Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
It's Time to Improve Website Identity Indicators, Not Remove Them
Oldest First  |  Newest First  |  Threaded View
dwrightetc
50%
50%
dwrightetc,
User Rank: Apprentice
10/24/2019 | 5:44:59 PM
Not of Concern
I have to aree with Google and Mozilla on this one. While EV SSL do a more through checking on the purchaser during inital setup they do little to increase user privacy or confidence in a website.  There is no encryption difference between EV and DV certs. An evildoer could just as easilyy purchase an EV cert with false information if they own the domain they are phishing from (which in most cases they do with similarish names) it just takes a few days vs. a few minutes to obtain the certificate.  If we want to really provide users with better privacy a focus would be placed on securing domains with DNSSEC and making it easier for users to utilize protocols like DNSCrypt/DoH/DoT and providing more secure no log DNS servers.  Use of those tools will almost completely eliminate phishing all together as the problem with DNS is that it is unencrypted and unvalidated by default which allows for the malicious redirects in the first place.  In my opinion, the reluctancy to implement these technologies revolves around the fact that ISP's, governments, fill in the blank, all make huge amounts of money data mining our DNS requests as well as using them to track everything regular users do on the internet, they are also used to implement content filtering and access restrictions many places, if privacy is really implemented billions of dollars could be lost.  Mozilla took a lot of heat for being one of the early adopters of DoH/DoT which their browser now supports however, this was/is the right move to increase privacy and security of end users across the board.
timcallan
50%
50%
timcallan,
User Rank: Author
10/25/2019 | 8:18:08 PM
Re: Not of Concern
It's inaccurate to say, "An evildoer could just as easilyy purchase an EV cert with false information if they own the domain they are phishing from..." In fact, that is not the case. EV requires the use of highly effective authentication methods that have remained undefeated in more than ten years of widescale, global production on the most valuable and lucrative online targets. While spoofing a domain name is as easy as coming up with a credible string that is available for registration, the information presented in an EV certificate is highly reliable.

EV certs are here today, they work, and they have an impeccable track record. Let's continue to benefit from them. Let's build on that, not tear it down.


Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I've never actually seen the corporate ladder before.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.