https är inte lika med säker domän

https kan misstolkas som Säker

Det betyder egentligen endast att trafiken är krypterad, och det är i sig bra! Men det betyder inte att du har fått en krypterad förbindelse med den du tänkt dig.

Domännamn = omkring sista punkten före snedstreck

Det registreras tusentals med certifikat som krypterar kommunikationen med sajter som ser exakt likadana ut som den du tänkt besöka men adressen är inte exakt utan endast snarlik.
Du går till den domän som står före och efter den sista punkten och innan ett eventuellt snedstreck.

Exempel på falska domäner;

  1. servicesonline-americanexpress.com
    Det är inte en punkt innan americanexpress.com.
    Hela adressen är domänen men man kan tro att det är servicesonline hos American Express
  2. dropbox.com.login.verify.danaharperandfriends.com
    Det är inget snedstreck efter dropbox.com.
    Domänen är danaharperandfriends.com
  3. login-appleid.com-direct-apple.com
    Det är inte en punkt innan appleid.com och det är inte heller något snedstreck efter appleid.com.
    Domänen är com-direct-apple.com

Vissa internet-program visar i svart det som är själva domännamnet. Alla program ger också möjlighet att se vem certifikatet är utställt till, vanligen genom att klicka på hängläset.

Mer om falska certifikat hos Netcraft, https://toolbar.netcraft.com/stats/certificate_authorities.

Google Chrome skriver inte längre att en sajt är säker bara för att den har https. https://blogg.loopia.se/tag/google-chrome/.

Put your trust in green certificates. They are Extended Validated!

Extended validated server certificates may be shown as a green address. They are expected whe the transactions you do with the site is extra valuable, eg banking and health businesses.

An EV Certificate is a quite new type of certificate that is designed to prevent phishing attacks better than normal SSL certificates An SSL Certificate Provider has to do some extensive validation to give you one including:

  • Verifying that your organization is legally registered and active
  • Verifying the address and phone number of your organization
  • Verifying that your organization has exclusive right to use the domain specified in the EV Certificate
  • Verifying that the person ordering the certificate has been authorized by the organization
  • Verifying that your organization is not on any government blacklists

EV Certificate image at sslshopper.com

https://www.sslshopper.com/cheapest-ev-ssl-certificates.html

It is even better if the Certificate Provider is one that can be trusted.

Network security monitoring vs supply chain backdoors

On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

Network security monitoring vs supply chain backdoors

 

Amazon, Apple Servers Completely Compromised by Chinese Hardware Backdoors

For years, security researchers have warned that unscrupulous hardware manufacturers or foreign governments could hijack the manufacturing process, installing backdoors into equipment that would be difficult to detect or stop. Now, we’ve caught the Chinese red-handed, and the fallout could be ugly.

An extensive report from Bloomberg details how Amazon’s investigation into deploying servers manufactured by Elemental Technologies led to the discovery of hardware backdoors smaller than a grain of rice. The chips had been hidden on Supermicro motherboards.

After discovering the chips in 2015, the government spent three years investigating the situation. They’ve determined that the hardware creates “a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

Amazon, Apple Servers Completely Compromised by Chinese Hardware Backdoors

Amazons reply:
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

What if the Bloomberg story is true?

Hard(ware) questions about government hacking: what if the Bloomberg story is true?

Tim Berners-Lee tells FastCompany about his radical new plan to upend the World Wide Web

This week, Tim Berners-Lee, ”inventor of the World Wide Web”, will launch Inrupt. It’s mission is to turbocharge a broader movement afoot, among developers around the world, to decentralize the web and take back power from the forces that have profited from centralizing it.

On his screen, there is a simple-looking web page with tabs across the top: Tim’s to-do list, his calendar, chats, address book. He built this app–one of the first on Solid–for his personal use. It is simple, spare. In fact, it’s so plain that, at first glance, it’s hard to see its significance. But to Berners-Lee, this is where the revolution begins. The app, using Solid’s decentralized technology, allows Berners-Lee to access all of his data seamlessly–his calendar, his music library, videos, chat, research. It’s like a mashup of Google Drive, Microsoft Outlook, Slack, Spotify, and WhatsApp.

The difference here is that, on Solid, all the information is under his control. Every bit of data he creates or adds on Solid exists within a Solid pod–which is an acronym for personal online data store. These pods are what give Solid users control over their applications and information on the web. Anyone using the platform will get a Solid identity and Solid pod. This is how people, Berners-Lee says, will take back the power of the web from corporations.

“We are not talking to Facebook and Google about whether or not to introduce a complete change where all their business models are completely upended overnight. We are not asking their permission.”
Game on.

https://www.fastcompany.com/90243936/exclusive-tim-berners-lee-tells-us-his-radical-new-plan-to-upend-the-world-wide-web

You Gave Facebook Your Number For Security. They Used It For Ads.

Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes—to set up 2FA, or to receive alerts about new logins to their account—that phone number can become fair game for advertisers within weeks. (This is not the first time Facebook has misused 2FA phone numbers.)

But the important message for users is: this is not a reason to turn off or avoid 2FA. The problem is not with two-factor authentication. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular. Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Google wants to get rid of URLs but doesn’t know what to use instead

Their complexity makes them a security hazard; their ubiquity makes replacement nigh impossible.

Sometimes URLs are explicitly typed by users; other times they’re opaque and hidden behind hyperlinks. Some URLs are good for sharing, others aren’t. Sometimes they’re shown on devices with abundant screen space, other times they’re so cramped that only a fragment of the URL can ever be seen.

https://arstechnica.com/gadgets/2018/09/google-wants-to-get-rid-of-urls-but-doesnt-know-what-to-use-instead/

IDN homograph attack

An example of an IDN homograph attack; the Latin letters ”e” and ”a” are replaced with the Cyrillic letters ”е” and ”а”.

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character ”a” is replaced with the Cyrillic character ”а”.

This kind of spoofing attack is also known as script spoofingUnicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. Their incorrect or malicious usage is a possibility for security attacks.

https://en.wikipedia.org/wiki/IDN_homograph_attack