zelon88 4 days ago
Not to users. The user who types Wal-Mart into their address bar expects to communicate with Wal-Mart. They aren't going to check if the certificate matches. Only that the icon is green. This is where the disconnect comes in. You and I know that the green icon doesn't prove identity. It proves certificate validity. But that's not what this is "sold as" by the browser or the security community as a whole. I can buy the domain Wаl-Mart right now and put a certificate on it that says Wаl-Mаrt and create the conditions for that little green icon to appear. Notice that I used U+0430 instead of the letter "a" that you're used to. And guess what... The identity would match and pass every single test you throw at it. I would get a little green icon in the browser and my certificate would be good. This attack fools even the brightest security professionals. So you see, identity isn't the value that people expect from a certificate. It's the encryption. Users will allow a fake cert with a green checkmark all day. But a valid certificate with a yellow warning is going to make people stop and think.
chowells 4 days ago
Well, no. That's just not true. I care that when I type walmart.com, I'm actually talking to walmart.com. I don't look at the browser bar or symbols on it. I care what my bookmarks do, what URLs I grab from history do, what my open tabs do, and what happens when I type things in. Preventing local DNS servers from fucking with users is critical, as local DNS is the weakest link in a typical setup. They're often run by parties that must be treated as hostile - basically whenever you're on public wifi. Or hell, when I'm using my own ISP's default configuration. I don't trust Comcast to not MitM my connection, given the opportunity. I trust technical controls to make their desire to do so irrelevant. Without the identity component, any DNS server provided by DHCP could be setting up a MitM attack against absolutely everything. With the identity component, they're restricted to DoS. That's a lot easier to detect, and gets a lot of very loud complaints.
JambalayaJimbo 3 days ago
Right, so misrepresenting your identity with similar-looking URLs is a real problem with PKI. That doesn't change the fact that certificates are ultimately about asserting your identity; it's just a flaw in the system.
aseipp 3 days ago
Web browsers have had defenses against homograph attacks for years now, my man, dating back to 2017. I'm somewhat doubtful you're on top of this subject as much as you seem to be suggesting.