
Half of All Phishing Sites Now Have the Padlock - snowy
https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
======
bonestamp2
On the bright side, at least your data won't get stolen by a fourth party
while it's being stolen by a third party.

~~~
erkose
Your data is being sold by the 1st party.

~~~
notatoad
no, you're giving your data to the first party.

~~~
dieterrams
Well, someone's having a party.

~~~
quickben
Data aggregation party. They'll resell it later.

------
vezycash
The many mobile browsers which hide the address bar are training people to
ignore website urls.

Sites who use lots of nonsensical malware-ish url redirects (Google, Microsoft
are guilty) train people to accept random urls.

I guess the chief culprits are email tracking links. Everyone including banks
use them. Often tracking domains have nothing in common with the destination
URL. This teaches people to disable or ignore email provider warnings and
click any link in official sounding emails.

~~~
hanoz
Banks and credit card companies have always been the absolute worst offenders
for this, requiring people to use hidden iframes from all sorts of
acmegenericsecure.net domains, and all the while professing to be the high
priests of good practice with their absurd PCI racket, not to mention asking
people to install random third party software just to use their websites
because browsers apparently aren't good enough.

~~~
woodruffw
Chase likes to send emails from the not-at-all-suspicious "acctmanagement.com"
domain[1].

[1]: https://twitter.com/8x5clPW2/status/1046244493203263488

~~~
Mistri
Their reply to your tweet pisses me off

~~~
heyoni
Not as bad as T-Mobile defending the practice of storing passwords in
plaintext!

~~~
antsar
Defending at least implies engaging with the complaint.

Chase just said "go file a ticket". In other words, "fuck off".

------
jstarfish
Users are not discerning enough to look for the padlock; they'll get taken
either way. They are not the problem here.

The bigger problem with this is that the paths being requested can't be
monitored by intermediary devices unless you're MITMing all outbound traffic.

It becomes impossible to tell whether a domain is simply cybersquatting or if
they're up to something more sinister. '/' may return a parking page, '/login'
may return a phishing page, and '/?id=c4010087800cf4e5753c80c9afbe0fe5' may be
a malware callback, but as far as you can tell from your network logs all
traffic to httpx://www.xn--bbox-vw5a.com is simply requesting '/'.

~~~
Rjevski
I think it’s still a worthwhile trade off.

The percentage of people using network inspection for “good” like
malware/phishing filtering is much lower than the percentage using it for bad
stuff like ad/cancer tracking.

~~~
TeMPOraL
Still, I wish it was easier for me to locally MITM a single application
running on my computer/phone. I find myself wanting to do this roughly every
month.

~~~
Rjevski
There are tools like Fiddler or Charles Proxy that make it easy.

------
girst
Only half? I'd expected them to nearly all use ssl by now. C'mon, phishers,
it's free! ;-)

------
qrbLPHiKpiux
The cycle continues and will continue to cycle. The only proper browsing
hygiene takes place between the chair and keyboard, or touch screen. Sadly, it
won't change. Humans are humans.

------
olliej
Well yes (that it’s only 50% is surprising), but realistically the
presence/absence of a padlock is a terrible security indicator. Long term I
would hope it goes away and you get an “insecure” UI only.

~~~
mr_toad
There are still valid reasons for not using ssl for everything. Internal
facing sites, device admin pages, development servers etc. If I have to deal
with obnoxious warning pages doing local Node.js development & testing I’m
switching browsers.

~~~
olliej
internal facing site: so hopefully no logins, no confidential info, right?
Similar for dev servers.

For local development localhost (and 127.0.0.1, and ::1) is explicitly in the
definition of "secure" used by browsers and the html specs.

Device admin pages are about the only place you could legit claim the ssl
isn't viable (because it isn't). But that's a problem that needs to be solved
- if you can't make a secure connection to your device, then anyone can
intercept the login creds. Those various pairing steps required for a lot of
new devices are explicitly there to act as a side channel to establish trust
(either a shared key, or certs, or whatever) as until you have a source of
trust that isn't from the network, you can't trust anything you receive from
the device (and the device can't trust you).

------
sandov
Noob question, if a.com gets a certificate, then b.a.com can use the same
cert, right? As in the example of the fb impostor in 000webhost.

So, in that same vein, can a TLD get a certificate? For example, com gets a
certificate, so now anything.com has a valid certificate. Also, can I issue a
cert specifically for d.c.b.a.com?

~~~
tialaramex
In the Web PKI, which is what you care about:

A certificate can have an effectively unlimited (CAs impose an arbitrary limit
like 100, nobody is sure the maximum that could work) number of names listed
(the subscriber will have to achieve proof of control for all these names to
get the cert).

Each name can either be an exact fully qualified domain name, and will match
only that single name, or it can be a "wildcard" like *.example.com which
matches any DNS name with exactly one label (a part with no dots in,
essentially) where the asterisk is and the rest an exact match.

Thus, a wildcard in com, even if it could exist (it is forbidden to issue such
a thing) would not match service.example.com only the exact name example.com
itself.
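The matching rule described above, written out as an added example (not code from the thread): a certificate name is either an exact FQDN or a wildcard whose asterisk is the whole leftmost label and stands for exactly one label. The minimum-label check that rejects "*.com"-style names is a simplified stand-in for the Public Suffix List real CAs use.

```python
"""Hostname matching against Web PKI certificate names (added example)."""
from typing import Iterable


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot denotes the root and is ignored.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (a SAN entry) covers hostname."""
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels  # exact FQDN: matches only that name
    # Wildcard rules: the asterisk must be the entire leftmost label, and at least
    # two labels must follow it (simplified assumption that rejects "*.com";
    # real issuance policy consults the Public Suffix List instead).
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # "*" stands for exactly one label: "*.example.com" covers a.example.com
    # but neither example.com itself nor b.a.example.com.
    return len(host_labels) == len(cert_labels) and cert_labels[1:] == host_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """A certificate covers a hostname if any of its listed names matches."""
    return any(name_matches(n, hostname) for n in san_names)
```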

------
nerdponx
I thought this was the point of EV certs.

~~~
M2Ys4U
No, the only point of EV certs is for CAs to make more money.

~~~
blacksmith_tb
Mostly, but to be fair they have also gotten quite a bit cheaper, now merely
hundreds of dollars a year, down from thousands... which is a lot more than OV
or DV, but not a huge bar to entry.

------
upofadown
I remember that people were warned to avoid doing sensitive stuff on websites
without the padlock. I don't remember any attempt to suggest that the padlock
implied some sort of validity.

~~~
Analemma_
Most users do not understand the “necessary but not sufficient” condition.
They need a “if (condition) { SAFE; } else { NOT SAFE; }” test, not an endless
checklist, and the security community has continuously failed to deliver on
this.

~~~
andrewflnr
I'm pretty sure that's actually impossible. If someone registers a domain and
cert that's essentially a homoglyph attack against a common website, you're
basically stuck with heuristics to detect it. You need a global database of
targetable domains that supports similarity checking with arbitrary Unicode.
You need some kind of fuzzy hash of the website to see whether the website
your user is looking at is actually an imitation or just happens to
legitimately have a similar name. It will be messy at best.
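An added example (not from the thread) of the heuristic the comment above describes: decode each label from punycode, normalise it, map a small table of visually confusable characters, and compare the result against a list of protected domains. The confusables table and the protected list are constructed samples here, not the Unicode consortium's full data, and the false-positive case for legitimately similar names is shown in the tests.

```python
"""Heuristic look-alike detection for hostnames (added example)."""
import unicodedata

# Constructed sample: a few Cyrillic letters and digit/letter pairs that resemble Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}

# Constructed stand-in for the "global database of targetable domains".
PROTECTED = ["example.com", "login.example.org"]


def to_unicode(hostname: str) -> str:
    """Decode IDNA (xn--) labels to Unicode; names already in Unicode pass through."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def skeleton(hostname: str) -> str:
    """Reduce a hostname to a canonical 'what it looks like' form."""
    text = to_unicode(hostname).lower()
    text = unicodedata.normalize("NFKD", text)
    # Drop combining marks so accented letters collapse onto their base letter.
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def lookalike_of(hostname: str, protected=PROTECTED):
    """Return the protected domain this hostname imitates, or None.

    Only names whose skeleton collides with a protected domain while not
    being that domain are flagged; the exact name is never a look-alike.
    """
    sk = skeleton(hostname)
    for target in protected:
        if sk == target and to_unicode(hostname).lower() != target:
            return target
    return None
```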

~~~
beatgammit
Whatever happened to the Web of Trust thing? We could have a curated one so
that an extension can indicate:

- whether the domain is substantially similar to a trusted one
- recent data breaches
- whether the site has been known to sell data

Those could be indicated by different, intuitive colors:

- red - high likelihood of phishing/malware
- yellow - recent data breach; user intervention required, but the service itself isn't fraudulent
- green - reasonably safe
- green padlock - trusted

It would be awesome to get all major browser vendors on board to ship it by
default, and make sure that data is never sent upstream (download a database).

~~~
smittywerben
I loved MyWot! I was one of the earlier users around ~2007 until 2009 or so.
It helped teach intuition on sketchy, dangerous, and bloated web pages. The
community was small and plenty of sites were unrated, though a surprising
number still had ratings (and I was fairly active myself).

To answer your question, privacy addons started selling our data. I remember
Adblock Plus added "Acceptable Ads" around 2012. MyWot redesigned in 2013.
Times were changing. Surely enough in 2016 they were found selling sensitive
user data. It's not like this was a surprise, since it's the reason I left
years ago.

These days, I'd rather reduce my browser dependency. I hope the community
finds a way to filter the 1% of useful data on the internet into like a .txt
file, or something that doesn't make me solve puzzles to grep.

------
throw2016
There is something disingenuous and false about those who have been pushing
ssl 'vehemently' on the pretext of concern for end-user privacy and surveillance.

It would be slightly more credible if the response by the tech community both
in comment and action to Snowden and Assange's revelations and invasive
surveillance by Google, Facebook and others was not so embarrassing in
inaction.

One can argue of degrees and doing both, but in this case it seems all the
'concern' gets expended in ssl leaving no energy for the far more pervasive SV
surveillance culture the tech community props up without protest or even
leaks.

~~~
marcosdumay
Do you think things would be better if the effort used to make ssl prevalent
was used to make people stop using Google and Facebook? Let's Encrypt has
received what? A million in funding? I doubt it's much more. Do you think
putting that money into convincing people would lead to a larger change?

------
ecesena
I'd be curious to know how many phishing sites support 2fa, i.e. can also
phish time-based codes. If anyone from PhishLabs is reading... :)

Edit: grammar

------
Fred27
Padlock? I thought it was a handbag.

------
everybodyknows
TL;DR: "Padlock" means the usual icon promising the site has a valid TLS cert.

But well worth skimming through for the excellent Firefox about.config tweak
"network.IDN_show_punycode".

------
cutler
Great so every 3 months when I have to manually renew all the LetsEncrypt
certs I manage for clients I know it's giving them zero protection. Kinda
reminds me of the British Government's decision to insert road humps into all
the roads in the towns and cities of the land just to deter speeding drivers.
All it produced was more work for garages mending damaged exhaust pipes.

~~~
isostatic
Why haven't you automated it? It's not exactly hard to automate the renewal,
that's the great thing about letsencrypt, and the whole point about the 3
month period is to encourage you to automate this stuff.

~~~
cutler
Not possible because the domains are pointed to the webserver from a different
host. It has to be done manually with:

`certbot certonly -d $1 -d www.$1 --manual --preferred-challenges dns-01`

The TXT records have to be edited manually then checked with DNS Toolbox. Once
visible, certbot can be allowed to process.

~~~
yebyen
Any reason you couldn't use the http-01 challenge? I think there are thousands
of people who are using LetsEncrypt and have automated it successfully. So
whatever you just said,

> all the LetsEncrypt certs I manage for clients

... if this contains some technical reason why it won't work, I think that's
the problem.

But I'd be more inclined to believe you if you just told me that your clients
periodically need your assistance for other things, but they weren't going to
call because as every good salesperson knows, "if you don't call, they don't
come"... and since they trust you already, this is a reliable door-opener that
gets you back into their offices, where you get to bill for something, even if
this time they didn't need anything else... it gets you valuable face time and
a pretty reliable, even if only nominal, payday.

If that's not it, then tell me that's not it, but... I think that's what
you're doing. (And there's nothing wrong with that.)

