Chrome 90 new settings: good and bad news

First the good news. Starting with the release of Chrome 90 by Google in mid-April, Chrome will by default try to load a site over a connection secured with Transport Layer Security (TLS), that is, over HTTPS.

These are the sites that show a padlock in the Chrome address bar (URL bar).

The bad news is that just because a site is protected by HTTPS does not mean that it is trustworthy.

A few years ago, Wordfence, a well-known WordPress security company, found that certificate authorities (CAs) were issuing SSL certificates to phishing sites pretending to be other sites.

Because the certificates are valid, even though they are installed on fraudulent sites, Chrome will mark these sites as secure. So the data sent over that connection will not be safe.

Of course, CAs are not supposed to issue certificates to fake sites. Unfortunately, it happens.

A perfect example: it was revealed that Let's Encrypt, a free, open and automated CA, had been used to issue thousands of SSL certificates for phishing sites that illegally use "PayPal" as part of their name. And it's not just PayPal. Google, Microsoft and Apple have also had their names used as part of malicious URLs on phishing pages.
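One check a defender can run over certificate-transparency data, given here as an added example that is not part of this article or of any tool it mentions: flag certificate subject names that carry a protected brand (PayPal, Google, Microsoft, Apple) outside the brand's own registrable domain. The certificate entries are constructed sample data and the brand-to-domain mapping is an assumption.

```python
# Added example, not from the article: spot certificates whose hostname
# borrows a brand name but is not under that brand's own domain.
# Brand -> registrable domains assumed to belong to the brand (assumption).
BRANDS = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}

# Constructed sample of certificate-transparency style entries:
# (subject hostname, issuer). Each one would show a padlock in Chrome.
SAMPLE_CERTS = [
    ("www.paypal.com", "DigiCert"),
    ("paypal.com.secure-login.example", "Let's Encrypt"),
    ("login-paypal-verify.example", "Let's Encrypt"),
    ("accounts.google.com", "Google Trust Services"),
    ("google-support-help.example", "Let's Encrypt"),
    ("news.example.org", "Let's Encrypt"),
]


def registrable_domain(hostname):
    """Naive eTLD+1 (last two labels). Production code should use the
    public suffix list so that names like 'paypal.co.uk' are handled."""
    labels = hostname.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brands(hostname):
    """Brands whose name appears anywhere in the hostname while the
    hostname's registrable domain is not one the brand owns."""
    host = hostname.lower()
    owner_domain = registrable_domain(host)
    return [b for b, owned in BRANDS.items()
            if b in host and owner_domain not in owned]


def suspicious_certs(entries):
    """Return (hostname, issuer, brands) for every entry worth a look."""
    flagged = []
    for hostname, issuer in entries:
        brands = impersonated_brands(hostname)
        if brands:
            flagged.append((hostname, issuer, brands))
    return flagged


if __name__ == "__main__":
    for hostname, issuer, brands in suspicious_certs(SAMPLE_CERTS):
        print(f"{hostname} (issued by {issuer}) imitates {', '.join(brands)}")
```

A valid certificate on every flagged name is exactly the situation the article describes: the padlock says the connection is encrypted, not that the site is who it claims to be.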

And it is not only that the CA process can be abused. Paul Walsh, founder and CEO of the security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, says there are many other problems with our naive belief that HTTPS alone is enough to secure our connections on the Internet.

Walsh tweeted, "When DNS-based security systems first came out, most of the web was not encrypted and attackers were not using trusted domains like Google, Microsoft, GitHub, etc. So it was effective in the past, but it is less effective today."

When the leading free CA, Let's Encrypt, launched in 2015, less than a fifth of websites had HTTPS. Today, 82.2% of sites are covered.

But that was then. There are other problems today.

First, Walsh believes that what Google is doing (enforcing HTTPS) is "theoretical, but its execution sucks. I think it is immoral for a company to make people think that it is right for every website creator and every person who uses the web."

Walsh is not the only one who feels this way: "Enforcing https is a stupid idea."

In addition, as Walsh observed in his site security analysis, "the key [URL] padlock is designed to inform users when their link to a site is encrypted. A padlock does not represent trust or identity. They should make the site's identity more obvious - like a separate icon on the toolbar - making it completely separate from the padlock."

In other words, you can put a padlock on a site that pretends to be the real Amazon, eBay or PayPal. Fail.

This is not just a matter of fake websites with real HTTPS certificates. Walsh points out that Modlishka attacks put a reverse proxy between you and the site you want to visit.

It looks like you are connected to the real site, because you are getting authentic content from the legitimate site, but the proxy is silently relaying all your traffic to and from the Modlishka server.

So your "credentials and sensitive data, such as a password or a wallet, entered by the user are automatically passed on to the attackers. The reverse proxy also prompts users for their 2FA tokens when prompted by the website. Attackers can then harvest these 2FA tokens in real-time to access victims' accounts."

Apart from the above, Walsh is not at all convinced that free and easy HTTPS certificates are a good thing:

"The volume of cyberattacks that use automatically issued free certificates has weakened the Internet's trusted computing base (TCB) in my opinion. And free certificates pose an existential threat to the security and well-being of society."

The answer? According to Walsh, CAs and browser vendors should:

  • Tighten the identity-validation procedures.
  • Reduce the cost, time and effort of obtaining identity verification.
  • Browser vendors need to add a separate identity icon on the browser toolbar, next to the padlock.
  • Browsers must improve the user experience so that the true identity of a website is intuitive.

Then, and only then, will the Web be on its way to being truly secure.

iGuRu.gr

Written by giorgos