Aral Balkan
@aral@mastodon.ar.al  ·  activity timestamp last week
@ErikvanStraten @letsencrypt Yeah, a security certificate doesn’t guarantee who owns a particular end point, only that the entity that controls it has access to the private key that was used when the certificate was issued so as to mitigate MITM attacks.

As far as the Small Web is concerned, that’s a fact of life we have to contend with (I’d much prefer a decentralised system like DANE had succeeded) but I definitely don’t want more hurdles and/or information. You want to be anonymous on your personal site? Go right ahead. There’s no reason to prove that a person quite possible exploring an aspect of themselves at rainbows-and-butterflies.org is actually Jane Someone.

We just have different use cases, basically.
Erik van Straten
@ErikvanStraten@infosec.exchange  ·  activity timestamp last week
@aral : different use cases indeed, but for ordinary end users there is no way to reliably distinguish between them - unless a different browser would be needed.

Unreadable domain names will make even more people skip looking at their browsers address bar.

A (quick&dirty) mockup of what I'd like browsers to show in case of an IPv6 address, can be seen below (of course I'm fully open to discussion regarding layout, contents and the "one year" period).

Note: important is that the user can distinguish between such information provided by the browser, to not be fooled by a webpage that fakes such info (how is probably device-, OS- and browser-dependent).

If ownership information *is* available in the certificate, the browser should show that - and provide an indication of the *reliability* of such information.

@letsencrypt

#Phishing#PhishingPrevention#SecureTheInternet #SaferInternet

A mockup of which information a browser should show to the user. At the top, an address bar reading (without both "): "https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/" Text follows: "This is the first time (in at least one year) that you visit the website with the domain name or IP address shown in the address bar above. Your browser cannot provide you with reliable information regarding who currently owns said domain name or IP address. We suggest that you contact the person or organization via a secure channel to determine whether this exact domain name or IP address belongs to them, and continue only after confirmation about this website's authenticity. Please choose one of the following:" Three buttons are visible below that line: [ Cancel ] [ Trust this website once ] [ Trust this website (without visits for 1 year) ]
A mockup of which information a browser should show to the user. At the top, an address bar reading (without both "): "https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/" Text follows: "This is the first time (in at least one year) that you visit the website with the domain name or IP address shown in the address bar above. Your browser cannot provide you with reliable information regarding who currently owns said domain name or IP address. We suggest that you contact the person or organization via a secure channel to determine whether this exact domain name or IP address belongs to them, and continue only after confirmation about this website's authenticity. Please choose one of the following:" Three buttons are visible below that line: [ Cancel ] [ Trust this website once ] [ Trust this website (without visits for 1 year) ]
A mockup of which information a browser should show to the user. At the top, an address bar reading (without both "): "https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/" Text follows: "This is the first time (in at least one year) that you visit the website with the domain name or IP address shown in the address bar above. Your browser cannot provide you with reliable information regarding who currently owns said domain name or IP address. We suggest that you contact the person or organization via a secure channel to determine whether this exact domain name or IP address belongs to them, and continue only after confirmation about this website's authenticity. Please choose one of the following:" Three buttons are visible below that line: [ Cancel ] [ Trust this website once ] [ Trust this website (without visits for 1 year) ]
Erik van Straten
@ErikvanStraten@infosec.exchange  ·  activity timestamp last week
@aral wrote: "If your friends and family are trying to phish you, you have bigger problems."

Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.

The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.

As if phishing is not already the nr. 1 problem on the internet.

Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read https://infosec.exchange/@ErikvanStraten/113079966331873386 ?)

@letsencrypt

#Phishing#LetsEncrypt#DNS#DomainNames#Identification#Authentication
Erik van Straten
@ErikvanStraten@infosec.exchange  ·  activity timestamp last week
@aral : what a brilliant idea!

*NOT*

Meaningless, unreadable & impossible to remember long domain names that do not fit in address bars of mobile browsers...

And adding '[' and ']' to make even more people skip reading address bars because they don't understand what's in it.

Phishers will love them though.

@letsencrypt

#Phishing