Chrome 90 new settings: good and bad news

First the good news. Starting with the release of Google Chrome 90 in mid-April, Chrome will by default try to load the version of a website that is secured with Transport Layer Security (TLS).

These are the sites that show a lock on the Chrome address bar (URL).

The bad news is that just because a site is protected by HTTPS does not mean that it is trustworthy.

A few years ago, WordFence, a well-known WordPress security company, discovered that certification authorities (CAs) were issuing SSL certificates to phishing sites that pretend to be other sites.

Because the certificates are valid, even though they are installed on fraudulent sites, Chrome lists these sites as secure. So the data sent over such a connection is not safe.

Of course, CAs are not supposed to issue security certificates to fake sites. Unfortunately, it happens.

A perfect example: it was revealed that Let's Encrypt, a free, open and automated CA, had been used to generate thousands of SSL certificates for phishing websites that illegally use "PayPal" as part of their name. And it's not just PayPal. Google, Microsoft and Apple have also had their names used as part of malicious URLs on phishing pages.

And abuse of the CA process is not the only issue. Paul Walsh, founder and CEO of the security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, says there are many other problems with our naive belief that HTTPS alone is enough to secure our Internet connections.

Walsh wrote on Twitter: "When DNS-based security services first appeared, most of the web was not encrypted and attackers did not use trusted domains such as Google, Microsoft, GitHub, etc. It used to be that way in the past, but it's less effective today."

When the leading free CA, Let's Encrypt, launched in 2015, less than a fifth of websites had HTTPS. Today, 82.2% of sites are covered.

But that was then. There are other problems today.

First, Walsh believes that what Google is doing (enforcing HTTPS) is "theoretical, but its execution sucks. I think it is immoral for a company to make people think that it is right for every website creator and every person who uses the web."

Walsh is not the only one who feels like this: "Enforcing https is a stupid idea."

In addition, as Walsh observed in his site security analysis, "the key [URL] padlock is designed to inform users when their link to a site is encrypted. A padlock does not represent trust or identity. They should make the site's identity more obvious - like a separate icon on the toolbar - making it completely separate from the padlock."

In other words, you can put a valid certificate on a site that pretends to be the real Amazon, eBay or PayPal, and the padlock will light up all the same. Failure.
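The padlock answers only "is this connection encrypted?", never "does this domain belong to the brand it advertises?". The following added example (written for this article, not code from Walsh, MetaCert or Google) keeps those two questions apart: it extracts the registrable domain of a URL and checks it against a constructed list of brand domains, so a host such as the phishing-style "paypal.com.secure-login.example" scores as encrypted yet a lookalike. The brand list, the `.example` hostnames and the short public-suffix table are all illustrative assumptions.

```python
from urllib.parse import urlsplit

# Brand keyword -> registrable domains that legitimately belong to that brand.
# Constructed, illustrative mapping; a real deployment needs a maintained list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}
# A few multi-label public suffixes so the naive splitter handles them.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'. Naive stand-in for the Public Suffix
    List: last two labels, or three when the last two are a known suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Keep the two questions a padlock conflates apart.

    'encrypted' only says whether the scheme is HTTPS; 'identity' says whether
    the registrable domain belongs to the brand the hostname advertises. A
    lookalike host with a valid certificate scores encrypted=True and
    identity='lookalike'. Substring matching is a heuristic and can
    false-positive (e.g. 'pineapple'); tune the keyword list before relying on it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host) if host else ""
    brands = sorted(b for b in BRAND_DOMAINS if b in host)
    if not brands:
        identity = "unknown"
    elif all(owner in BRAND_DOMAINS[b] for b in brands):
        identity = "legitimate"
    else:
        identity = "lookalike"
    return {"host": host, "registrable_domain": owner,
            "brands_in_hostname": brands,
            "encrypted": parts.scheme == "https", "identity": identity}
```

Running `classify_url` over a proxy or DNS log is one way to surface hosts that carry a brand name without belonging to that brand, independent of whether they had a valid certificate.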

This is not just because of fake websites with real HTTPS certificates. Walsh points out that Modlishka attacks create a reverse proxy between you and the site you want to visit.

You appear to be connected to the real thing, because you are receiving genuine content from the legitimate site, but the proxy silently relays all your traffic to and from the Modlishka server.

Thus, your “credentials and sensitive information, such as a or a wallet address entered by the user, are automatically passed on to the attackers. The reverse proxy also prompts users for their 2FA tokens when prompted by the website. Attackers can then harvest these 2FA tokens in real-time to access victims' accounts.”

Apart from the above, Walsh is not at all convinced that free and easy HTTPS certificates are good:

"The volume of cyberattacks that use automatically issued free certificates has weakened the Internet's most reliable computer base (TCB) in my opinion. And free certificates pose an existential threat to the security and well-being of society."

The answer? According to Walsh, CAs should:

  • Tighten their identity verification procedures.
  • Reduce the cost, time and effort of obtaining identity verification.
  • Browser vendors need to add a separate identity icon to the browser toolbar, next to the padlock.
  • Browser vendors need to improve the user experience so that the true identity of a site is intuitive.

Then, and only then, will the Web be on its way to being truly secure.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
