Hackers mostly are using free comodo certificates?!

Let’s see if I understand authorised rightly.

When I go to a site, I authorise it to exchange information with me. Right? I always go to a site, not to a person or organisation. It’s also not a person who encrypts and decrypts the data.

I go to “DV-site.org”, we shake hands, saying “ClientHello” and “ServerHello”, and “let’s establish a secure connection using the best mutually supported cipher suite”, and so we do (we chose TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), and I can see “DV-site.org”, a site authorised by me, in the certificate. Now, the communication between my computer and the server hosting the site is perfectly encrypted with a modern cipher suite.

in order to keep the focus…my argument is about DV not deserving a “positive indicator”…
are you claiming DV does deserve an indicator?

Also: 2 questions for you pls with yes/no answers.

1)do you agree with this definition of Encryption? Encryption - Wikipedia :encryption is the process of encoding a message or information in such a way that only authorized parties can access it

2)Do you agree that with DV process we do not know who is receiving our data?

(please keep the discussion to just DV process as it becomes unmanageable to discuss about all the problems about everything if you bring everything else, I am more than happy to discuss other issues once we solve the DV issue as it will create the foundation for the discussion).

Btw: If you define what “Identity” is in legal terms, it will help the understanding. You clearly differentiated between Identity and site with your following statement
“When I go to a site, I authorise it to exchange information with me. Right? I always go to a site, not to a person or organisation.”. You accept both a person and organization is “identity” vs just domain name. These are discussions we can have after you answer the above questions pls.

Yes, for what it does (keeps data private between two ends, client and server). OV may well have a different indicator, more like EV.

Yes, with the understanding of authorised described above. My computer and the server it’s connected to are the two authorised parties.

We do not know what person(s) have access to the server and the information it recieves. (When do we know that?)

A site is not a legal identity, it’s just software on a server. A person is, if we have its full name and personal identity number (whatever that may be called in other countries). For an organisation the corresponding number (organisationsnummer in Swedish) would be required.

keep it “private” from whom?

From anyone who might be trying to read and/or tamper with the data being transported between the client and the server.

How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?

Do I ever know that?

So, for the forums with DV-certificates where I log in frequently, the pre-established trust is authentication enough?

And to return to your article, is the real problem DV, or is it that a person who enters its login credentials on what looks like a PayPal-site, but has a totally different URL, did not look at the URL-bar at all, not noticing the incorrect URL and the missing EV-indicator?

again, if you answer the question we can progress the discussion.

How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?

Can you clarify your question with an example? With my current understanding of the question, the same issue applies to every other certificate as well, so I must not understand the question correctly.

I wrote extensively in my blog.

I don’t know that, regardless of DV, OV or EV. There is no guarantee. Just like there is no guarantee that a piece of software with a valid digital signature – with the vendor’s name in it – be secure and safe to use.

So what is the real issue in the PayPal-case in your article?

Is it that the fraudulent site has a DV-certificate? No, a fraudster is as fraudulent if its site has an OV-certificate, or even EV.

Is the issue that the browser has the same indicator for DV and OV (while PayPal’s site has an EV-certificate, which looks different, at least on desktop browsers, which is what your screenshot shows)? Neither DV nor OV look like EV, so no, that is not an issue in this case, as it already looks different from the real site. But the fraudulent site in your article has a URL that is very different from paypal.com. If a person does not notice that fundamental difference, it will also not notice different indicators, unless you make it red and flashing or something like that.

To help that person to not fall for the fraud, the warning must look something like this (the way it looks in Chrome and Firefox): https://phishing.safebrowsingtest.com/ And that has nothing to do with the certificate.

Ahhhh, thank you Melih. I see it pretty clearly now (crystal clear).

Guys, just read Melih’s post slowly and try to understand the reality behind it:

In simple terms, the definitions:
To Encrypt = your private information ciphered + authorized party you know/want deciphers (trusted)
To Encipher = your private information ciphered + ? (untrusted)

As you can see, the process of encryption involves something more than just merely encipher data. It also involves a process to ensure that an authorized party decode and read your data. Without the latter your ciphered data is insecure even if its ciphered because you don’t know who really is the identity or person behind.

