust indicator.

Offline w-e-v

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1503
  • BETA FORCE MEMBER
Re: Hackers mostly are using free comodo certificates?!
« Reply #78 on: August 05, 2017, 08:15:00 AM »
Yes/No Question: If a connection is "encrypted" (according to your definition) fake Apple-like domain names are "authorized" to receive username and passwords from real Apple users/accounts?
You still haven't answered my yes/no question with a yes/no answer.

Have you read nothing I have written? As soon as a connection has been established, the two connected parties are authorised to exchange information. The authorisation is in the connection.
So the connection alone authorizes the fake Apple-like domain name to capture real Apple IDs?

Offline w-e-v

Re: Hackers mostly are using free comodo certificates?!
« Reply #79 on: August 05, 2017, 08:35:58 AM »
The conversation appears to have moved to ciphers, encryption, authorization and how it's done etc.

Haven't we moved away from the question?

Quite simply, should DV certificates be given the same trust indication in a browser?
Given the level of validation required to get a DV certificate I personally would say no.

Yes, the definition is pretty clear.

Oxford Dictionary defines "Encryption" as:
The process of converting information or data into a code, especially to prevent unauthorized access.
https://en.oxforddictionaries.com/definition/encryption

And how does Oxford Dictionary define "unauthorized"?
Not having official permission or approval.
https://en.oxforddictionaries.com/definition/unauthorized

Regardless of a connection type, coded or not, if the person receiving the private data is "unauthorized" (not having official permission or official approval), the connection is not secure regardless of its type (HTTP or HTTPS).

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Hackers mostly are using free comodo certificates?!
« Reply #80 on: August 05, 2017, 08:10:52 PM »
That client and server have authorised (allowed) one another to communicate (exchange data). It has nothing to do with the user, hence technically authorised. The user may have arrived at a site it would rather avoid, by clicking on an obfuscated link, or similar, but the site is none the less fully authorised to send data to the client. All the user can do is to unauthorise the server by closing the connection to it. A connection, secure or not, intended or not, means authorisation to communicate.

hmmm...you just made that up didn't you :)
You are merely explaining key to key encipherment, not key holder to key holder encryption.

You are now trying to "make up new terminology" called "Technical authorization" to describe "encipherment".

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #81 on: August 05, 2017, 08:14:17 PM »
DV deserves a security indicator, but not a trust indicator.

Security?
why?
you will say: because it creates a secure tunnel.
I will say: securing from who?
you will say: securing from any "unauthorized person"
I will say: how do you know the recipient is not the person you are trying to avoid?
You will say: .........................................
:)
Because you can't differentiate between the recipient and the people you are trying to avoid, you can't give DV either a "security" or a "Trust" indicator. It has to be "Neutral".

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #82 on: August 06, 2017, 07:19:50 AM »
hmmm...you just made that up didn't you :)
You are merely explaining key to key encipherment, not key holder to key holder encryption.

You are now trying to "make up new terminology" called "Technical authorization" to describe "encipherment".
The interpretation and description of what is happening are mine.

The user is always late to the party, arrives when the dinner is already served (the webpage has been downloaded). What is left for the user to authorise? Continued communication. Or to unauthorise continued communication (leave the party). And the dinner may contain surprises, ingredients (files) from third parties, from other domains and other entities, known or unknown. Who authorised those to be downloaded to the client’s device? Not the user, who might not even be aware of them.

In TLS, authentication of the identity of the communicating parties is optional. For “key holder to key holder encryption” you need PGP, where the sender specifies the authorised recipient(s), or something like that.
Security?
why?
Because security is… [drumroll]… technical! It’s protocols, ciphers, algorithms etc. The green padlock in Chrome or Firefox simply says that the connection is secure (click on it to see the description), not the sender/recipient at the other end of the tunnel.
you will say: because it creates a secure tunnel.
I will say: securing from who?
you will say: securing from any "unauthorized person"
I will say: how do you know the recipient is not the person you are trying to avoid?
You will say: .........................................
:)
Because you can't differentiate between the recipient and the people you are trying to avoid, you can't give DV either a "security" or a "Trust" indicator. It has to be "Neutral".
To avoid going in circles (repeating what has already been said, since we both know and acknowledge the shortcomings of DV), I will skip to the indicator.

