We need more phishing sites on HTTPS!
All the books, Montag.
If we want a 100% encrypted web then we need to encrypt all sites, despite whether or not you agree with what they do/say/sell/etc… 100% is 100% and it includes the ‘bad guys’ too.
Extended Validation is Broken
How a certificate with extended validation makes it easier to phish. But I think the title could be amended—here’s what’s really broken:
On Safari, the URL is completely hidden! This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.
Related links
SSL Issuer Popularity - NetTrack.info
This graph warms the cockles of my heart. It’s so nice to see a genuinely good project like Let’s Encrypt come in and upset the applecart of a sluggish monopolistic industry.
Phishing with Unicode Domains - Xudong Zheng
Domains registered with punycode names (and then given TLS certificates) are worryingly indistinguishable from their ASCII counterparts.
Can you spot the difference between the URLs https://adactio.com and https://аdаctіо.com?
TLS Everywhere, not https: URIs - Design Issues
This is a really good point from Tim Berners-Lee: there’s no good reason why switching to TLS should require a change of URLs from http:// to https://
Certified Malice – text/plain
Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.
Related posts
Insecure
Security or access: choose one.
IncrementURL
Jake’s got an idea for improving the security of displaying URLs in browsers.
Someday
Changing defaults in browsers …someday.
This is for everyone with a certificate
The browser beatings will continue until morale improves.
Security for all
I want the web to be delivered over https:// but we might be in for a rough period of transition.