Hackers mostly are using free Comodo certificates?!

Like I’ve also said before, it depends on the data, which is also why there are different types of certificates. For many websites I do not care who they are because the data may not be of external importance but may be internally important, let’s say login information exclusive to that website. I would naturally not care whether the site operator had that information, but I would care if someone else sniffed it out and used it to impersonate me on said website. But for a banking website where the data is also externally important, I would require something better, like an EV cert.

Edit: A big part of this conversation also assumes no prior generated trust, a brand new website without any prestige. (Also I’m going to sleep now and gonna play a lot of Secret World Legends when I awake, I don’t really know when I’ll answer again)

who is that “someone else”?
is it different than the “person receiving your data”?

Someone else other than the intended recipient, i.e. the party in control of the website.

Ideally it would be different from “person receiving your data” because “person receiving your data” should be the party in control of the website and “someone else” is therefore not the party in control of the website. There are however situations where “someone else” and “person receiving your data” could theoretically be the same person, for example if a MITM attack was somehow successful, at that point there would be multiple “person receiving your data” and you’d have to be more specific in your question.

How do you know if that “someone else” is different than the “party in control of the website”? Yes/No?

Did you just ask me to answer a “How” question with yes or no? In that case I would like to answer with: Cat.

Either way, it’s in the definition of ‘someone else’. How do I know that the party in control of the website isn’t someone else? Because if they were then they wouldn’t be the party in control of the website.

I should once again clarify that I am fine with making DV certs show neutral, as long as no cert (http) is shown as negative. I do not, however, equate DV cert with no cert and would therefore not be in favour of a solution that wouldn’t differentiate between the two.

Edit: Also, I feel like we’re going in circles with this and that we simply don’t agree on definitions, however regardless of those definitions I can still see value in your proposal even if I think encryption vs encipher is irrelevant to the issue and given some other implications (like http not being neutral). As it’s nearing 2AM I will retire to bed for now, don’t wait up. :slight_smile:

sure let me ask it again

do you know if that “someone else” is different than the “party in control of the website”? Yes/No?

You didn’t need to ask again, I gave you the answer in the last reply. Besides, why do you need me to answer with either yes or no to a question that may have a more complex answer? I do not see any point to requiring that level of control and will therefore no longer continue this conversation if such control is expected over my responses. Good Night.

Good night :slight_smile:

Stop! You need to read and quote me properly, not only quote what seems to confirm your view and ignore everything that doesn’t! I did not confirm your view.
I quote my first three sentences again:

Need I rephrase that more clearly?
EV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
OV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.
DV does not guarantee that the person I communicate with is not a person I would rather avoid exchanging data with.

Got it this time?

If your view is that OV and EV give such a guarantee, feel free to explain how.

Isn’t the real question here about the level of validation that has to be achieved to receive a certificate.

There is higher trust in a site that has OV or EV because of the documentation required before issuance.

With DV it’s simply ability to receive an email.

And the argument that the user should look at the URL address bar to ensure they arrived
at the right place shouldn’t really come into it as a lot of users wouldn’t know if they did or didn’t.
That’s why we have the visible coloured indication.

If the user doesn’t look at the URL-bar, it will not only not see the URL, but also not the security indicator (if any). How interested is the average user in that “boring” “technical” stuff?

And only if the user knows what security indicator to expect, does it matter what type of indicator the site the user arrives at has. In July 2016, I was quite surprised when I visited comodo.com, and it looked like you see in the attached image. I was surprised because I expected EV, and it was actually DV, through Cloudflare. Does an average user have such expectations?

With more than 70 % of all certificates being DV, it is not unexpected to see a legitimate site using such a certificate. They are a big part of peoples’ daily browsing.

Should browsers display a flashing red “Not secure” whenever DV is used? Does it make sense to cry “wolf” every time you see a dog? No one will listen to you, even when you actually see a wolf.

Users always need to be educated on what to look for when browsing.
And you’re right, it is boring stuff.

So, treat them as dumb and show them what’s secure and what’s not.

People are more likely to notice colours instead of words.

DV may be commonplace and in use by some legitimate sites, but how do you
distinguish between good ones and bad ones?
Bearing in mind that with DV you only need to be able to receive an email.

To give users who are not interested in this geeky stuff isn’t easy. But it’s clear that you must be careful with when you cry “wolf”. If you make a browser that says that sites like https://blog.wikimedia.org/ and https://www.libreoffice.org/ are “Not secure” or similar, no user will take your warnings seriously.

I don’t know how many sites that have a DV-certificate from Comodo, but I know that 47 million sites have a DV-certificate from Let’s Encrypt. For both CAs, a really tiny fraction of the issued certificates are used for phishing. Maybe about 0,6 ‰ (not %) for Let’s Encrypt, based upon Netcraft’s numbers (47 500 blocked sites, and 61 % of them using Let’s Encrypt).

One phishing site is of course one too many, but to flag DV as insecure because a tiny fraction of them are used by fraudsters makes no sense.

Indeed “how do you distinguish between good ones and bad ones?”. Good question. Not by looking at the certificate, but by looking at the content. To protect against fraud, good fraud protection is needed. Good spam filters, so users don’t get fraudulent links in their mailbox, good (fast) URL-blocking, in services like Safe Browsing and SmartScreen. Sadly, those are never good/fast enough.

BTW, I think most users of DV got the certificate through a hosting provider or CDN, by clicking a button in the control panel.

One thing I have noticed throughout this thread is the use of the word ‘looking’.
Looking at the URL address bar.
Looking at the certificate.
Looking at the content.

Now, just to throw this into the mix…imagine the user is blind.

How do we indicate to a blind user that a site is safe or not?

If that user uses verbal feedback to help them navigate, what’s being displayed to verbally feedback to assist them?

If nothing guarantees “that the person I communicate with is not a person I would rather avoid exchanging data with”, then why do you insist on having a positive indicator for DV?

Here is a Twitter post today from the CA Security Council. @CertCouncil

Making #HTTPS #phishing sites easier to spot https://www.helpnetsecurity.com/2017/06/28/https-phishing-sites/ via @helpnetsecurity

It states:
Finally, a CA issuing a Domain Validation (DV) certificate for a domain must only make sure that the applicant has control over the domain in question. It usually does so by sending (and receiving a response from) an email to the email contact in the domain’s whois details or an administrative contact in the domain (e.g. admin@). The CA may have no idea who the applicant for the DV certificate is – the whole process can be anonymous and untraceable.

Consequently, DV certificates offer encryption (i.e. assurance that the traffic to and from the website is encrypted, and therefore the sent sensitive data is known only to the user and the site’s owner), but do not offer proof that the owner of the site is a legal entity (existing organization), or a particular legal entity. In fact, with DV certificates the owner of the site may be completely unknown.

Because it is of value to protect data from eavesdropping and modification during transport.

Did I ever say a positive indicator?

Sure, and I did not try to say they are not different. But I want the discussion to be nuanced. I will not call DV useless, and I will not call EV flawless. (What does it mean for users and their trust that COMODO CA Limited in Salford has been validated by COMODO CA Limited in Salford? “You can trust me because I trust me”?)

So there are scenarios when DV offers sufficient security? Like when I log in on forums using DV, paying attention to the URL?

And I guess most sites with DV are used passively, i.e. without the user entering any information (such as login credentials) on them. Maybe entering some text in a search box.

Is it flawed to click on a link on an insecure site (without TLS) to a site with DV? If that DV-site is unknown to me, it would not be wise of me to blindly trust it. But if the site instead has OV? If I bother to open the certificate viewer I will see a name and a location. Maybe I have never heard of the organisation, or even the city it’s located in. Should I blindly trust it?

I agree that DV should not be used for e-commerce or other financial transactions. I’m even disappointed that one of my banks has OV and not EV.

I think you guys are missing the point here. First, nobody is saying that DV certificates are completely useless. What is being explained here, is that DV certificates are neutral, period. Why?

For example, let’s say that you visit the roughmedia.com website regularly. You receive an email from roughrnedia.com where they ask you to take advantage of and activate a very good, incredible offer. So you click, log in with your personal details… but wait! Your account is no longer private. What happened, what went wrong? You submitted your private data over “a secure ciphered” channel! That’s right, you likely wouldn’t notice in the address bar of the browser that the owner of the website and the DV certificate has replaced the “m” in media with an “r” and an “n” that look very much like an “m.” That’s it for your private data, sent through an “encrypted” enciphered channel.

Why would you need protection from eavesdropping and modification during transport, if the bad guy is the owner of the private key (yes, DV certificate).

We need to think broader and not only for ourselves but for those who have less experience on the web and are more vulnerable.
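The “rn” for “m” swap described in the post above is exactly what a mail filter or link scanner can catch before the user ever sees the page. The following is an added illustration (not code from the thread or from any named product): it collapses link hosts to a lookalike “skeleton” and flags those that match a trusted domain. The sample email, the trusted-domain set and the small confusable table are constructed assumptions.

```python
"""Flag lookalike domains in email links, e.g. "roughrnedia.com" posing as
"roughmedia.com". Sample data below is constructed; this is not code from the thread."""
import re

# Letter sequences that render like one letter in many fonts (checked before single chars).
_SEQUENCE_MAP = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Single characters often swapped for a lookalike: digits and a few Cyrillic letters that
# are visually identical to Latin ones (assumption: a small illustrative table).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "5": "s", "\u0430": "a", "\u043e": "o",
                           "\u0435": "e", "\u0440": "p", "\u0441": "c"})
_LINK_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def skeleton(host: str) -> str:
    """Collapse a hostname so that visually similar names compare equal."""
    host = host.lower().strip(".")
    try:  # expand punycode (xn--) labels to Unicode so Cyrillic lookalikes are visible
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII; nothing to expand
    for seq, single in _SEQUENCE_MAP:
        host = host.replace(seq, single)
    return host.translate(_CHAR_MAP)


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); real code would consult the
    Public Suffix List. Also defeats 'roughmedia.com.<other-domain>' style prefixes."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(host: str, trusted: set) -> tuple:
    """Return ('trusted', d), ('lookalike', d) or ('unknown', None) for a link host."""
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    for t in trusted:
        if skeleton(t) == sk:
            return "lookalike", t
    return "unknown", None


def scan_links(text: str, trusted: set) -> list:
    """Classify the host of every http(s) link found in text."""
    return [(h, *classify(h, trusted)) for h in _LINK_RE.findall(text)]


# Constructed sample: the mail the post describes, plus two more variants.
SAMPLE_EMAIL = """Activate your offer at https://roughrnedia.com/offer today!
Our site: https://www.roughmedia.com/  Mirror: http://r0ughmedia.com/login
Help: https://roughmedia.com.example.net/help"""
TRUSTED = {"roughmedia.com"}
```

`scan_links(SAMPLE_EMAIL, TRUSTED)` flags the first and third link as lookalikes of roughmedia.com, accepts the second, and leaves the fourth as unknown; none of this depends on which certificate type the fraudulent site holds.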

Assuming that the email was not caught by Gmail’s spam filter, and that Safe Browsing did not block the fraudulent site, and that I swallow the tasty bait, and that I am not surprised that Chrome suddenly does not remember my login credentials, and that I do not look at the URL-bar, yes, then I might give my login credentials to some bad guy. Is that DV’s fault? Does roughmedia.com also have DV, or maybe OV? Doesn’t matter, since I did not look in the URL-bar, not to mention the certificate viewer. If the user does not pay attention to anything outside the content area, different indicators for DV, OV and EV do not matter.

There are plenty of bad guys.

I have several times referred to average users, and how they might think and react in various cases. People with average or below average knowledge and interest in the matters we are discussing here are the big challenge for security engineers and UI-designers.

Different indicators for different certificates will not protect those users from fraud. Most people have no idea what a digital certificate is, and the indicator looks different if an image on the page is loaded over an insecure connection (Look at this forum!), so a changed indicator is not really a big thing for users.