DV does only Encipher your data (period). DV doesn’t provide Encryption (see meaning above), hence it doesn’t deserve a “secure indicator” as Melih states.

While I personally think making a point about encryption and enciphering is irrelevant, I still disagree with this. The authorised party in this case is whoever has proven that they are in control of that website via a DV certificate. An authorised party does not need to be a party that I know the identity of, if I visit domain.com and they’re using a DV cert then I know I’m at domain.com and consequently I am giving the people in control of domain.com the status of “authorised party”. One can of course go one step further with this and say that EV certs don’t perform encryption either, you don’t know that the people on the other end does with the data they receive, they could be sharing it with the NSA for example, and suddenly not ONLY the authorised source got the data. That is however irrelevant for the technological scope of encryption, which also applies to DV certs.

The confusion you seem to be having is that an authorised party needs to be identified with a name as well, no such identification is needed, the only thing you need to know is that they’re in control of the website you’re trying to visit, and that’s what DV certs provide.

Beyond that I see no reason to differentiate between encryption and enciphering, looking beyond Wikipedia, what does Dictionaries say? Encrypt: “to encipher or encode”, “to change electronic information or signals into a secret code (= system of letters, numbers, or symbols) that people cannot understand or use on normal equipment”, “1. Encipher 2. Encode” But I concede that encryption may differ from enciphering, but not enough to make it a point, a point that still doesn’t hold up when examined.

I should also clarify that I would be okay with giving DV certs a neutral indication, with the condition that no certs (http) gets a negative indication. Either way I also like how Vivaldi treats it, it doesn’t say “SECURE”, it just shows a tiny green faded padlock for DV certs, see attachments for examples.

That’s why DV does not deserve a positive indicator.

Now that we established DV doesn’t deserve a positive indicator, we can talk about if EV deserves a “positive indicator”.
With EV: do you know either the person or legal entity you are connecting to?
The answer is yes. These are vetted legal entities. You are trusting CAs to have vetted this for you.

:-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU
Thank you for taking the time to read it. It is uncharted territory and will need a lot of focus to fully understand. You have 100% got it though, kudos to you! Now you can help me explain this to people pls :slight_smile:

You are missing the point: You are using Encryption to “avoid bad people”…the guy who you are sending the data using DV could very well be that 'bad people"…you simply do not know! Because you don’t know, because you can’t vouch, you can’t say its “secure” or even “private”…you can say you “enciphered the data” thats all…

Because you don’t identify neither the “authorised party” nor the bad people you are trying to avoid, you do not know if they are not the same people!

And I do not agree with this. In this case I am not using encryption to “avoid bad people”, I am using it to make sure that only the ‘authorised party’ can read the data I’m sending them, and that only I can read the data they are sending me, and this authorised party are those in control of the website, whether they are good or bad. Of course if I was doing something like banking etc I would require a higher level of trust, one which a DV cert wouldn’t provide.

Besides, you’ve just changed the definition by saying encryption is to “avoid bad people”, recently it was just authorised party. If I’m connecting to the website where I can hire murders, I’m connecting to bad people, but I still want that connection to be encrypted because I’d want to avoid the good people. Yes that’s a weak argument but either way encryption doesn’t require a bad party present at all and nor do I use it as such either.

Edit: Also I can say that it’s secure, the connection is secure and I can say that it’s private, why would I not? If I couldn’t say it’s private then I wouldn’t with EV as well since they can share the data with the NSA if they want. What happens beyond the technological is irrelevant when discussing the technological.

who is the “authorized party”?

As I’ve said, the people in control of the website that you are visiting, their exact identities are not needed to make them authorised.

Edit: As another thought exercise, since those seem to be popular here, Imagine a website owned by an organisation, and they’re using an EV cert. Now lets imagine X government raids this organisation and takes over the website and start collecting logs. You as a user won’t be any wiser, therefore you’re now not sure exactly who you are trusting, you only know who the certificate was issued to. Suddenly it’s no longer encryption?

So let me get it straight…

You want to “enchipher” your data for someone you don’t know and you don’t care who they maybe?