Why? In the m1cros0ft.com example, you just need one domain, and you can send a phishing link out to millions of addresses.
> And unfortunately, a whole generation of computer illiterate users believe that lock means the site is legit.
That's exactly why EV doesn't help, because those users _also_ don't know that the absence of green is supposed to carry semantic meaning. In fact, those users largely don't know or care what a URL is in the first place.
HTTPS everywhere is unequivocally a good thing. I can (and do) personally run websites that have active user accounts precisely because of Let's Encrypt; it would be a terrible idea to train my users that they should type a password into a form that's submitted over HTTP. But I don't have a budget to pay rent-seeking CAs for certificates whose value is based on artificial scarcity.
Phishers weren't using SSL much before HTTPS Everywhere because it didn't matter. Most users (and in particular, unsophisticated users who are more likely to fall for phishing attempts) who type in passwords by hand aren't going to notice the lack of a padlock. We needed HTTPS Everywhere before browsers could meaningfully penalize the HTTP experience; otherwise they'd be penalizing the majority of sites on the internet. And we can't have HTTPS Everywhere unless SSL certificates are easy to obtain.
Which is to say, the fact that phishers can obtain a LE cert today for their phishing site and therefore not have the "Not Secure" indicator is not meaningfully different from the old days where they'd use HTTP and not have the small green padlock that most people don't notice.