We need more phishing sites on HTTPS!
All the books, Montag.
If we want a 100% encrypted web then we need to encrypt all sites, despite whether or not you agree with what they do/say/sell/etc… 100% is 100% and it includes the ‘bad guys’ too.
Certified Malice – text/plain
Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.
Related links
SSL Issuer Popularity - NetTrack.info
This graph warms the cockles of my heart. It’s so nice to see a genuinely good project like Let’s Encrypt come in and upset the applecart of a sluggish monopolistic industry.
The Line of Death – text/plain
A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.
Extended Validation is Broken
How a certificate with extended validation makes it easier to phish. But I think the title could be amended—here’s what’s really broken:
On Safari, the URL is completely hidden! This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.
Related posts
Insecure
Security or access: choose one.
This is for everyone with a certificate
The browser beatings will continue until morale improves.
Security for all
I want the web to be delivered over https:// but we might be in for a rough period of transition.
Insecure …again
Breaking the web for security.