> And that's the price we pay for anyone being able to buy their own domain and run their own secure site.
No, that's the price we pay for using a name resolution system from the 80's (70's?) that was not built with trust validation in mind, decoupled from the infrastructure we use to establish domain ownership and authority. And also without user friendliness or a layman's ability to independently validate authority in mind. e.g.: reverse order of hierarchy where in English you read left to right but DNS has least authoritative/lowest level on the left and most authoritative on the right, why would I evaluate trustworthiness of site.com if 'secure' is evaluated first in secure.site.com (another example: google.com.site.info).
Yes, very wrong conclusion. The author blames cheap domains and easy to get HTTPS. You could as well blame cheap computers, cheap internet access, cheap electricity.
Since that looked like an SMS, I would report it to your mobile provider, let them track who sent the message.
The Internet became the standard for global networking in the 1990s by being an informal trust based system where the competition was things like Al Gore's Information Superhighway - these other hypothetical systems were centralized extension of something like a cable TV network and essentially had all the bad things we decry in today's Internet and none of the good.
Which is to say, the lack of centralization in DNS or whatever aspects one might name in the Internet (IP addresses, etc) allows bad actors from below to do their terrible things.
But the lack of centralization also prevents bad actors from above from doing their terrible things. Centralized DNS is already a target - cable companies were complaining to Congress about Firefox enabling secure DNS and keeping them from MITM traffic.
No, it’s the price you pay for trusting concepts that are not intended to be trustworthy. No matter what you come up with, as long as you train people to do things wrong there will always be a way to fool them.
No company should send messages containing a url that requires login, payment data or the like. People should go to these places by typing the url or by using their own bookmarks.
I think it's time stuff like domains and basic internet things like that need to become part of the school curriculum. Education is the only way to combat these things.
The price we pay (scammers registering date based domain names) is due to the name resolution system being decoupled from the infrastructure we use to establish domain ownership and authority? How is looking up the domain supposed to give you more validation than the domain being assigned in the first place?
Right now that infrastructure is the only thing in the stack that actually does any validation (you get your cert because you have the name). There isn't any other validation infrastructure to couple it to for it to be "decoupled".
For some time I've wondered what the internet would look like if we used reverse domain notation (like with software package identifiers), which I think would mitigate this issue.
`com.01-01-2020-billing.secure.hsbc` or whatever looks a hell of a lot more dodgy. But I presume it comes with a whole lot of issues of its own.
This is probably unpopular but I think domains should just cost more. We don't all need our own name as a domain. Make them cost $500 or $1000 a year. [This money goes to ICANN, W3C, etc.] That is nothing for a business but would make scammers and link farms (more) unprofitable. You could still make .org free but it requires sending 501c3 (or similar) documentation to the registrar.
If you want a phone line you have certain fees for 911 and other regulations to help pay for the infrastructure and this is very similar in terms of a naming and communication service.
Their real domain is SOMECOMPANYNAMEHERE.COM but as you see they made a special domain just for email clicks. I thought at first this was a scam email, but then tried clicking and sorted out that it redirects to the real site and login.
But man, you can't even easily trust real emails if you're paying attention, I don't know how regular people will defend against stuff like this.
This likely happens to prevent the primary domain from being blacklisted. Many companies including key ESPs will register multiple domains to combat potential spam listings and blacklists. It's possible they rotate through a number of similar domains to ensure if any are blocked they have backups available for use until those get unblocked.
One problem is that if a subdomain gets hacked it can be used for XSS as subdomains are trusted by the TLD, which might be a reason why they don't want every division to use a domain under the TLD.
There's been a lot of talk about the benefits of browsers showing URLs in a stylized way that makes it more obvious to the user what is the domain and what is not the domain.
I should have realized this earlier but: it's also important to have anything that displays clickable URLs (like a messaging app) to also style the URL to help it be more obvious what domain is being linked to.
The problem of better stylized URLs is so much bigger than browser URL bars that show where you are right now; it's also everywhere that displays clickable URLs.
How you get to a page can't matter in terms of security or you've already lost the battle. What's important is once you're on the page you can validate where you are.
> Money and technical expertise used to be strong barriers to prevent people from registering scam domains
That should not be, and should never have been considered the main line of defense against that.
This guy has it backwards. The problem is not that it's affordable or accessible. It's that there's no clear alternative to user vigilance to truly avoid these scams.
Too bad domain names are generally written in the 'wrong' order. These issues would have been preventable if domain names were written the following way: https://org.example.www/index.html
I remember (very vaguely) reading into the debates around domain name sequence and being irritated that natural readability won out over scope order. Codified so deeply for so long that there's no hope of ever changing it except in limited circumstances (Java class hierarchy for example).
Web-based phishing has become a game of speed. Domains are not expected to survive more than an hour (and few do), even with all kinds of countermeasures in place (browser / geo detection, destroy-after-first-use links, etc). Yet it's still economically viable to do. Companies offering blocking products like Google Safe Browsing have been forced to increase the frequency of their blacklist, up to the point where Google had to resort to checking suspicious URLs against their online database rather than a cached local index.
This is a classical arms-race and will only intensify. With domains that look generic enough and only serve malicious traffic when hit with the right URL, parameters, user-agent and geographical location, blocking will have to rely on sourcing these URLs directly from the targeted endpoints (e.g. SMS/WhatsApp/Email), rather than "crawling" or relying on users to report these. Another approach is to do some of the blocking locally, which of course means pushing the detection logic to the client and thus exposing the classification mechanism. Neither approach is sustainable long-term in my opinion.
>Domains are not expected to survive more than an hour (and few do),
So if they have solved the problem why are we still complaining about it? All you need to do is show a big warning message for domains that are younger than 1-2 days.
It seems to me that a list of known good domains provided by a large browser vendor (Google) with extra treatment in the browser might be the most effective against phishing and other scams.
This could be sold as an add-on for a certificate, or something like that, with a just high enough barrier for proving authenticity. Known-good domains could then get additional treatment, like a blue padlock or one with a star (ok, I'm not an icon designer).
Of course you can argue against it on a freedom basis, but I think for protecting vulnerable web users it'd be pretty useful.
Wouldn't a soundex-like algorithm catch the similarity between the legit domain and a substring of the malicious one? An alert could be fired upon reception from any address resembling domains where online transactions or any other sensitive activities are involved.
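As an added illustration of two suggestions in this thread, the idea of styling a clickable URL so the real domain stands out and the soundex-style similarity check just above, here is a small Python script. It is not code from any commenter; the brand list, the choice of plain American Soundex, and the "last two labels" rule for the registrable domain are constructed assumptions (a real mail or SMS client would consult the Public Suffix List instead).

```python
"""Two defensive checks sketched in this thread, as constructed example code:
1. render a URL with its registrable domain highlighted, so the reader sees
   which part of the host actually decides who they are talking to;
2. flag host labels that contain, or Soundex-match, a protected brand name.
Assumptions: no Public Suffix List (the last two labels are treated as the
registrable domain, so multi-label suffixes such as co.uk are mishandled),
and a constructed brand list standing in for what a client would ship.
"""
from urllib.parse import urlsplit

# Constructed list: brand label -> the registrable domain that brand really uses.
PROTECTED = {"google": "google.com", "paypal": "paypal.com", "yourbank": "yourbank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification, see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def highlight(url: str) -> str:
    """Return the URL with the registrable domain wrapped in [[ ]].
    urlsplit().hostname is already lower-cased and excludes userinfo and port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)]        # subdomain labels, if any
    shown = f"{parts.scheme}://{prefix}[[{reg}]]{parts.path}"
    if parts.query:
        shown += "?" + parts.query
    return shown


# American Soundex consonant classes; vowels, h, w and y carry no digit.
_SOUNDEX = {c: d for d, letters in (("1", "bfpv"), ("2", "cgjkqsxz"), ("3", "dt"),
                                    ("4", "l"), ("5", "mn"), ("6", "r")) for c in letters}


def soundex(word: str) -> str:
    """Standard four-character Soundex code; non-letters (digits, hyphens) are ignored."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    code = letters[0].upper()
    last = _SOUNDEX.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "hw":
            continue                  # h/w neither emit a digit nor separate two equal ones
        digit = _SOUNDEX.get(ch, "")
        if digit and digit != last:
            code += digit
        last = digit                  # a vowel resets `last`, so equal digits across it count twice
        if len(code) == 4:
            break
    return (code + "000")[:4]


def lookalike_findings(url: str, protected: dict = PROTECTED) -> list:
    """Return (label, brand, reason) tuples for host labels that resemble a brand.
    A host whose registrable domain is the brand's own domain gets no findings."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in protected.values():
        return []
    findings = []
    for label in host.split("."):
        for brand in protected:
            if brand in label:
                findings.append((label, brand, "contains"))
            elif soundex(label) == soundex(brand):
                findings.append((label, brand, "sounds like"))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs modelled on the shapes discussed in the thread.
    for sample in ("https://google.com.site.info/login",
                   "https://example.randomsite.phishyourbank.com/Jan3",
                   "https://secure.gooogle.com/",
                   "https://accounts.google.com/"):
        print(highlight(sample), lookalike_findings(sample))
```

Note that a legitimate but separate click-tracking domain, like the investments example described elsewhere in this thread, would be flagged by exactly the same rule; that is the ambiguity the thread is complaining about, and a client can only resolve it with an allow-list of domains the brand has declared as its own.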
> Money and technical expertise used to be strong barriers to prevent people from registering scam domains.
Cannot confirm. I registered my .de domain in 2005. That was 15 years ago. It wasn't that difficult, and quite cheap (imho 12€ for a year). So the tech barriers vanished a long time ago.
.info domains can now be bought for around €1. If, like the scammers I mentioned, you're buying one for every day of the year, that's a several thousand Euro difference.
Spammers are in business. When certain costs fall, it makes their enterprise more profitable.
I think the most practical solution here is to train users not to use domain names and de-emphasize them in the UI (and URLs more generally). Which I hate as much as anyone here, but if I'm going to give my parents advice on how not to fall for a scam, telling them "Google the name of the bank [or whatever] and click on that link" seems like the most secure path.
Once security keys become ubiquitous, they should also provide some protection. But right now setting up 2FA for every site they use is impractical.
A lot of replies here are pointing at DNS being not trust-able, but let's back up a bit. This is only a problem because people are still clicking on unsolicited links they get in their E-mail. When you get an unsolicited phone call and the guy on the other end claims to be from your bank, do you give him your personal information and conduct whatever business he wants to conduct? Of course not! So why would you click through some random link you get in E-mail or text, regardless of how official it looks?
Users need to stop clicking on links they get out of the blue over E-mail, and legitimate companies need to stop sending links they expect customers to click, which encourages this risky behavior. Easy to say, but behavior is hard to change.
> Users need to stop clicking on links they get out of the blue over E-mail, and legitimate companies need to stop sending links they expect customers to click
I agree with the first part, but how is the second part supposed to work? We're using links to more easily guide people in the "right" direction (depending on who "you" are, changes what "right" means), what could an alternative be?
So, an X just finished, and the user can now use it. In my notification to the user, how to guide them to that specific X?
Apple could do some basic spam filtering on SMS messages directly on the device (ditto for Google on Android). Querying a domain reputation service will very quickly tell you whether a URL is a risky click.
At a bare minimum, show me a warning when an SMS comes through containing a risky URL. I just don’t see why these giant companies with billions in profit can’t connect the dots here.
Those giant companies already have connected the dots and have super aggressive spam filters for links. It’s a testament to the volume of spam that’s out there that so much still gets through.
SMS has the problem that since you don’t have a spam folder filters have to be lenient because it’s more of a problem when they get a false positive.
This is a situation where EV certificates would be helpful. The cost and the fact that it generates somewhat of a paper trail would discourage scammers from getting them.
Nothing. Smartphones are still very fragile. Eventually, pretty much everyone will crack their screen. Because usually the phone is perfectly usable with cracked glass, and because most smartphone designs are user-hostile, repairing the damage ranges from not economical to not possible in practice - so you see a lot of regular people walking around with cracked phones.
Is there a phenomenon? If anything I feel like about five years ago nearly every phone I saw in the wild had a cracked screen and now it's far fewer, but my sample bias probably also changed with age.
Tell that to any number of people that have fallen for similar (or even more basic) scams. Unfortunately, not everyone is Internet savvy enough to know what's legitimate and what's a scam.
More interesting than these obvious scams are when your phone company sends you legitimate texts that look like scams. I got what I thought was something super scammy from Verizon and did a lot of investigation and eventually found out that it was them.
The TLDR is that apparently they send all their marketing texts from "+90 (007) 000 38 64". You can opt out on their website and now I don't get these anymore. It's nice. But sad that my $120 a month isn't enough money for them, and they have to text me at 3AM to get me to buy a new phone. (And sell my browsing data.)
badrabbit | 6 years ago
Cracked foundations make shaky buildings.
acvny | 6 years ago
joe_the_user | 6 years ago
Which is worse? I couldn't say.
tinus_hn | 6 years ago
thepete2 | 6 years ago
zamadatix | 6 years ago
ljm | 6 years ago
rjsw | 6 years ago
[1] https://en.wikipedia.org/wiki/JANET_NRS
snarf21 | 6 years ago
LyalinDotCom | 6 years ago
I recently got an email from them to check on a transaction that settled, the domain was:
https://click.SOMECOMPANYNAMEHEREinvestments.com/? ...
enonevets | 6 years ago
z3t4 | 6 years ago
multidim | 6 years ago
lonelappde | 6 years ago
Websites don't display clickable URLs, they display clickable links.
Browsers used to show the URL in the status bar, but then started hiding that too.
Anyway, links don't matter much, because if clicking a link is dangerous, your browser is broken. The destination location is what matters.
zamadatix | 6 years ago
yellow_lead | 6 years ago
https://example.randomsite.phishyourbank.com/Jan3
Ragnarork | 6 years ago
thexa4 | 6 years ago
The domain referenced would have been: https://info.billing-update-jan02.uk.co.ee/ vs https://uk.co.ee/billing-update-jan-02
zentiggr | 6 years ago
Sigh.
SmellyGeekBoy | 6 years ago
heipei | 6 years ago
imtringued | 6 years ago
solarkraft | 6 years ago
squarefoot | 6 years ago
layoutIfNeeded | 6 years ago
MrGilbert | 6 years ago
edent | 6 years ago
scarmig | 6 years ago
unexaminedlife | 6 years ago
The system sounds pretty safe to me, even with its warts.
ryandrake | 6 years ago
capableweb | 6 years ago
ttul | 6 years ago
Spivak | 6 years ago
meehow | 6 years ago
RcouF1uZ4gsC | 6 years ago
cpach | 6 years ago
jrockway | 6 years ago
acvny | 6 years ago
TeMPOraL | 6 years ago
paulgb | 6 years ago
hartator | 6 years ago
No, it’s not. billing-jan-2020.info looks suspicious as hell. Recognizing domain names from a URL is very 101 Internet security.
edent | 6 years ago
Here are some examples I've collected of people clicking on links in suspicious texts:
https://twitter.com/edent/status/1193147685370552322
https://twitter.com/edent/status/780317797855395841
msinclair | 6 years ago
jrockway | 6 years ago