What does a neutral indicator look like? Like in the attached image (from a site with mixed content)? If so, I hope you have a plan for sites with mixed content. What is the plan for HTTP without TLS? Is that also neutral, or insecure? The plan for OV? Like in Dragon 57 (Chrome’s current EV-indicator?).

To communicate security to people with little or no knowledge, and no interest, is far from trivial. How to communicate that the connection is secure, but the guy(s) at the other end of it might not be? It is a balancing act.

And again, a name in the certificate does not guarantee that the guy(s) at the other end of the connection be “secure” (trustworthy). Should browsers ever say “Trusted” (like Opera 12 for EV)?

As long as there are insecure connections (without TLS), the use of (well implemented and configured) TLS deserves to be indicated differently than no TLS. Maybe write “TLS” in the indicator. Or maybe something most users understand.

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #83 on: August 06, 2017, 12:38:31 PM »
Neutral means no indicator
HTTP: should receive a negative indicator.

drumrolls....without users there is no internet....so you trying to create a world removing users is not the world the users live in...it is the users who put the computers, certificates, internet connection...it's also the users who are doing all this for a purpose....for example...a user is choosing to use encryption for a reason to make sure their data is secure by making sure it only goes to the intended recipient.... so first you are trying to make up new terminology with technical authorization and now creating a world with no users.....:)

Offline w-e-v

Re: Hackers mostly are using free comodo certificates?!
« Reply #84 on: August 06, 2017, 05:25:18 PM »
The user is always late to the party, arrives when the dinner is already served (the webpage has been downloaded). What is left for the user to authorise? Continued communication. Or to unauthorise continued communication (leave the party). And the dinner may contain surprises, ingredients (files) from third parties, from other domains and other entities, known or unknown. Who authorised those to be downloaded to the client’s device? Not the user, who might not even be aware of them.
The user shall be able to identify by indicators if the party is secure or not BEFORE entering the party (before entering private data). That's what the indicators are for. If the party indicator shows that it's secure, the user can enter the party (enter details). But if the party indicator is neutral, the user has a hint to reconsider whether to enter the party or not (enter details or not). That is why the indicator is needed. If the party turns out to be "evil" (insecure), the user will not have a happy ending even with his own bodyguards (enciphered connection).

You still haven't answered my yes/no question with a yes/no answer.

So the connection alone authorizes the fake Apple-like domain name to capture real Apple IDs?

Offline w-e-v

Re: Hackers mostly are using free comodo certificates?!
« Reply #85 on: August 06, 2017, 05:47:04 PM »
Encipher: Convert (a message or piece of text) into a coded form.
https://en.oxforddictionaries.com/definition/encipher

Encryption: The process of converting information or data into a code, especially to prevent unauthorized access.
https://en.oxforddictionaries.com/definition/encryption

Unauthorized: Not having official permission or approval.
https://en.oxforddictionaries.com/definition/unauthorized

Do you see the difference?

Encryption: Coded data + authorized party. Secure.
Encipher: Coded data only (that's it). Insecure.

I think the definitions are pretty clear. What JoWa is describing is the mere and simple process of encipherment because although the connection is through HTTPS, the receiving party might or might not be the authorized party to receive such information. Whereas what Melih is describing is that ONLY if the receiving party has been authorized (within an authorization process) to receive such data, the Encryption process is completed. If the receiving party is unauthorized but receives the information, encryption is not in place, only encipherment.

Since Domain Validated certificates only encipher and do not encrypt, the indicator must be neutral.

It is very simple when you read the definitions.

