top | item 42013645

(no title)

Before clicking the link or seeing the domain, I was expecting either a rehashed (or if I was optimistic: a novel) argument for why what LE does isn’t actually validating domains. Philosophically or technically. For example: they don’t validate you’re going to the domain you intend on visiting. And 500 words on why that makes them useless. (I don’t agree, but that’s what I was expecting)

discuss

bikingbismuth|1 year ago

I worked for a brand that was heavily impacted by phishing sites that used LE certs. It was annoying, but honestly I wasn’t sure what LE couple do about it. If you deny creating a cert with Gmail in the domain, people will just use something like gmall instead.

strogonoff|1 year ago

Many fishing attacks could be thwarted if there was a more manual process for certificate issuance, CAs were obligated to KYC and verify/monitor applicants stringently and lost their license for malpractice, etc. Web would be a safer place, but the cost is higher barriers for entry, and attackers would just focus on stealing the actual certs.

Some would say being able to communicate privately/securely is irrelevant to whether you should trust whoever you’re communicating with, but then someone could argue that in practice the two get conflated all the time and the aura of the channel colours the counterparty.

I notice that there are two most common categories of non-techie users: those for whom being able to visit a website without loud warnings is enough to auto-trust it, and those who by default distrust anything that has to do with anything on the Web (and the latter are unfortunately correct). You can’t expect people to perform sophisticated threat detection at all times and feel good about their life at the same time.

system33-|1 year ago

Exactly. “Unsolvable” is a strong word, but … how wrong is it? Shrug.

nixosbestos|1 year ago

Passkeys. The answer is passkeys.