The consumer's dependence on a "legit-sounding domain name", a green SSL key, and recognizable corporate logos and website layout as the "proof" of authenticity is passé.
In this era of online ubiquity there should be another layer of opt-in validation, ring of trust, p2p feedback and rating, that can all be plugged into the consumer web experience.
To me it's very simple: nation states should have their own layer that uses the national registry for companies to verify a domain.
When you register a business you also provide your official domains and so the validity of the website is checked against the validity of the business.
In practice consumers just go straight to Amazon because they're afraid of the wider internet and depend on the return policy to save them when they get scammed. Doubt any "opt-in validation, ring of trust, p2p feedback and rating" will change that in the next decade.
Thanks for investigating this and ultimately getting the fraudulent store taken down. I saw the same social media post regarding the fraudulent store and was surprised that a small local store was targeted with this kind of attack. A good mix of small stores and major corporations in the list. I wonder if they target the small stores because SEO is easier?
It's inspiring to see you follow up like this and help out a wonderful mountain shop. A great reminder and inspiration to be more involved in my community.
Ish. But there are two significant flaws for ecommerce:
1. Knowing that the company using the certificate is who they say they are doesn't necessarily mean you can trust them not to be fraudulent traders.
2. Control of the domain names and associated certificates can change hands after the fact, officially through buyouts/merges or via more nefarious means, just like any other certificate.
and of course the other key question to address which is:
3. How do you trust those validating the certificate? The average user is not going to know/care that a rogue CA exists, and it might take some time for their actions to be noticed and for appropriate revocations to happen.
However they were intended to be used, HTTPS and certificates for it are used to protect data in transit and not really for identity assurance.
----
There is also the more cynical view that the main thing EV certs addressed was the desire for CAs to bring in some revenue, especially as standard certs became more and more a commodity item (now effectively free) with low or zero margins.
Off-topic, but something seems dangerously off with urlscan.io (a service I had never heard of before).
If I go to urlscan.io and look at the recently scanned sites (which are live-updated), every now and then I can find links with potentially sensitive information.
I found OneDrive and SharePoint links. I was unable to actually access the documents in them (it asked me to login), but I could see their content (or metadata) with UrlScan's "live screenshot" feature.
At one point, it scanned a "reset password" link with the authentication token in the query string (!). I was able to access that link and I would likely be able to reset the password for that specific user. I won't share the underlying website so others don't go ahead looking for it, but it was for a non-US government service.
The impression I have is that some email provider (or perhaps some antivirus software?) is automatically scanning user emails and the links are being shared publicly, alongside a "live screenshot".
Makes me question if URL-as-all-factors is a secure way to authenticate someone/thing. Even with SSL encrypting the path, there is the risk of someone sharing that URL, since sharing links is a familiar thing to do.
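The failure mode described above (a single-use reset link with its token in the query string ending up in a public scanner's feed) is easy to catch on the submitting side. The following is an added example, not code from urlscan.io or from anyone in this thread: it flags URLs that carry credentials or token-like values, redacts them for pasting, and picks a non-public visibility for a scanner that offers public/unlisted/private submissions. The parameter and path names it checks are assumed conventions, not an exhaustive list, and the sample URLs are constructed.

```python
"""Pre-submission check for URLs about to be shared with a public scanner,
logged, or pasted into a ticket. Added example (not urlscan.io's code); the
parameter and path names below are assumed conventions, and the sample URLs
are constructed."""
import re
from typing import List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry secrets (assumed, not exhaustive).
SENSITIVE_PARAMS = {
    "token", "access_token", "id_token", "auth", "apikey", "api_key", "key",
    "sig", "signature", "code", "otp", "password", "pwd", "reset_token",
    "session", "sid",
}
# Path segments typical of single-use links (assumed).
SINGLE_USE_PATH = re.compile(r"/(reset|recover|verify|confirm|invite|magic)[-_/]", re.I)
# A long opaque value looks like a token regardless of its parameter name.
OPAQUE = re.compile(r"^[A-Za-z0-9_\-.=%]{24,}$")


def find_sensitive(url: str) -> List[str]:
    """Return the reasons this URL should be treated as a secret (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("credentials in authority")
    if SINGLE_USE_PATH.search(parts.path + "/"):
        reasons.append("single-use path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            reasons.append(f"sensitive parameter {name!r}")
        elif OPAQUE.match(value):
            reasons.append(f"opaque value in {name!r}")
    if OPAQUE.match(parts.fragment):
        reasons.append("opaque fragment")
    return reasons


def redact(url: str) -> str:
    """Return a copy that is safe to paste: secrets replaced, credentials dropped."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.username or parts.password:
        netloc = parts.hostname or ""
        if parts.port:
            netloc += f":{parts.port}"
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or OPAQUE.match(value):
            value = "REDACTED"
        query.append((name, value))
    fragment = "REDACTED" if OPAQUE.match(parts.fragment) else parts.fragment
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), fragment))


def scanner_visibility(url: str) -> str:
    """Visibility to request from a scanner offering public/unlisted/private
    submissions: anything that carries a secret must not go public."""
    return "private" if find_sensitive(url) else "public"


if __name__ == "__main__":
    # Constructed samples: a reset link with a token, and a harmless product page.
    for sample in ("https://example.gov.test/reset-password?user=42&token=abcd",
                   "https://shop.example.test/product?id=7"):
        print(scanner_visibility(sample), redact(sample), find_sensitive(sample))
```

The opaque-value rule matters more than the name list: a mail gateway forwarding links to a scanner never sees the application's parameter naming, so anything long and random in a query string or fragment is treated as a secret by default.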
If homophones are the pattern to follow, then (since a large collection of legitimate stores can be thought of as a "mall") perhaps the new word should be "a maul" or "a mawl" (suggestive of being something that swallows your money, and doesn't give you anything of value in return).
mamborambo|3 years ago
jesterson|3 years ago
If we have a centralised "licensing" solution, it is abused by large capital to wash off smaller ones - there are plenty of examples.
If we have a decentralised solution (which is basically what reviews are) - it is immediately abused by "marketers".
There is no simple and easy solution to the problem.
FortiDude|3 years ago
NavinF|3 years ago
unknown|3 years ago
[deleted]
Krisjohn|3 years ago
lovingCranberry|3 years ago
These sites are literally made to steal my grandma's money when she's buying presents for Christmas and what not.
mfonda|3 years ago
aww_dang|3 years ago
steve_taylor|3 years ago
sofixa|3 years ago
dspillett|3 years ago
asdadsdad|3 years ago
langsoul-com|3 years ago
Fairly sure you could do an HTML search with Google; 7 stores having extremely similar HTML and images seems rather unlikely.
Effectively, it's VirusTotal but for copycat sites.
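One way to put the "extremely similar HTML" idea into practice, as an added example that is not part of this thread or of any tool it mentions: compare the tag-and-class skeleton of pages rather than their text, so a clone that only swaps the store name, prices and image files still scores as a near-duplicate. The three pages below are constructed samples; the shingle size and 0.8 threshold are assumed defaults.

```python
"""Copycat storefront detection by structural similarity of HTML.
Added example (not the thread's or any vendor's code); the sample pages
are constructed and the threshold is an assumed default."""
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple


class _SkeletonParser(HTMLParser):
    """Collect start tags with their layout attributes (class, id) only;
    visible text, hrefs and image paths are deliberately ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.tokens: List[str] = []

    def handle_starttag(self, tag, attrs):
        layout = sorted(f"{k}={v}" for k, v in attrs if k in ("class", "id") and v)
        self.tokens.append(tag + (f"[{' '.join(layout)}]" if layout else ""))


def skeleton(html: str) -> List[str]:
    """Sequence of structural tokens for one page."""
    parser = _SkeletonParser()
    parser.feed(html)
    parser.close()
    return parser.tokens


def shingles(tokens: List[str], k: int = 3) -> Set[Tuple[str, ...]]:
    """k-grams over the token sequence; order-sensitive, text-insensitive."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a: str, b: str, k: int = 3) -> float:
    """Jaccard similarity of the two pages' structural shingles (0..1)."""
    sa, sb = shingles(skeleton(a), k), shingles(skeleton(b), k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def find_clones(pages: Dict[str, str], threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """All page pairs whose structure matches at or above the threshold."""
    names = sorted(pages)
    hits = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            score = similarity(pages[x], pages[y])
            if score >= threshold:
                hits.append((x, y, round(score, 2)))
    return hits


# Constructed samples: a legitimate shop, a clone that changed only the
# words and images, and an unrelated site.
ORIGINAL = """<html><head><title>Summit Mountain Shop</title></head>
<body><div class="header"><img class="logo" src="/logo.png"><nav><a href="/">Home</a><a href="/sale">Sale</a></nav></div>
<main><div class="grid">
<div class="product"><img src="/a.jpg"><h3>Ice Axe</h3><span class="price">$149</span></div>
<div class="product"><img src="/b.jpg"><h3>Crampons</h3><span class="price">$189</span></div>
</div></main><footer><p>Summit Mountain Shop, Main St.</p></footer></body></html>"""

CLONE = """<html><head><title>Peak Gear Outlet</title></head>
<body><div class="header"><img class="logo" src="/cdn/brand.png"><nav><a href="/">Start</a><a href="/deals">Deals</a></nav></div>
<main><div class="grid">
<div class="product"><img src="/p/1.jpg"><h3>Ice Axe</h3><span class="price">$39</span></div>
<div class="product"><img src="/p/2.jpg"><h3>Crampons</h3><span class="price">$45</span></div>
</div></main><footer><p>Peak Gear Outlet</p></footer></body></html>"""

UNRELATED = """<html><head><title>Town Library</title></head><body><h1>Town Library</h1>
<ul><li>Hours</li><li>Events</li></ul><table><tr><td>Mon</td><td>9-5</td></tr></table></body></html>"""

if __name__ == "__main__":
    print(find_clones({"original": ORIGINAL, "clone": CLONE, "library": UNRELATED}))
```

Because text is discarded, the comparison survives the edits a copycat actually makes (name, prices, image paths), while a page built from the same commerce template by a different shop will still differ in class names and section order and score well below the threshold.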
justusthane|3 years ago
bashcoder|3 years ago
10g1k|3 years ago
napsterbr|3 years ago
I might be missing something, but this is weird.
chair6|3 years ago
freitasm|3 years ago
quickthrower2|3 years ago
ccbccccbbcccbb|3 years ago
[deleted]
zinckiwi|3 years ago
BLKNSLVR|3 years ago
quickthrower2|3 years ago
dane-pgp|3 years ago
unknown|3 years ago
[deleted]
GauntletWizard|3 years ago