#ediw

Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@odr_k4tana" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>odr_k4tana</span></a></span> : it does not scale to let every person on earth determine the identity of some other entity without something comparable to a passport.</p><p>Yes, sometimes criminals possess falsified passports. It is the least bad method we have.</p><p>We need reliable third parties to issue certificates. They must be repeatedly audited by governments AND by consumer organizations.</p><p>Not by some CA/B forum where all members are commercial stakeholders, and not *only* by governments who may abuse certs for spying (Germans have abused DV-certs to MitM: <a href="https://notes.valdikss.org.ru/jabber.ru-mitm/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">notes.valdikss.org.ru/jabber.r</span><span class="invisible">u-mitm/</span></a>).</p><p>The latest known of both:</p><p>1. the reliability of the identity verification process of the entity responsible for the website</p><p>2. the trustworthiness of the CA and CSPs, as determined by the independent auditors I mentioned above</p><p>must be included in each certificate and must be shown to the user.</p><p>The user is to see relevant info when they visit a website for the first time, or when anything relevant changes. They can then determine how much they trust the website, based on the fact that they know who to sue if they get defrauded, and what their chances are in such a case. In addition, they *may* use such information to determine the *reputation* of the responsible entity.</p><p>A lot more info can be shown, such as warnings for IDNs or scam domain names such as</p><p> www-example·com<br> m-santander·de<br> whatverer.bank.com-secure.my·id</p><p>W.r.t. passkeys: not only is implementing them server-side a PITA. Apple and Google passkeys are unreliable (I'll look up links if you're interested).</p><p>But passkeys do not protect you on sites that you do not (yet) have an account on, and they are not phishing-proof if a cert is erroneously issued to a criminal (<a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>). </p><p>And passkeys do not protect if the phishing site claims that your passkey has been corrupted and you now have to log on in an alternative way (such as using your rescue code).</p><p>See also <a href="https://infosec.exchange/@ErikvanStraten/114061799937444243" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114061799937444243</span></a>.</p><p>It is INSANE to introduce <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> / <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> without the person knowing the authenticity of the verifier. It will lead to lots of phishing (AitM) and identity fraud.</p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.nl/@rooskatoen" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rooskatoen</span></a></span> : probably news like this is considered "too complicated" for "ordinary people".</p><p>Or the journalists themselves do not understand it, and fear making errors. Indeed, when they *do* occasionally report on such topics, often their stories are incomplete, sensational and/or plain wrong.</p><p>ICT is treated like "rocket science"; only nerds can understand it.</p><p>IMO this is very wrong. Way too few people are interested in ICT fundamentals, and why things are the way they are. All of us depend on it more every day. This makes us unnecessarily vulnerable.</p><p>While you don't have to know where the pistons are located in your car's combustion engine, you *do* need to learn to drive a car and know *all* of the traffic rules that apply.</p><p>Similarly, most people don't have to be able to write computer programs or implement websites, but their basic knowledge of ICT is insufficient. Computer and software manufacturers have done their extreme best to make everything *look* simple. It's a trick, if not a trap.</p><p>Too few people are aware that soon we'll be confronted with EHDS (European Health Data Space) and will be seduced into using EDIW/EUDIW (European Digital Identity Wallet). They will only tell you about the advantages, and most people will buy that. Like they did when internet banking was introduced.</p><p>Like ChatControl (and a couple of years ago, Covid apps), such technologies will severely impact our lives. They were pushed by lobbyists (paid by <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> with endless money) to noob politicians. No fundamental democratic discussion, considering all advantages AND disadvantages, takes place.</p><p>B.T.W. such news *is* covered, but on "nerd" sites only, like <a href="https://security.nl" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl</span><span class="invisible"></span></a> and <a href="https://tweakers.net" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tweakers.net</span><span class="invisible"></span></a>.</p><p>Unfortunately, for unseasoned readers, on those sites it is hard to distinguish between noise and news that really matters.</p><p>On Mastodon, following the right people may help you to gain insight.</p><p><span class="h-card" translate="no"><a href="https://indieweb.social/@jbz" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>jbz</span></a></span> </p><p><a href="https://infosec.exchange/tags/EHDS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EHDS</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ChatControl</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a></p>
Erik van Straten<p>"The world is under siege. This is not news. State-sponsored cybercriminals and a growing army of newbies using powerful tools from the dark web are exploiting every weak link in our cybersecurity chains, which is first and foremost our users."</p><p>So says John Gunn in <a href="https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-yet-to-come/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/mfa-failures-the-worst-is-yet-to-come/</span></a>.</p><p>John Gunn is right. The internet is far too insecure, and nobody does anything about it.</p><p>While websites become ever more anonymous, *YOU* have to authenticate ever more reliably (<a href="https://www.security.nl/posting/872694/VK+verplicht+vanaf+juli+%27robuuste%27+online+leeftijdsverificatie+voor+pornosites" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/872694/VK+</span><span class="invisible">verplicht+vanaf+juli+%27robuuste%27+online+leeftijdsverificatie+voor+pornosites</span></a>). Initially using brainless techniques, such as sending in a scan of your passport. As if whoever gets hold of such a copy (legally or illegally) cannot *ALSO* prove that she or he is you. </p><p>However:</p><p>SOON SUCH A SCAN WILL NO LONGER BE NEEDED!</p><p>Because then "everyone" will, "entirely voluntarily", get an electronic passport on her or his phone. What could possibly go wrong with *THAT*?</p><p>I have been warning for a very long time that the internet is becoming far too insecure. But that falls on deaf ears, or such an article is simply censored away. Even when you substantiate such an article with verifiable facts, by means of links to pages on VirusTotal (a subsidiary of Google).</p><p>(Incidentally, my article can still be read here, for as long as that lasts (Big Tech tolerates no criticism): <a href="https://archive.is/3UwWn" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">archive.is/3UwWn</span><span class="invisible"></span></a>; see also <a href="https://infosec.exchange/@ErikvanStraten/113837934294209517" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113837934294209517</span></a>). </p><p>John Gunn continues with:</p><p>"Multi-Factor Authentication (MFA), once celebrated as an unbreakable defense, is crumbling under the weight of its outdated technology. Phishing attacks, ransomware, and sophisticated exploits are bypassing legacy MFA with astonishing ease."</p><p>I have been warning about that for years as well.</p><p>Fix: <a href="https://www.security.nl/posting/840236/Veilig+inloggen" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/840236/Vei</span><span class="invisible">lig+inloggen</span></a> (actually I'm crazy to still refer to that site, to which I have been contributing for many years, for nothing; ingratitude is all I get in return).</p><p>It also contains "pictures" showing why 2FA/MFA via SMS or an "Authenticator" app does not help one bit against AitM (Attacker in the Middle, or MitM: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Man-in-t</span><span class="invisible">he-middle_attack</span></a>) attacks; you don't stand a chance if you enter all information on a fake website.</p><p>You will soon run the same risk with your EDIW. Wishing you a safe day.</p><p><a href="https://infosec.exchange/tags/Calimero" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Calimero</span></a> <a href="https://infosec.exchange/tags/Censuur" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Censuur</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/UBentHetProduct" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UBentHetProduct</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/AuthenticatorApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AuthenticatorApp</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/LeeftijdsVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LeeftijdsVerificatie</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentiteitsFraude</span></a></p>
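The post above argues that SMS or "Authenticator" app codes do not help against an AitM proxy, because a code typed on a fake site is just forwarded to the real one, whereas a credential bound to the origin the browser is actually on would fail that relay. The Python below is an added illustration, not code from the post or from the linked article: a minimal RFC 6238 TOTP (checked against the RFC's own test vector), a model of the relay the post describes, and a deliberately simplified origin-bound assertion in which an HMAC over challenge and origin stands in for the asymmetric WebAuthn signature. The site names, the challenge and the keys are constructed.

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238 on top of RFC 4226 HOTP); SHA-1 as in the RFC test vectors ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a counter: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP value: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


# --- Model of the relay the post describes: the code is forwarded unchanged ---

def totp_relayed_through_proxy(secret: bytes, now: int) -> bool:
    """The user reads the code from their authenticator app and types it into a fake
    site; the AitM proxy forwards it to the real site, whose check passes, because a
    TOTP code carries no information about *where* it was typed."""
    typed_on_fake_site = totp(secret, now)
    forwarded_by_proxy = typed_on_fake_site           # nothing to change, nothing to break
    return hmac.compare_digest(forwarded_by_proxy, totp(secret, now))  # the real site's check


# --- Origin-bound assertion (WebAuthn/passkey style, simplified) ---
# Assumption of this example: an HMAC with a per-site key stands in for the asymmetric
# signature a real authenticator makes over authenticatorData and the hash of
# clientDataJSON, which carries the origin the browser is actually on.

def authenticator_assert(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The browser, not the web page, supplies browser_origin to the authenticator."""
    return hmac.new(key, challenge + b"|" + browser_origin.encode(), hashlib.sha256).digest()


def relying_party_verify(key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The real site accepts only an assertion made for its own origin and its own challenge."""
    return hmac.compare_digest(assertion, authenticator_assert(key, challenge, expected_origin))


def origin_bound_relayed_through_proxy(key: bytes, real_origin: str, fake_origin: str) -> bool:
    """Same relay as above, but the assertion is bound to the origin the browser is on."""
    challenge = b"constructed-challenge-from-real-site"  # issued by the real site, forwarded by the proxy
    assertion = authenticator_assert(key, challenge, fake_origin)  # the user is on the fake site
    return relying_party_verify(key, challenge, real_origin, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (constructed, not a real credential)
    key = b"constructed-per-site-passkey"
    print("TOTP relayed, accepted by real site:        ", totp_relayed_through_proxy(secret, 1_700_000_000))
    print("origin-bound relayed, accepted by real site:",
          origin_bound_relayed_through_proxy(key, "https://bank.example", "https://bank-login.example"))
```

The origin check is the whole difference: the relayed TOTP is accepted, the relayed origin-bound assertion is not. What this model does not cover is the fallback the earlier post mentions, a fake site telling the user their passkey is "corrupted" and asking for a rescue code; that path is again a code the user types, and it relays just like the TOTP.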
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>patrickcmiller</span></a></span> : and the digital passport (or other government-provided eID) will wreak havoc - because fake (AitM) websites will steal the identity of many unsuspecting people.</p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a></p>
Erik Jonker<p>The EU Digital Identity Wallet is a great way to make us less dependent on big tech platforms, protect our privacy and share data in a sensible and secure way. Of course there are hurdles and risks. But I prefer a democratically controlled solution over one from Apple and Google where we have no influence on privacy, protection, ethics etc.<br><a href="https://youtu.be/smiM0GFRu_w?si=bj-rzcOkDrxDOSrv" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">youtu.be/smiM0GFRu_w?si=bj-rzc</span><span class="invisible">OkDrxDOSrv</span></a><br><a href="https://mastodon.social/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://mastodon.social/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EU</span></a> <a href="https://mastodon.social/tags/DigitalIdentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DigitalIdentity</span></a> <a href="https://mastodon.social/tags/Wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wallet</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.nl/@yivi_privacybydesign" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>yivi_privacybydesign</span></a></span> : reliable online age verification does not exist.</p><p>I recently repeated why online age verification is unreliable and undesirable in <a href="https://www.security.nl/posting/861643/NSC+en+CU+komen+met+motie+voor+%27privacyvriendelijke+leeftijdsverificatie%27#posting861777" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/861643/NSC</span><span class="invisible">+en+CU+komen+met+motie+voor+%27privacyvriendelijke+leeftijdsverificatie%27#posting861777</span></a>.</p><p>Not with Yivi either, because *not you* but *the verifier* determines which data it wants from you. You have two choices: provide what is asked for, or give up.</p><p>The picture below is the current state of a poll on security.nl.</p><p><a href="https://infosec.exchange/tags/OnlineLeeftijdsVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineLeeftijdsVerificatie</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/Yivi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yivi</span></a> <a href="https://infosec.exchange/tags/Irma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Irma</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Privacy</span></a> <a href="https://infosec.exchange/tags/PrivacyVriendelijk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyVriendelijk</span></a> <a href="https://infosec.exchange/tags/NepNietVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepNietVanEchtKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/EchtNietVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EchtNietVanNepKunnenOnderscheiden</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://chaos.social/@necrosis" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>necrosis</span></a></span> : has Nancy already received the list of all European citizen identification numbers?</p><p>That would be a data leak...</p><p><a href="https://infosec.exchange/tags/VerzeiheDuitseSpelFouten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VerzeiheDuitseSpelFouten</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/NichtNurVideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NichtNurVideoIdent</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a></p>
Erik van Straten<p>I do not know exactly how the police hack (Politiehack) took place.</p><p>What I do know is that many "experts" bury their heads in the sand or even declare me crazy when I write that:</p><p>1) The setup is such that people on the internet cannot tell fake from real (<a href="https://security.nl/posting/859906/Speculatie_over_Politie-hack" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.nl/posting/859906/Spe</span><span class="invisible">culatie_over_Politie-hack</span></a>), and that something *urgently* needs to be done about it;</p><p>2) They recommend using weak MFA (<a href="https://security.nl/posting/859561/MFA-2FA_is_als_peniciline" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.nl/posting/859561/MFA</span><span class="invisible">-2FA_is_als_peniciline</span></a>) instead of a password manager that checks domain names;</p><p>3) There are *even* some among them who claim that we could safely use EDIW on *this* internet (a reaction to a post by Ivo Jansch, one of the architects of EDIW: <a href="https://tweakers.net/nieuws/204138/#r_18249704" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">tweakers.net/nieuws/204138/#r_</span><span class="invisible">18249704</span></a>). Admittedly with the remark that alternatives must continue to exist (which by now no longer exist for communication with the government or with your bank either).</p><p>See also <a href="https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/827137/Kop</span><span class="invisible">ie-ID-Kap-Ermee#posting833162</span></a>, at the top of that page, and <a href="https://www.security.nl/posting/833217/Internet-toenemende_impersonatie" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/833217/Int</span><span class="invisible">ernet-toenemende_impersonatie</span></a>.</p><p><a href="https://infosec.exchange/tags/Politiehack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Politiehack</span></a> <a href="https://infosec.exchange/tags/Politie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Politie</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/ZwakkeMFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZwakkeMFA</span></a> <a href="https://infosec.exchange/tags/Zwakke2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Zwakke2FA</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/Certificaten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificaten</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/LetsAuthenticateTheWebsiteFirst" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsAuthenticateTheWebsiteFirst</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EvilProxy</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhaaS</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Evilginx2</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/EC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EC</span></a> <a href="https://infosec.exchange/tags/KopieID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KopieID</span></a> <a href="https://infosec.exchange/tags/KopietjePaspoort" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KopietjePaspoort</span></a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VideoIdent</span></a> </p><p>(Source of the picture below: <a href="https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">maxvandaag.nl/sessies/themas/m</span><span class="invisible">edia-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/</span></a>)</p>
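Two posts in this thread rest on the same mechanism: the scam domain names listed earlier (www-example·com, m-santander·de, whatverer.bank.com-secure.my·id, plus IDNs) and, in point 2 just above, the "password manager that checks domain names". The Python below is an added example, not code from any post or from any browser or password manager: it reduces a hostname to its registrable domain using a constructed mini suffix list (a real tool would load the Public Suffix List), flags the three lookalike patterns from the examples plus IDN labels, and shows the autofill rule a domain-checking password manager applies. The brand list, suffix list and hostnames are constructed; the middle dot the posts use to keep scam names unclickable is mapped back to a real dot.

```python
# Constructed stand-in for the Public Suffix List (publicsuffix.org); load the real list in practice.
PUBLIC_SUFFIXES = {"com", "de", "nl", "id", "my.id", "co.uk"}


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot, and map the middle dot (U+00B7) used in the
    thread to keep scam names unclickable back to a real '.'."""
    return host.strip().rstrip(".").replace("\u00b7", ".").lower()


def to_ascii(host: str):
    """Unicode labels become punycode (xn--) via Python's built-in IDNA codec; None if invalid."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def registrable_domain(host: str) -> str:
    """Registrable domain = public suffix plus one more label (longest suffix match wins)."""
    labels = host.split(".")
    for n in (2, 1):  # try the two-label suffix ('my.id') before the one-label suffix ('id')
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host  # unknown suffix: be conservative and treat the whole name as registrable


def lookalike_warnings(raw_host: str, brands) -> list:
    """Warnings a browser or wallet could show before the user decides to trust a site."""
    host = normalize(raw_host)
    ascii_host = to_ascii(host)
    if ascii_host is None:
        return ["invalid hostname"]
    warnings = []
    if ascii_host != host:  # the displayed name is not what the network sees
        warnings.append(f"IDN: {host!r} is really {ascii_host!r}")
    reg = registrable_domain(ascii_host)
    reg_label = reg.split(".")[0]
    sub_part = ascii_host[: len(ascii_host) - len(reg)].rstrip(".") if ascii_host != reg else ""
    sub_labels = sub_part.split(".") if sub_part else []
    for brand in brands:
        b = brand.lower()
        if reg_label == b:
            continue  # the brand owns this registrable domain; nothing to flag
        if b in reg_label:  # www-example.com, m-santander.de
            warnings.append(f"registrable label {reg_label!r} embeds {b!r} but is not {b!r}")
        if any(b in lbl for lbl in sub_labels):  # whatverer.bank.com-secure.my.id
            warnings.append(f"{b!r} appears only as a subdomain; the registrable domain is {reg!r}")
    return warnings


def password_manager_may_autofill(saved_for_host: str, current_host: str) -> bool:
    """A domain-checking password manager fills a credential only when the registrable
    domain of the current page equals the one the credential was saved for."""
    saved = to_ascii(normalize(saved_for_host))
    current = to_ascii(normalize(current_host))
    if saved is None or current is None:
        return False
    return registrable_domain(saved) == registrable_domain(current)


if __name__ == "__main__":
    brands = ["example", "santander", "bank"]  # constructed brand list
    for h in ["www.example.com", "www-example\u00b7com", "m-santander\u00b7de",
              "whatverer.bank.com-secure.my\u00b7id", "ex\u0430mple.com"]:  # last one has a Cyrillic 'а'
        print(h, "->", lookalike_warnings(h, brands) or "no warnings")
    print(password_manager_may_autofill("login.santander.de", "www.santander.de"))  # True
    print(password_manager_may_autofill("login.santander.de", "m-santander.de"))    # False
```

The autofill rule is what makes the password manager the stronger control here: it decides on the registrable domain, never on what the page looks like, so on m-santander.de it simply has nothing to fill. The warnings function is string matching against a brand list, which is why real implementations pair it with the Public Suffix List and a browser's IDN display policy rather than a hand-written set.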
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@tasket" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>tasket</span></a></span> : thank you for a friendlier response.</p><p>Unfortunately letting organizations know that they should do a better job is pointless (I tried - a lot).</p><p>And educating people, in an attempt to let everyone become a digital forensic expert (<span class="h-card" translate="no"><a href="https://framapiaf.org/@pmevzek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>pmevzek</span></a></span> : who knows what a CNAME is and uses 'dig' all the time), is going to fail as well.</p><p>Phishing is a gigantic and increasing problem - leading to enormous financial losses by organizations and individuals. It enables cybercriminals to penetrate networks of organizations and their cloud accounts. It is followed up by more BEC-based phishing, the exfiltration of confidential data, encryption of files, databases and backups, and the demand for ransoms. Since some will pay anyway it has become a booming business. Big tech and domain name parking guys make big bucks.</p><p>In Europe soon we'll have EDIW (aka EUDIW, European Digital Identity Wallet) where one creates a digital copy of their passport on their smartphone - making "strong" online authentication of citizens possible.</p><p>To order booze online or visit a porn site people will have to prove they're old enough (which will not work because it's easy to evade).</p><p>However, such authentication is going to be a lot weaker than predicted. Worse, it will fail miserably because citizens will be phished into authenticating on *fake* websites. Those websites will act as AitMs (Attacker in the Middle) to *authentic* websites, posing as the citizen.</p><p>Authentication mandates a trustworthy verifier. The first step to find out whether a verifier is trustworthy is to know *who exactly* they are. A domain name simply does not suffice.</p><p>It is insane to demand from people that they use increasingly stronger authentication, while the reliability of the authentication of verifiers decreases every day.</p><p>P.S. I was writing a much longer toot with additional examples, but pressed a wrong button or so and lost the text. I'll reproduce the examples if you'd like me to.</p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" 
rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/OnlineAuthenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthenticatie</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://retro.pizza/@textualdeviance" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>textualdeviance</span></a></span> wrote, among other things:</p><p>« Sudden revolutions come with obscenely high body counts of innocent civilians. »</p><p>That is not necessarily true, in for example the following cases:</p><p>🔸 <a href="https://en.wikipedia.org/wiki/Velvet_Revolution" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Velvet_R</span><span class="invisible">evolution</span></a></p><p>🔸 A revolution that STOPS killing must take place <a href="https://infosec.exchange/tags/NOW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NOW</span></a>. The annihilation of Palestinians is simply unacceptable, in particular because western countries condone, support or even encourage it. At some point the governments of the USA, NL and others must stop following orders from their Zionist sponsors, in order to not make them EVEN MORE complicit in genocide.</p><p>🔸 Personally I'm "fighting" for a safer internet; fixing tech does not have to involve bloodshed at all (although big tech and leeches like <a href="https://safer.io/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">safer.io/</span><span class="invisible"></span></a> will lose income). 
Such as:</p><p>• By insisting on a system where internet users can distinguish between fake and authentic websites (see <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a>);</p><p>• By providing strong arguments why "Chatcontrol" (governments scanning every smartphone looking for Child Sexual Abuse Material - and what not) will not protect a single child - on the contrary (<a href="https://infosec.exchange/@ErikvanStraten/113075518670257012" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113075518670257012</span></a>; chatcontrol is *not* just a privacy risk);</p><p>• By warning about passkeys (<a href="https://infosec.exchange/@ErikvanStraten/113058944497262936" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113058944497262936</span></a>) and suggesting better alternatives;</p><p>• By warning about risks such as unlocking the screen of an iPhone/iPad with a PIN (<a href="https://infosec.exchange/@ErikvanStraten/113053761440539290" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113053761440539290</span></a>);</p><p>• By warning about security measures that are easily bypassed, such as 2FA/MFA (using SMS, voice, or TOTP "Authenticator" apps, including Microsoft's using "number matching");</p><p>• Et cetera.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@0xabad1dea" class="u-url 
mention" rel="nofollow noopener noreferrer" target="_blank">@<span>0xabad1dea</span></a></span> </p><p><a href="https://infosec.exchange/tags/AIPAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AIPAC</span></a> <a href="https://infosec.exchange/tags/CIDI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CIDI</span></a> <a href="https://infosec.exchange/tags/Gaza" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gaza</span></a> <a href="https://infosec.exchange/tags/Westbank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Westbank</span></a> <a href="https://infosec.exchange/tags/EthnicCleansing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EthnicCleansing</span></a> <a href="https://infosec.exchange/tags/Genocide" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Genocide</span></a> <a href="https://infosec.exchange/tags/Palestinians" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Palestinians</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fake</span></a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Real</span></a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentic</span></a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Impostors</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberCrime</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ChatControl</span></a> <a href="https://infosec.exchange/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSS</span></a> <a href="https://infosec.exchange/tags/CSAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSAM</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NumberMatching</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhaaS</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Evilginx2</span></a> <a 
href="https://infosec.exchange/tags/HSTS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HSTS</span></a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpvshttps</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passcode</span></a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPhone</span></a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPad</span></a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPadOS</span></a></p>
Erik van Straten<p>🟡 INTRODUCTION/BACKGROUND<br>It has become *way too easy* and cheap to anonymously (or lying about one's identity) register a domain name, hire or hack a server and obtain a valid DV (Domain Validated) server certificate.</p><p>Furthermore, possibly *stimulated* by the fact that most servers now use DV-certificates, (web) browsers have made it increasingly hard for internet users to view certificate details, without providing any alternatives for those users to distinguish between misleading fake and real (authentic) servers.</p><p>A steadily increasing number of internet servers is now *anonymous* (it has been *deliberately* made impossible to reliably find out who is responsible), which has led, and still leads, to huge numbers of unnecessary victims of phishing.</p><p>This causes enormous financial losses to individuals, companies, governmental and healthcare organizations - while most of that money flows into the pockets of criminals who often operate from regimes that are our enemies, thereby, indirectly or directly, enriching those regimes (the rest of the stolen money flows into the pockets of hosting-, cloud- and CDN providers, as well as DNS registrars and domain name parking services).</p><p>Note: a server certificate never directly warrants reliability of the owner of a domain name. However, in order to distinguish between fake and real servers or websites, it is essential that users know who is *responsible* and in which country they are established or live. 
Eventually, if necessary, to be able to sue them.</p><p>🟡 From <a href="https://www.theregister.com/2024/09/03/white_house_bgp_security/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2024/09/03/whi</span><span class="invisible">te_house_bgp_security/</span></a>:<br>«<br>White House thinks it's time to fix the insecure glue of the internet: Yup, BGP<br>3 Sep 2024, 22:34 UTC - Thomas Claburn<br>[...]<br>"As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report (<a href="https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">whitehouse.gov/wp-content/uplo</span><span class="invisible">ads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf</span></a>) [PDF] says. 
"Concerns about fundamental vulnerabilities have been expressed for more than 25 years."<br>»</p><p>🟡 IMO, to not *first* fix WebPKI is plain *stupid* because:</p><p>➡️ If the *combination* of:<br>🔸 A *decent* WebPKI {1}, *and*<br>🔸 Improved browsers {2}, *and*<br>🔸 User education {3},<br>*enables* internet users to reliably distinguish between fake and real (authentic) servers, then the necessity for RPKI decreases enormously {4};</p><p>➡️ Apart from the fact that RPKI is fully hidden from internet users (they know *neither* whether it's used for their current IP connections, *nor*, if that happens to be the case, how reliably the authentication of the parties involved took place), RPKI does *not* solve a much bigger problem: DNS hijacks.</p><p>➡️ A decent WebPKI effectively mitigates the following vulnerabilities (in the order of most to least occurring):<br>🔸 People not knowing who is responsible for a given (often misleading) domain name;<br>🔸 DNS hijacks/attacks;<br>🔸 BGP hijacks;<br>🔸 AitMs {5} "near" the real server who unrightfully obtain DV-certificates.</p><p>🟡 {1} WHAT IS A DECENT WEBPKI<br>A *decent* WebPKI means that:</p><p>1️⃣ We must get rid of the current (effectively Google-owned) CA/B forum, simply because server certificates exist primarily in the interest of *internet users* (not even represented in the CA/B forum) instead of its current members: *commercial* cloud providers, browser makers, CAs (Certificate Authorities) and/or CSPs (Certificate Service Providers).</p><p>2️⃣ The world needs a new, independent organization that supervises requirements for certificates, CAs and CSPs, as well as all requirements for (web) browsers related to certificates. For easy referencing I'll call it the WPKIF (Web Public Key Infrastructure Forum) in this toot. It is essential that internet users are strongly represented in the WPKIF. 
The WPKIF must be repeatedly audited by independent auditors (based on clear predefined requirements and/or controls).</p><p>3️⃣ Each *critical* server {6} *must* use a server certificate that, more or less reliably, uniquely defines the person, people or organization responsible for the server(s) (and content, security etc.) referenced by the server's domain name(s) included in the certificate.</p><p>4️⃣ The layout of server certificates needs an update to better serve internet users. Most of those users are *not* interested in technical details such as long serial numbers or hexadecimal public key values (such data must remain accessible for experienced users). So some sort of split between technical and *human readable* (not "CN=") information must be made.</p><p>5️⃣ Each server certificate must also contain a standardized indicator that reveals the *minimum* reliability of the authentication of the person, people or organization responsible for all domain names, and all servers referenced by all domain names, included in the certificate. In short: how certain is it that the owner of a website is who they claim to be.</p><p>6️⃣ Each server certificate must also contain a reference to a WPKIF website with a standardized indicator that reveals the *reliability* of the least reliable link in the chain starting at the applicable CA and ending with the CSP (including both ends plus intermediate certificates and their owners). In short: how reliable is the information in the certificate, as determined by the WPKIF.</p><p>7️⃣ The WPKIF must immediately and objectively take action against any CA, intermediate or CSP that violates the rules and requirements as defined by the WPKIF, for example by decreasing their reliability rating, up to cancelling their right to issue certificates.</p><p>🟡 {2} Web browsers (and perhaps other clients) must make it a lot easier for users to determine who is responsible for a server or website. 
IMO, at the very least when an internet user visits a website with a specific domain name *for the first time* (using that browser), *OR* when the server sends a new certificate, the browser should first show full details of the owner of the domain name *before* fetching any content - and let the user decide whether they want to continue and open the website. (Note: I've not given enough thought to how to handle third-party websites - where CSS, JavaScript, images and/or analytics stuff is downloaded from).</p><p>🟡 {3} Internet users need to be educated about the importance of knowing who owns a domain name (and thus server and/or website). Browsers must play a role by offering tutorials. Current "awareness trainings" are simply insufficient (as notably Google found out, see <a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.googleblog.com/2024/0</span><span class="invisible">5/on-fire-drills-and-phishing-tests.html</span></a> - more info, in Dutch: <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113045136092456532</span></a>).</p><p>🟡 {4} RPKI vs WebPKI<br>Increasingly, cybercriminals succeed in hijacking cryptocurrency websites, and they may do so by hijacking BGP and subsequently acquiring a DV certificate for their fake server (examples can be found here: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>). 
However, BGP hijack attacks are not easy to accomplish and are often detected soon. In particular it will be hard for the attackers to obtain *trustworthy* server certificates. </p><p>🟡 {5} AitM = Attacker in the Middle. A server in a hosting center may be AitM'ed in the same center without touching the actual server itself and without requiring DNS or BGP hijacks (because the AitM and the real server are both connected to an internal network), as for example happened to "jabber.ru" in a German hosting center (see <a href="https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">therecord.media/jabber-ru-alle</span><span class="invisible">ged-government-wiretap-expired-tls-certificate</span></a>, full details in <a href="https://notes.valdikss.org.ru/jabber.ru-mitm/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">notes.valdikss.org.ru/jabber.r</span><span class="invisible">u-mitm/</span></a>).</p><p>🟡 {6} A critical server is one whose *authenticity* and/or *indistinguishability from fake sites* are important up to (through) essential for internet users. I don't care if a home NAS uses a DV-cert, but banks, governments (in particular those that do *not* use a specific domain name ending, such as .gov), insurances, websites showing and/or receiving medical/patient data etc. 
- any server related to PII or that otherwise needs to prove its identity.</p><p>🟡 MORE INFORMATION<br>🔸 Let's Encrypt certificate mis-issuances &amp; OCSP ending: <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a></p><p>🔸 Untrustworthy HSTS and lack of "https only" in many browsers: <a href="https://infosec.exchange/@ErikvanStraten/with_replies" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/with_replies</span></a></p><p>🔸 Why awareness trainings fail (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113045136092456532</span></a></p><p>🔸 Why the physical location of an offline service provider (like a bank office or a town hall) is a hugely underestimated authentication factor (in Dutch): <a href="https://security.nl/posting/855557" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/855557</span><span class="invisible"></span></a></p><p>🔸 Why Google lied when they killed EV certs, and why it's insane to introduce digital identity wallets (eIDs) for strong online authentication of people on the current, highly criminalized, internet, with more anonymous servers every day (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span 
class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113031344934186250</span></a></p><p>🔸 How Google became evil by facilitating cybercrime, renting them hosting services for domain names such as NNoutlook.com, NNNNoutlook.com and ecbeuropa[.]eu, even providing them with server certificates for free: <a href="https://www.virustotal.com/gui/ip-address/35.241.18.84/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">35.241.18.84/relations</span></a></p><p>Internet reliability needs to be restored, and further improved upon, ASAP.</p><p><a href="https://infosec.exchange/tags/RPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RPKI</span></a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PKI</span></a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebPKI</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/BGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BGP</span></a> <a href="https://infosec.exchange/tags/BGPHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BGPHijack</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DNSHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNSHijack</span></a> <a href="https://infosec.exchange/tags/Websites" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Websites</span></a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Real</span></a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fake</span></a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentic</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impostors</span></a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CABForum</span></a> <a href="https://infosec.exchange/tags/Commercialization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Commercialization</span></a> <a href="https://infosec.exchange/tags/Independant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Independant</span></a> <a href="https://infosec.exchange/tags/UserRepresentatives" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UserRepresentatives</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eIDAS</span></a></p>
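The browser behaviour that item {2} of the toot above asks for, as an added illustration (not code from the toot or from any browser): remember per hostname who was responsible for a site, and decide before any content is fetched whether the user must be shown the owner (first visit, owner or validation level changed, certificate no longer covering the name) or only informed of a routine renewal. Certificates are taken in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, names and the `SiteMemory` store are constructed for this example.

```python
"""Added example: a browser-side "who is responsible for this site?" check,
modelled on item {2} of the toot. Certificates are handled in the dict
shape that Python's ssl.SSLSocket.getpeercert() returns; the sample
certificates below are constructed for this example and are not real."""
from dataclasses import dataclass
from typing import Optional


def _name_to_dict(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out.setdefault(key, value)
    return out


def _covers(host, pattern):
    """True when a SAN dNSName entry (possibly a single-label wildcard) matches host."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # "*.bank.example" -> ".bank.example"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else None
    # A wildcard covers exactly one extra label, never the bare domain.
    return prefix is not None and prefix != "" and "." not in prefix


@dataclass(frozen=True)
class Responsible:
    """The human-readable part of a certificate: who, where, how well verified.
    EV cannot be told apart here: getpeercert() exposes no certificatePolicies."""
    validation: str  # "DV" (domain only) or "OV" (organisation in subject)
    organization: Optional[str]
    country: Optional[str]


def describe(cert):
    """Extract the responsible party from a getpeercert()-style dict.
    A subject without organizationName is treated as domain-validated: the
    CA only checked control of the name, not who is behind it."""
    subject = _name_to_dict(cert.get("subject", ()))
    org = subject.get("organizationName")
    return Responsible("OV" if org else "DV", org, subject.get("countryName"))


def cert_id(cert):
    """Identity of one particular certificate: issuer plus serial number."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    return (issuer.get("organizationName"), issuer.get("commonName"), cert.get("serialNumber"))


class SiteMemory:
    """Remembers, per hostname, the certificate and responsible party seen last,
    so the browser can decide whether to interrupt the user *before* fetching."""

    def __init__(self):
        self._seen = {}  # host -> (cert_id, Responsible)

    def check(self, host, cert):
        """Returns (decision, Responsible). decision is one of:
        'first_visit'   never seen this host: show the owner, ask to continue
        'owner_changed' same host, different responsible party or validation level
        'renewed'       same owner, new certificate (a routine renewal)
        'known'         identical certificate as last time
        'name_mismatch' certificate does not even cover this host"""
        who = describe(cert)
        sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        if not any(_covers(host, s) for s in sans):
            return "name_mismatch", who
        cid = cert_id(cert)
        previous = self._seen.get(host)
        self._seen[host] = (cid, who)
        if previous is None:
            return "first_visit", who
        prev_id, prev_who = previous
        if prev_who != who:
            return "owner_changed", who
        if prev_id != cid:
            return "renewed", who
        return "known", who


# Constructed sample certificates in getpeercert() shape (not real certificates).
OV_CERT = {
    "subject": ((("countryName", "NL"),), (("organizationName", "Example Bank N.V."),),
                (("commonName", "bank.example"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example OV CA 1"),)),
    "serialNumber": "01A2B3",
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
OV_CERT_RENEWED = dict(OV_CERT, serialNumber="01A2B4")
DV_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example DV CA 9"),)),
    "serialNumber": "7F00",
    "subjectAltName": (("DNS", "bank.example"),),
}


def demo():
    """Walk one host through the situations the toot wants the browser to surface."""
    memory = SiteMemory()
    return [memory.check("bank.example", OV_CERT)[0],            # first_visit
            memory.check("bank.example", OV_CERT)[0],            # known
            memory.check("bank.example", OV_CERT_RENEWED)[0],    # renewed
            memory.check("bank.example", DV_CERT)[0],            # owner_changed: org gone
            memory.check("login.bank.example", DV_CERT)[0]]      # name_mismatch


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth step is the case the toot is about: the name stays the same while the certificate silently drops from "Example Bank N.V., NL" to an anonymous DV certificate, which is exactly when a user should be asked before any content loads.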
Erik van Straten<p>Staff training to recognise phishing works poorly and sometimes backfires, wrote Matt Linton, Chaos Specialist at Google, last May (<a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.googleblog.com/2024/0</span><span class="invisible">5/on-fire-drills-and-phishing-tests.html</span></a>).</p><p>From his argument I cannot clearly make out "HOW THEN?" - while it is, mind you, Google itself that does NOT want a safer internet (<a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113031344934186250</span></a>).</p><p>🔸My "HOW THEN?" 🔸<br>Among other places, in <a href="https://security.nl/posting/855797" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/855797</span><span class="invisible"></span></a> (with various links to more) I have just written how *I* think it should be done.</p><p>Comments (including well-founded criticism!) 
are, as always, greatly appreciated.</p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybercrime</span></a> <a href="https://infosec.exchange/tags/Internet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Internet</span></a> <a href="https://infosec.exchange/tags/VeiligerInternet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VeiligerInternet</span></a> <a href="https://infosec.exchange/tags/InternetVeiliger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InternetVeiliger</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>NepVanEchtKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EchtVanNepKunnenOnderscheiden</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://social.overheid.nl/@staatssecretarisbzk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>staatssecretarisbzk</span></a></span> :</p><p>Dear Mr Szabó,</p><p>You may be interested to know that the announced European Digital Identity (EDIW/EUDIW) leads to (too?) high risks of identity fraud for ordinary citizens, as well as what the causes of that are.</p><p>I argue this in <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113031344934186250</span></a>.</p><p>Kind regards,<br>Erik van Straten</p><p><a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eIDAS</span></a> <a href="https://infosec.exchange/tags/Identiteitsfraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identiteitsfraude</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" 
rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/EC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EC</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.nl/@ellent" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ellent</span></a></span> : The European digital identity (<a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> aka <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> for European Digital Identity Wallet) is going to be a disaster anyway (I am trying to make this toot understandable for less knowledgeable readers too).</p><p>🔸GROWING PROBLEM: PHISHING<br>Phishing is becoming an ever bigger problem - partly because many e-mail accounts are hacked (known as BEC, Business Email Compromise) and abused for sending fake e-mails (in that case recipients see e-mails that were *actually* sent from an e-mail account they trust).</p><p>Such a phishing mail often contains a lure (for example "apply for a free credit card now and receive 25 Euro credit") or something threatening ("prevent your bank account from being blocked, verify the details we have on record for you").</p><p>Such a mail also contains a link to a fake website that can look exactly like the real one, but with a (more or less) different domain name {1}.</p><p>{1} By domain name I mean the "web address" of the server, such as "bunq.com" or "nos.nl".</p><p>For example (I have inserted an extra dot to prevent accidental opening; these are domain names of real phishing sites that may still be, or be back, live):</p><p>• mijn-bunq-omgeving..com<br>• revolut-mobile..com<br>• identificatie-nl..com<br>• santander-verify-device..com<br>• rabo-bank..com</p><p>🔸AITM<br>Such a website, on which you will probably soon have to prove who *you* are using your EDIW, can then forward *your* data from EDIW to the real website, with the attackers replacing the delivery address you entered (for the credit card) with their own.</p><p>NB: Instead, or in addition, such an AitM (Attacker in the Middle) can install that bank's app on their own phone, link it to the victim's bank account and obtain full access to it (the victim is often subsequently locked out).</p><p>🔸IT TAKES TWO TO TANGO<br>Reliable authentication requires not only that "the customer" (or citizen/patient) cannot easily impersonate someone else, but *also* that the verifier does not want to, and cannot, do so.</p><p>In other words, to prevent fraud being committed with your identity, you must be able to trust the verifying party.</p><p>🔸TRUST STEP 1: WHO IS IT?<br>Both "in real life" and online, trust is not a given and can be betrayed. At a minimum you must know with sufficient certainty *who* the verifying party is, so that you can rely on reputation and on the knowledge that you can take someone who rips you off to court.</p><p>🔸ORIGINAL EC PLAN<br>For the above reason, the plan of the EC (European Commission) was that:</p><p>1) Every website on which you can authenticate with EDIW would have to use a QWAC (<a href="https://en.wikipedia.org/wiki/Qualified_website_authentication_certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Qualifie</span><span class="invisible">d_website_authentication_certificate</span></a>). A QWAC is a digital certificate that states who is responsible for a website, where the identity of the applicant has been carefully established, and</p><p>2) Web browsers (certainly mobile ones) would have to clearly show who is responsible for a website, instead of merely showing a (potentially misleading) domain name in the browser's address bar.</p><p>🔸SO WE ARE NOT GOING TO DO THAT<br>Both requirements were rejected by big tech, reportedly because QWACs would increase the risk of government spying. I do not rule that out 100%, but the real reason big tech does not want QWACs is an entirely different one.</p><p>🔸KILLED EXTENDED VALIDATION<br>Big tech earlier, under a pretext, *deliberately* killed strong website authentication by means of more reliable (Extended Validation) certificates. That was in response to a vulnerability "discovered" by Google researchers that the text:</p><p>&nbsp;&nbsp;&nbsp;&nbsp;"Stripe, Inc. (US)" </p><p>in a browser's address bar did not *uniquely* identify a company in the US (a company with that name already existed in another state). That this is a solvable problem, by establishing a federal chamber of commerce or by adding the state after "US", was something Google did not want to hear (that is still little information anyway; when you visit a website for the first time, browsers should show as much authentic identifying information as possible - before any content is fetched from the site).</p><p>🔸ONE SHADE OF GREY<br>As a result, in your browser you no longer see any difference, in terms of *authenticity*, between your bank's website, a hobby site such as <a href="https://mamablogger.nl" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">mamablogger.nl</span><span class="invisible"></span></a> or one of the fake bank sites I mentioned at the top of this toot.</p><p>🔸PROFIT OPTIMISATION<br>Big tech's goal is that cheaply hosted websites (of which there are unimaginably many) do not look *less* trustworthy than websites of banks, governments and medical care providers (although there are still banks that use EV certificates, you can no longer see any trace of that in most mobile browsers).</p><p>🔸SYSTEM FACILITATES CYBERCRIME<br>The sheer mass of cheap websites earns big tech buckets of money - at the price of cybercriminals profiting from this en masse (there is no longer any authentication whatsoever of those responsible). See e.g. <a href="https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/security/2024/</span><span class="invisible">07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/</span></a>; nobody feels responsible for that, after all they are all "transporters" of information.</p><p>🔸USERS DON'T SEE THE DIFFERENCE ANYWAY<br>And because even genuine websites {2} no longer make an effort (not even after large-scale attacks on customers) to distinguish themselves from impersonators, the customer is left holding the bag.</p><p>{2} See e.g. <a href="https://security.nl/posting/768888" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/768888</span><span class="invisible"></span></a> for the 2022 phishing attack on *customers of* circleci.com, a website used by software developers. Attacked again this year, as I describe in <a href="https://security.nl/posting/854997" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/854997</span><span class="invisible"></span></a> (and mention in <a href="https://security.nl/posting/855095" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/855095</span><span class="invisible"></span></a>).</p><p>🔸CLIENTS YES, SERVERS NO?<br>With EDIW, citizens, customers and patients will soon have to prove with a high degree of certainty that they are who they claim to be - but that is nonsensical if "the other side", i.e. the verifying party, is potentially untrustworthy. The current web is simply far too insecure to demand that users *do* authenticate strongly, because that "proof" is then much weaker than suggested.</p><p>🔸RISKS AND SAFETY NETS<br>All the risks here are borne by "the customer". Just try proving that it was not you (but an identity fraudster) who took out that loan. Identity fraud made possible by big tech, which does not want you to be able to tell fake from real.</p><p>Meanwhile, Kifid and other judges increasingly rule that the customer has been "grossly negligent" "in the legal sense" (huh?). The few safety nets that existed are being cut to pieces.</p><p>🔸PRIVACY RISKS<br>What EDIW will do is cause *more reliable* personal data to fall into the wrong hands, be leaked and/or traded more often; after all, "the customer" can no longer deliberately enter incorrect data. And as long as there is no strict enforcement, it is an illusion to think that websites will require (over-ask for) *less* personal data than is currently the case.</p><p>🔸PHISHING: LEAST BAD APPROACH<br>If "EDIW users" do not at least know with reasonable certainty *who* the verifier is, helped by a trustworthy third party (the certificate issuer), they can easily be deceived by fake verifiers who (as AitM) subsequently pose as "the customer". So we need safer browsers (that differentiate and show more metadata) and decent certificates - or we should not want EDIW.</p><p><a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eIDAS</span></a> <a href="https://infosec.exchange/tags/Internet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Internet</span></a> <a href="https://infosec.exchange/tags/Authenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticiteit</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Oplichting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Oplichting</span></a></p>
Erik van Straten<p>From <a href="https://www.vrt.be/vrtnws/nl/2024/08/26/aalter-digitale-klkuis-succes-vlaanderen-uitrol/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">vrt.be/vrtnws/nl/2024/08/26/aa</span><span class="invisible">lter-digitale-klkuis-succes-vlaanderen-uitrol/</span></a> (source = {1}):</p><p>«Flanders rolls out digital vault that delivers driving licences and passports day and night: "Pilot project in Aalter was a success" »</p><p>In my opinion terrifying. How do you know for sure that it is the *rightful* owner who collects it?</p><p>During pilots the chance of attacks is small, for several reasons:</p><p>• Not all (cyber) criminals know about it yet;</p><p>• Too small-scale (low chance of profit) to justify the investments (research, setting up bullet-proof infrastructure);</p><p>• Patience, by all means let the pilot succeed; this will yield much more profit later.</p><p>(Although there can always be some quick operators among them).</p><p>RISKS<br>An overlay touchscreen, and ItsMe becomes ItsNotJustMe or ItsNotMeAnymore.</p><p>Or you get a knife to your throat or a gun to your head the moment you "pull such an ID out of the wall".</p><p>APPLYING STILL AT THE COUNTER?<br>And by the way, can you already apply for such an ID via VideoIdent? (oh dear: AI, AitM and coercion outside the town hall).</p><p>REMOTE IDENTITY PROOFING<br>In their (English-language) report on "Remote Identity Proofing" (which describes the risks of VideoIdent), these "experts" failed (why?) to mention AitM (Attacker in the Middle) attacks: <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/SharedDocs/Downloa</span><span class="invisible">ds/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html</span></a> - a technique that is gaining popularity among online bank robbers.</p><p>VIDEOIDENT: BUNQ / ICSCARDS STYLE<br>They send a message stating that the legislator requires the bank to have customers authenticate again - via VideoIdent. They ask the prospective victim to "VideoIdent" on a fake site that acts as a "proxy" for the real site. This enables the attackers to link the victim's bank account to *their* device, and subsequently lock out the real owner.</p><p>APPLYING FOR ID ONLINE<br>Exactly the same will happen as soon as you can apply for an identity document or driving licence online.</p><p>SORRY<br>Although there are always quacks who claim otherwise, some things simply *cannot* be reliably digitised and/or handled remotely, such as voting and applying for/collecting identity documents.</p><p>RISKS AND SAFETY NETS<br>If you push it through anyway, who then bears the risks? Which safety nets (other than psychological "victim support") are being set up at the same time?</p><p>SAVINGS - FOR WHOM<br>Oh wait, it is an *austerity measure* that is supposed to save the government money (and on which suppliers of, among other things, false promises earn handsomely - paid from taxes contributed by you and by me).</p><p>MORE INFO<br>• <a href="https://www.security.nl/posting/827137/Kopie-ID%3A+kap+ermee%21" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/827137/Kop</span><span class="invisible">ie-ID%3A+kap+ermee%21</span></a></p><p>• <a href="https://www.security.nl/posting/847095/Digitale+gezichtsopname+moet+papieren+pasfoto+voor+paspoort+vervangen#posting847218" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/847095/Dig</span><span class="invisible">itale+gezichtsopname+moet+papieren+pasfoto+voor+paspoort+vervangen#posting847218</span></a></p><p>• Discussion with "denan", involved in Yivi (formerly IRMA): <a href="https://tweakers.net/nieuws/216792/eu-wijst-drie-pornowebsites-aan-als-zeer-grote-onlineplatforms-onder-dsa.html?showReaction=19454716#r_19454716" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">tweakers.net/nieuws/216792/eu-</span><span class="invisible">wijst-drie-pornowebsites-aan-als-zeer-grote-onlineplatforms-onder-dsa.html?showReaction=19454716#r_19454716</span></a></p><p>• Discussion with Ivo Jansch, architect of <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> aka <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a>: <a href="https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html?showReaction=18249704#r_18249704" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">tweakers.net/nieuws/204138/ned</span><span class="invisible">erland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html?showReaction=18249704#r_18249704</span></a></p><p>("Anoniem: 1576590": ItWASMe).</p><p>{1} Source: a boost by Frank Heijkamp (<span class="h-card" translate="no"><a href="https://mastodontech.de/@alterelefant" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>alterelefant</span></a></span> ) of <a href="https://bots.defencegeeks.net/@vrtnws/113028170598740687" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bots.defencegeeks.net/@vrtnws/</span><span class="invisible">113028170598740687</span></a></p><p><a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/InLevendenLijve" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InLevendenLijve</span></a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentiteitsFraude</span></a> <a href="https://infosec.exchange/tags/AuthenticiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AuthenticiteitsFraude</span></a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VideoIdent</span></a> <a href="https://infosec.exchange/tags/Online" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Online</span></a> <a href="https://infosec.exchange/tags/OpAfstand" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpAfstand</span></a> <a href="https://infosec.exchange/tags/RIDP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RIDP</span></a> <a href="https://infosec.exchange/tags/RemoteIdentityProofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RemoteIdentityProofing</span></a> <a href="https://infosec.exchange/tags/KatOpHetSpekBinden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KatOpHetSpekBinden</span></a> <a href="https://infosec.exchange/tags/Geld" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Geld</span></a> <a href="https://infosec.exchange/tags/Bezuinigingen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bezuinigingen</span></a> <a href="https://infosec.exchange/tags/Kortzichtigheid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kortzichtigheid</span></a> <a href="https://infosec.exchange/tags/Devaluatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Devaluatie</span></a> <a href="https://infosec.exchange/tags/DevaluatieVanAuthenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DevaluatieVanAuthenticiteit</span></a> <a href="https://infosec.exchange/tags/AfwaarderingVanAuthenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AfwaarderingVanAuthenticiteit</span></a> <a href="https://infosec.exchange/tags/ItsMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsMe</span></a> <a href="https://infosec.exchange/tags/ItsNotMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsNotMe</span></a> <a href="https://infosec.exchange/tags/ItsNotJustMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsNotJustMe</span></a> <a href="https://infosec.exchange/tags/ItWasMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItWasMe</span></a> <a href="https://infosec.exchange/tags/ItsNotMeAnymore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItsNotMeAnymore</span></a> <a href="https://infosec.exchange/tags/ItWasNtMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ItWasNtMe</span></a> <a href="https://infosec.exchange/tags/Risk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risk</span></a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risks</span></a> <a href="https://infosec.exchange/tags/Risicos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risicos</span></a> <a href="https://infosec.exchange/tags/Vangnetten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vangnetten</span></a> <a href="https://infosec.exchange/tags/Burgers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Burgers</span></a> <a href="https://infosec.exchange/tags/Slachtoffers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Slachtoffers</span></a></p>
Erik van Straten<p>On the absence of reliable website authentication that is usable by _HUMANS_, from <a href="https://security.nl/posting/855024" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/855024</span><span class="invisible"></span></a>:</p><p>By Anoniem: {<br>That is not how IT works in companies anymore, these days.<br>}<br>That is all fine by me. Provided that companies and governments stop demanding that citizens/customers/patients *do* authenticate, for "economic reasons" increasingly restricted to online only, with ever-increasing reliability requirements (2FA/MFA, passkeys, passport scan, VideoIdent, eIDAS, EDIW). And in doing so have to share ever more unforgeable privacy-sensitive data with poorly secured servers managed by unscreened temp workers.</p><p>This while requirements for reliable and meaningful authentication on the server side have been abolished, ever more operational (business) risks are being shifted onto customers/citizens/patients personally, evil proxies run rampant and ever more certificates are being wrongly issued (which was once a mortal sin in the days of DigiNotar). On top of which the few existing safety nets are being cut to pieces by Kifid and judges.</p><p>And people who fall for phishing are considered stupid by anonymous fools - while commercial parties, who churn out websites that have all the hallmarks of (pension) phishing, are defended tooth and nail by those same (? I cannot tell them apart) anonymous fools.</p><p><a href="https://infosec.exchange/tags/Risk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risk</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/Certificaten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificaten</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/Kapitalisme" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kapitalisme</span></a> <a href="https://infosec.exchange/tags/Vermorzelen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vermorzelen</span></a> <a href="https://infosec.exchange/tags/Online" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Online</span></a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybercrime</span></a> <a href="https://infosec.exchange/tags/Cybercriminaliteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybercriminaliteit</span></a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepVanEchtKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EchtVanNepKunnenOnderscheiden</span></a> <br><a href="https://infosec.exchange/tags/NepVersusEcht" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepVersusEcht</span></a> <a href="https://infosec.exchange/tags/EchtVersusNep" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EchtVersusNep</span></a> <br><a href="https://infosec.exchange/tags/Domeinnamen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Domeinnamen</span></a> <a href="https://infosec.exchange/tags/Domeinnaam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Domeinnaam</span></a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VideoIdent</span></a> <a href="https://infosec.exchange/tags/KopietjePaspoort" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KopietjePaspoort</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eIDAS</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/Kifid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kifid</span></a> <a href="https://infosec.exchange/tags/Rechters" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Rechters</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://noc.social/@hlindqvist" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>hlindqvist</span></a></span> : the most important problem by far is that browser users do not know who is responsible for a website with a given domain name. This enormously exacerbates the phishing problem.</p><p>The main reason why I mention the mis-issued certs is that Google et al. kept complaining about mis-issued OV and EV certs, and insisted that QWACs would be mis-issued to governments for spying purposes; DV-certs would be safe.</p><p>Google is now even destroying Entrust because of mis-issuance (<a href="https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.googleblog.com/2024/0</span><span class="invisible">6/sustaining-digital-certificate-security.html</span></a> - not that I have any opinion about Entrust, but GTS = Google "Trust" Services issues certs to cybercriminals all the time).</p><p>Apparently there are no penalties for mis-issuing DV certs, or issuing them to cybercriminals - in particular when they use domain names clearly intended for phishing purposes. That *could* be a legitimate choice, but then users should be made aware what type of cert a website uses, in order to have necessarily trustworthy websites return to using more trustworthy certificates.</p><p>We are being lied to that DV-certs are fine. They are not. 
Not only because the domain owner is anonymous and users see no difference between websites with DV vs more usable certs, but now there's plenty of proof that DV certs get mis-issued as well.</p><p>A DV cert may be fine for your home NAS, but as long as people cannot distinguish between websites with untrustworthy versus more trustworthy certs, cybercrime will continue to flourish - and probably become an even bigger problem.</p><p>On this insanely insecure internet, the EU wants their citizens to start using EDIWs (European Digital Identity Wallet).</p><p>It's primarily in your own interest if websites that demand that you authenticate using EDIW *are* trustworthy. If you have no way to know, they may AitM you to authenticate *them* as *you* on some other website. They'll be able to get credit cards registered in *your* name (highly trustworthy because of EDIW), but THEY will be draining that credit card. Good luck with proving "it wasn't me".</p><p>Three important facts that are often overlooked:</p><p>1) The easier impersonation is, the less reliable authentication is.</p><p>2) Authentication mandates that BOTH parties are reliable.</p><p>3) It is extremely hard, if not impossible, to overestimate the risks of AitM attacks.</p><p><a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/Entrust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Entrust</span></a> <a 
href="https://infosec.exchange/tags/certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>certificates</span></a> <a href="https://infosec.exchange/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> <a href="https://infosec.exchange/tags/GTS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GTS</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a></p>
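<p>The post above argues that the information browsers no longer show (whether a CA verified only domain control, or also the organisation behind the site) is present in the certificate itself. As an added example, not the author's code, the Go program below builds constructed self-signed test certificates and classifies each as DV, OV or EV from the CA/Browser Forum policy OIDs together with the Subject fields the Baseline Requirements mandate; the names "Example Bank N.V.", "bank.example" and "rabo-bank.example" are invented, and the functions <code>Classify</code> and <code>SelfSigned</code> are this example's own.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificate policy OIDs. Every publicly trusted
// TLS certificate must assert one of them, so they are the most reliable
// machine-readable statement of what the CA actually validated.
var (
	oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // domain control only
	oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // organisation validated
	oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // extended validation
)

// Classification is what a browser could show next to the padlock: how the
// subject was validated and which organisation, if any, the CA vouched for.
// For a DV certificate both name fields stay empty: the "anonymous domain
// owner" the post describes.
type Classification struct {
	Level        string // "EV", "OV" or "DV"
	Organization string
	Country      string
}

func hasPolicy(c *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, p := range c.PolicyIdentifiers { // populated by ParseCertificate
		if p.Equal(want) {
			return true
		}
	}
	return false
}

// Classify derives the validation level from the policies and the Subject.
// The policy OID alone is not trusted: an OV/EV claim must be backed by the
// Subject fields the Baseline Requirements mandate (O and C, plus the
// registration number in serialNumber for EV). A certificate that names no
// organisation is reported as DV whatever policy it asserts.
func Classify(c *x509.Certificate) Classification {
	out := Classification{Level: "DV"}
	if len(c.Subject.Organization) == 0 || len(c.Subject.Country) == 0 {
		return out
	}
	out.Organization = c.Subject.Organization[0]
	out.Country = c.Subject.Country[0]
	switch {
	case hasPolicy(c, oidEV) && c.Subject.SerialNumber != "":
		out.Level = "EV"
	case hasPolicy(c, oidEV) || hasPolicy(c, oidOV):
		// EV policy without the mandatory registration number is credited
		// only with what was demonstrably verified: the organisation.
		out.Level = "OV"
	default:
		// Organisation present but no OV/EV policy: nothing says the CA
		// verified it, so show no more than DV.
		out.Organization, out.Country = "", ""
	}
	return out
}

// certificatePolicies (id-ce 32) is SEQUENCE OF PolicyInformation. It is
// encoded by hand so the test certificates carry the OIDs regardless of
// which x509 policy field the installed Go version marshals.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

func policiesExtension(oids ...asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, len(oids))
	for i, o := range oids {
		infos[i].Policy = o
	}
	der, err := asn1.Marshal(infos)
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}, err
}

// SelfSigned builds a constructed self-signed test certificate. A real check
// would take the leaf from tls.ConnectionState.PeerCertificates instead.
func SelfSigned(subject pkix.Name, dns string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ext, err := policiesExtension(policies...)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{dns},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{ext},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed certificates for the kinds of site the post contrasts.
	bank := pkix.Name{CommonName: "bank.example", Organization: []string{"Example Bank N.V."}, Country: []string{"NL"}}
	bankEV := bank
	bankEV.SerialNumber = "12345678" // registration number required for EV
	for _, tc := range []struct {
		subject pkix.Name
		dns     string
		policy  asn1.ObjectIdentifier
	}{
		{pkix.Name{CommonName: "rabo-bank.example"}, "rabo-bank.example", oidDV},
		{bank, "bank.example", oidOV},
		{bankEV, "bank.example", oidEV},
	} {
		c, err := SelfSigned(tc.subject, tc.dns, tc.policy)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s -> %+v\n", tc.dns, Classify(c))
	}
}
```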
Erik van Straten<p><span class="h-card" translate="no"><a href="https://westergaard.social/users/kasperd" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>kasperd</span></a></span> : using Windows for sensitive tasks poses *way* more security risks than doing that on smartphones.</p><p>Side note: I've been trying to secure Windows desktops and servers for more than 25 years, and I can tell you this: YOU CAN'T. It's a huge legacy mess exposing an enormous attack surface. Properly fixing things would break too much. No way that throwing ISO 27k* at it will help - those are not even different worlds, but rather distant solar systems.</p><p>For most people, even using a Linux distro for critical tasks means taking more security risks than if they'd use a smartphone to do that.</p><p>On smartphones, users can still do stupid things, but -because of app separation- it is usually not the OS that introduces most security risks. Those risks are concentrated around installing apps with too many privileges (aka permissions) "to break the basic rules", such as required by RATs (Remote Access Tools) like TeamViewer and AnyDesk.</p><p>Even knowing that there will always be risks that we're not (yet) aware of: in particular for ordinary users, Android and iOS significantly reduce risks compared to "desktop" operating systems.</p><p>Having said all that, IMO the risk of letting a smartphone represent our full identity is insane (such as when using eID/EDIW/EUDIW). It is not primarily smartphones that are to blame for that, but the internet.</p><p>Authenticating mandates fully trusting the party that verifies and confirms your identity (*). The first step for trust is exactly knowing *which party* is verifying your identity. 
On the current internet, for most users it is impossible to distinguish between fake and authentic parties.</p><p>(*) For three reasons:<br>1) They won't let anyone in who claims to be you;<br>2) They won't, as an AitM, abuse your identity and verification data to authenticate as you elsewhere;<br>3) They *really* protect, and remove ASAP, all verification data immediately after the verification took place (<a href="https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">404media.co/id-verification-se</span><span class="invisible">rvice-for-tiktok-uber-x-exposed-driver-licenses-au10tix/</span></a>).</p><p><a href="https://infosec.exchange/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://infosec.exchange/tags/Smartphones" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Smartphones</span></a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risks</span></a> <a href="https://infosec.exchange/tags/SecurityRisks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityRisks</span></a> <a href="https://infosec.exchange/tags/CyberSecurityRisks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurityRisks</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Android</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/Wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wallet</span></a> <a href="https://infosec.exchange/tags/UsabilitySecurityBalance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UsabilitySecurityBalance</span></a> <a href="https://infosec.exchange/tags/SecurityUsabilityBalance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityUsabilityBalance</span></a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener 
noreferrer" target="_blank">#<span>Fake</span></a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentic</span></a> <a href="https://infosec.exchange/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentityVerification</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://westergaard.social/users/kasperd" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>kasperd</span></a></span> wrote:</p><p>&lt;&lt;&lt; The CA system is and always has been flawed. &gt;&gt;&gt;</p><p>So are passports, but I know of nothing better.</p><p>One of the major problems with CAs is that it is not CONSUMERS (or consumer organizations) who demand reliability of certificates, but increasingly commercial organizations that are "taking care of this on our behalf".</p><p>&lt;&lt;&lt; What kind of certificate a site uses has little impact on security when the users most likely to be targeted don't even know how to view the certificate. &gt;&gt;&gt;</p><p>That is exactly why I also demand that the UI changes, and that irrelevant details (such as serial numbers, public keys etc.) are not shown on the end user interface (a "Details" button is desirable for experts).</p><p>End users only need to know three things:</p><p>1) identifying information, in human readable format (not CN= etc.), of the person or organization responsible for a website;</p><p>2) The reliability of the identification process leading to the information in 1;</p><p>3) The reputation of the responsible entity (in offline life this is also something people have to figure out for themselves, so we're more used to that than figuring out, given a domain name, who the owner is).</p><p>&lt;&lt;&lt; Here is an example of one very sensitive site which uses a Let's Encrypt certificate: <a href="https://www.mitid.dk/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">mitid.dk/</span><span class="invisible"></span></a> &gt;&gt;&gt;</p><p>More oops: <a href="https://internet.nl/site/mitid.dk/2866949/#control-panel-10" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">internet.nl/site/mitid.dk/2866</span><span class="invisible">949/#control-panel-10</span></a></p><p>I know of an increasing number of health and other critical websites using DV certs. Why? Cheap, auto-update, and browsers (deliberately) hide any differences with more useful certificates. So why bother?</p><p>Such a certificate (together with an associated private key) indeed reasonably makes sure that, if you tap any link and end up with "<a href="https://www.mitid.dk/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">mitid.dk/</span><span class="invisible"></span></a>" in the address bar of your browser (fully visible when tapping it), your browser really has an E2EE connection with a server having the domain name "www.mitid.dk".</p><p>&lt;&lt;&lt; Is it a problem that the site uses a Let's Encrypt certificate and not some other certificate? Maybe it is, but I can assure you that's the least problem. &gt;&gt;&gt;</p><p>Here's my slogan: authentication is always weak if impersonation is easy.</p><p>Most relevant for a visitor is NOT that they're actually visiting some website identified by "www.mitid.dk", but that they're not being fooled by a look-alike website with whatever domain name that they may or may not know by heart.</p><p>If you're walking in the center of a city and see an ATM, then most of us presume that, after we stick our bank card in it and enter the PIN, it will spit out money and return our card; we do not expect it to keep our card, not give us money and have our account drained.</p><p>I.e. if it reads ATM then we're used to the fact that it IS a legitimate ATM.</p><p>If a building reads "Bank XYZ", then in practice it will not be rented by a group of criminals.</p><p>Location-based authentication does NOT apply to the internet. You never know where a server is located, who owns it, who rents it and which people have access to it. 
</p><p>Even if you can look up an IP address, that may belong to a proxy (CDN) server. You have no idea what things look like behind that proxy.</p><p>For example, for their cheap offerings Fastly puts 100 mostly unrelated domain names into a single certificate and reuses key pairs for many certificates for multiple years. This is weak E2PE: (your) End To Proxy Encryption.</p><p>Example: <a href="https://crt.sh/?id=13113973072" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?id=13113973072</span><span class="invisible"></span></a> (see below the Subject Alternative Names). Don't tap "Subject Public Key Info", as the connection will time out while the server tries to find all records of certificates with the same public key.</p><p>It's misplaced trust.</p><p>A mostly criminal internet *might* be okay if we didn't move critical services from offline to online. I predict that EDIW (aka EUDIW) will become a disaster - because authenticating yourself mandates that the entity who authenticates YOU, is trustworthy. 
If you're not even sure who that is, chances are high that it's an AitM who will steal your identity.</p><p><span class="h-card" translate="no"><a href="https://mas.to/@tasket" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>tasket</span></a></span> </p><p><a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/Aliases" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Aliases</span></a> <a href="https://infosec.exchange/tags/CDN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CDN</span></a> <a href="https://infosec.exchange/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloudflare</span></a> <a href="https://infosec.exchange/tags/Fastly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fastly</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention 
hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a></p>
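The impersonation problem discussed in the post above (a look-alike domain, a known brand tucked into a subdomain or a hyphenated label, a homoglyph that renders like the real name) can be checked mechanically once a hostname is normalised the way DNS and the certificate's Subject Alternative Name see it. The following is an added example, not code from this thread or from any project or vendor mentioned in it; the public-suffix subset, the allowlist of known domains, the confusable table, the similarity threshold and the sample hostnames are all constructed assumptions.

```python
"""Assess whether a hostname impersonates a domain the user already trusts.

Added example for this thread, not code from any post in it. It illustrates
that a DV certificate only binds a key to the exact name in the address bar:
the *registrable* domain identifies the site, while the leftmost labels,
hyphenated brand names and homoglyphs are free for an attacker to choose.
"""
import unicodedata
from difflib import SequenceMatcher

# Assumption: a stand-in for the Public Suffix List (publicsuffix.org);
# a real deployment loads the full list.
PUBLIC_SUFFIXES = {"com", "de", "dk", "nl", "org", "co.uk", "my.id"}

# Assumption: registrable domains the user (or their browser) already trusts.
KNOWN_DOMAINS = {"example.com", "santander.de", "mitid.dk"}

# Assumption: a small homoglyph table; Unicode TR39 confusables are far larger.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic small a, displayed like Latin a
    "\u0435": "e",  # Cyrillic small ie, displayed like Latin e
    "\u043e": "o",  # Cyrillic small o, displayed like Latin o
})

SIMILARITY_THRESHOLD = 0.8  # assumption: tuned by hand for the samples below


def normalise(host):
    """Return (unicode_host, ascii_host, is_idn).

    unicode_host is NFKC-folded and lower-cased (what the user sees);
    ascii_host is what goes into DNS and into the certificate's SAN
    (punycode, xn--, for IDN labels).
    """
    unicode_host = unicodedata.normalize("NFKC", host.strip().rstrip(".")).lower()
    ascii_host = unicode_host.encode("idna").decode("ascii")
    return unicode_host, ascii_host, ascii_host != unicode_host


def registrable_domain(host):
    """Return public suffix + 1 label: the part somebody actually registered."""
    labels = host.split(".")
    for n in (2, 1):  # longest matching public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host  # unknown suffix: treat the whole name as registrable


def assess(host):
    """Classify host as 'known', 'suspicious' or 'unknown', with findings."""
    unicode_host, ascii_host, is_idn = normalise(host)
    registrable = registrable_domain(unicode_host)
    result = {"host": ascii_host, "registrable": registrable, "findings": []}
    if registrable in KNOWN_DOMAINS:
        result["verdict"] = "known"
        return result

    findings = result["findings"]
    if is_idn:
        findings.append("IDN: shown as %s but resolves as %s" % (unicode_host, ascii_host))

    # Map look-alike characters to their Latin/ASCII skeleton before comparing.
    skeleton = registrable.translate(CONFUSABLES)
    if skeleton in KNOWN_DOMAINS:
        findings.append("homoglyph of %s" % skeleton)

    owner_label = registrable.split(".")[0]  # e.g. 'www-example' in www-example.com
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Brand name placed in a label the attacker controls (subdomain, hyphen trick).
        if brand in unicode_host and skeleton != known:
            findings.append("contains brand %r but is registered as %s" % (brand, registrable))
        # Typo-squat: the registered label merely resembles the brand.
        ratio = SequenceMatcher(None, owner_label, brand).ratio()
        if ratio >= SIMILARITY_THRESHOLD and skeleton != known:
            findings.append("label %r resembles %r (%.2f)" % (owner_label, brand, ratio))

    result["verdict"] = "suspicious" if findings else "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the thread.
    for sample in ["www.example.com", "www-example.com", "m-santander.de",
                   "login.mitid.dk.secure-verify.my.id", "examp1e.com",
                   "exampel.com", "ex\u0430mple.com", "wikipedia.org"]:
        r = assess(sample)
        print("%-38s %-10s %s" % (sample, r["verdict"], "; ".join(r["findings"])))
```

The verdict is decided on the registrable domain, which is the only name a DV certificate vouches for; everything to the left of it, and every look-alike of it, is the attacker's choice, which is the point the post makes about "www.mitid.dk" versus a look-alike. A real deployment would load the full Public Suffix List and the Unicode confusables data in place of the stand-ins, and an IDN finding should be shown to the user in both its Unicode and its xn-- form.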
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mstdn.social/@iHansz" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>iHansz</span></a></span> : I will certainly vote for what is dear to me!</p><p>Namely my privacy (and not only mine, but also that of vulnerable people who do not yet see the ravine they are being pushed towards).</p><p>By privacy I mean, first and foremost, the concrete risks everyone runs in case confidential data of theirs (or about them) falls into the wrong hands.</p><p>A risk that, unimaginable to those who are not yet victims, is already far too high - and only keeps rising with increasing digitalisation.</p><p><a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ChatControl</span></a> <a href="https://infosec.exchange/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSS</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EHDS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EHDS</span></a></p>