sugarpimpdorsey 4 days ago

> The domain name was `npmjs dot help` which obviously should have caught my eye, and would have if I was a bit more awake.

It's a good thing the WebPKI cartel mostly did away with EV certs... these days any old cert where only the SAN matches the domain and your browser gives a warm fuzzy "you're secure!"

mananaysiempre 4 days ago | parent | next

The browsers mostly did away with EV certs[1], against sustained pushback from CAs, because of research invariably showing that the feeling of security is mostly unfounded. (Both because users are garbage at reading security indicators—and unscrupulous companies are eager to take advantage of that, see Cloudflare’s “security of your connection”—and because the legal-name namespace is much more Byzantine and locale-dependent than any layman can parse[2].)

By contrast, OV certs, which were originally supposed to provide a very similar level of assurance, were done away with by CAs themselves, by cost-optimizing the verification requirements into virtual nonexistence.

That said, it remains a perpetual struggle to get people to understand the difference between being connected to the legitimate operator of satan.example (something an Internet-wide system mostly can guarantee) and it being wise to transact there (something extensive experience shows it can’t and shouldn’t try to). And if you’re a domain owner, your domain is your identity; pick one and stick to it. Stackoverflow.blog is stupid, don’t be like stackoverflow.blog.

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://arstechnica.com/information-technology/2017/12/nope-...

sugarpimpdorsey 4 days ago | parent

> That said, it remains a perpetual struggle to get people to understand the difference between being connected to the legitimate operator of satan.example

That's because the browser implementers gave up on trying to solve the identity problem. It's too difficult, they said; we'd rather push other things.

Google implemented certificate pinning in Chrome for themselves and a few friends, said fuck everyone else, and declared the problem solved. Who cares about everyone else when your own properties are protected and you control the browser?

Meanwhile the average user has no idea what a certificate does, whether it does or doesn't prove identity.

No wonder they removed the lock icon from the browser.

ameliaquining 3 days ago | parent

How would you propose that it should work?

Kwpolska 4 days ago | parent | prev

People never paid attention to the special EV cert markers. And even if they did, what would stop someone from registering a company named "npm, Inc." and buying an EV cert for it? Sure, it’s going to cost some money upfront, but you can make much more by stealing cleptocurrency.