> Author then claims that just about anybody can get a .gov domain which is untrue.
It didn't take much Googling to find Krebs stating that it's pretty easy: https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-...
Even without an article, it seems obvious to me that a criminal setting up a phishing site wouldn't be deterred by a bit more wire fraud to obtain a .gov.
It's probably not enough.
I think just by the nature of .gov domains, it's going to be very difficult to properly secure them. Even if registration is airtight, an attacker can still use other vectors:
- XSS vuln on a legit .gov page to inject their own content
- Open redirect vuln to redirect a legit .gov link to their page
- Break a .gov server. I'm sure at least one of them is running a WordPress site with a vulnerable plugin
- Break into or social engineer into the DNS server
Don't even need to Google it; that article is referenced and linked directly from the OP.
But in fairness to NIST all of their machines have been smartcard auth only for a while now. Internal services are still under a password rotation policy, but you need a smartcard to access any NIST computer, and smartcard or RSA token for remote access to the network.
So in my opinion it could be a lot worse in terms of an actual security risk. (I am not a security researcher, just a random NIST scientist with personal opinions)
Whatever you talk about with this person can't be heard by anyone outside the room.
This room can only help guarantee that no one outside can hear you, not that the person you're talking to is trustworthy.
If the other person is a thief and you tell them where your valuables are, they could be stolen.
If the other person is trustworthy, you can be sure no one else will hear what you tell them and your secrets are safe.
The soundproof room is HTTPS. The other person is a server.
You could tell someone something like this and provide a lay person with a basic understanding of many fundamental building blocks of the web rather quickly (DNS can be explained as a phone book for example).
Someone who doesn't know what's going on will interpret that as "if this substring appears anywhere, it's safe".
So, the hijacker just needs to create a URL like "https: // united.stat.es/census2020.gov/yourcensus" and fool a loooot of people.
1) .gov means the site is official
2) https:// means it's secure
Author takes #2 out of the context provided by #1 and argues that https:// doesn't necessarily mean it's secure because it could be phishing. However, the point is that it's secure if it's both .gov and https://
Author then claims that just about anybody can get a .gov domain which is untrue.
However, as long as URLs read both right to left and left to right in the same string, it's very hard to communicate to standard people what the "end" is: https://example.com./.gov ends in .gov, and the percentage of people that don't know a - is not a delimiter but / is, and . sometimes is, is high.
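The two look-alike URLs discussed above ("united.stat.es/census2020.gov/yourcensus" and "example.com./.gov") both fail the ".gov" test once the host is actually parsed out of the string rather than eyeballed. The following is an added example, not code from any commenter: it uses Python's standard urllib.parse to extract the hostname, normalises the trailing dot and case, and reports whether the host's last label really is "gov". The function names and the sample URLs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit


def registrable_host(url: str) -> Optional[str]:
    """Return the lower-cased hostname of `url` with any trailing dot removed.

    Returns None when the string has no host at all (for example a bare
    "census.gov/path" without a scheme, which the parser treats as a path).
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # drops userinfo, port and brackets; lower-cases
    if not host:
        return None
    # "example.com." is the fully-qualified spelling of "example.com";
    # strip the root dot so the label check below sees the real last label.
    return host.rstrip(".")


def host_is_gov(url: str) -> bool:
    """True only if the *host* (not the path, not a prefix) ends in the label 'gov'."""
    host = registrable_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Require at least "<name>.gov"; the bare label "gov" is not a site.
    return len(labels) >= 2 and labels[-1] == "gov"


def classify(url: str) -> dict:
    """Break a URL into the pieces a reader confuses, plus the verdict."""
    parts = urlsplit(url.strip())
    return {
        "scheme": parts.scheme,
        "host": registrable_host(url),
        "path": parts.path,
        # Both conditions the thread argues about, evaluated on parsed parts.
        "https_and_gov": parts.scheme == "https" and host_is_gov(url),
    }


if __name__ == "__main__":
    # Constructed samples: the two deceptive forms from the discussion,
    # a fully-qualified legitimate host, and a scheme-less string.
    samples = [
        "https://www.census.gov/2020",
        "https://www.census.gov./2020",
        "https://united.stat.es/census2020.gov/yourcensus",
        "https://example.com./.gov",
        "https://census.gov.example.com/",
        "census.gov/yourcensus",
    ]
    for s in samples:
        print(f"{s!r:55} -> {classify(s)}")
```

The scheme-less case is the one most worth noting: what a person reads as a domain, a parser files under `path`, so any check that relies on `hostname` must first make sure a scheme is present (or prepend one) before deciding.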
Following the author's article around acquiring a .gov domain, it seems as though it was relatively easy for that particular person to obtain a .gov domain.
The argument is that it still may be a phishing attempt even if it does have both https:// and .gov.
But of course we're relying heavily on the article around acquiring a .gov domain being correct.