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #86 on: August 07, 2017, 02:43:21 AM »
Neutral means no indicator
HTTP: should receive a negative indicator.
That makes sense. Insecure should not be neutral. At least Chrome and Firefox have begun to indicate that the connection is insecure when there is a login field on the page. The question is when users are ready for such an indicator on every insecure connection. Currently about forty percent of all connections are not secure. Warning fatigue is to be expected if the indicator were introduced today. More TLS is needed. That will mean more DV.

Once the insecure connections are few enough to mark them as not secure (a negative indicator), it will not make much sense to use a positive indicator for secure connections. If negative means not secure, neutral will mean secure. And that includes more than DV. Even EV is not very effective as defence against phishing, it seems. (And some mobile browsers have no special EV-indicator.)

“Jackson et al. asked study participants to identify phishing attacks and found that ‘extended validation did not help users defend against either attack’”.¹

To protect against phishing, we need good phishing protection, not different certificate indicators.
drumrolls....without users there is no internet....so you trying to create a world removing users is not the world the users live in...it is the users who put the computers, certificates, internet connection...it's also the users who are doing all this for a purpose....for example...a user is choosing to use encryption for a reason to make sure their data is secure by making sure it only goes to the intended recipient.... so first you are trying to make up new terminology with technical authorization and now creating a world with no users.....:)
Am I not admirably and impressively creative! Eliminate the messy users, and you eliminate the problems!

But sadly, or luckily, I did not successfully eliminate the users. And I never tried to. What I am trying to do is to see what users really do, and what happens automatically, like the authorisation, which happens silently when connecting to a server.

Also, average users care much less about various indicators than we who discuss them.

1 https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45366.pdf

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #87 on: August 07, 2017, 02:47:05 AM »
You still haven't answered my yes/no question with a yes/no answer.
Who gave you authority to dictate how people should answer?

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #88 on: August 07, 2017, 10:50:33 AM »

Also, average users care much less about various indicators than we who discuss them.

1 https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45366.pdf

http://nypost.com/2017/07/11/google-pays-for-research-papers-in-effort-to-influence-policy/

do differentiate between paid and free research ;) Google has been reported to pay for this research....
If people don't care about it, then why use it in the first place.....you can't have it both ways.....
google use it because people do care about it...but they don't want to admit it....because if they admitted it...then they will be at the wrong side of the argument...
so that's why they continue to use it while claiming users don't care.......which is an oxyfool*... if people don't care..then remove it!!...But we know people do care....that's why they continue using it.

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #89 on: August 07, 2017, 11:57:31 AM »
I don’t understand your reasoning.

“google use it because people do care about it...but they don't want to admit it”

Why would they not want to admit that people care about something they have always been doing, if that is indeed the case?

Chrome has more than one billion users. If Google makes bad security decisions for Chrome, it soon gets problematic at a very large scale. Very bad for users means very bad for Google.

Google did not introduce the padlock. I don’t know who did, maybe Netscape. Google was late to the party (2008). In the 1990s, when Netscape created SSL, the situation was very different. Very very few sites used secure connection, and then it made sense to indicate that. And so it did for a long time. Now secure is dominating, and insecure is becoming an exception. Then it makes sense to reverse the indicators. Use a negative indicator for insecure connections (until they disappear), and no indicator for secure connections, which are now standard.

To remove the positive indicator for secure connections, without adding a negative indicator for insecure connections would not make sense. Also, to use a negative indicator for insecure connections would make users get used to it and ignore it, if it is done too soon (when there are still quite many insecure connections).

“But we know people do care....that's why they continue using it.”

How do we know that?

Recently Ryan Sleevi posted Google’s plans for indicators in Chrome¹. Here is an excerpt:

“Thus, our focus is on introducing negative indicators that accurately reflect when there is no connection security, while also working to reduce the confusion introduced by the myriad of positive indicators by aligning to a single, neutral state.”

1 https://cabforum.org/pipermail/public/2017-July/011671.html

 
