A few years ago, WordFence, a well-regarded WordPress security company, found that SSL certificates were being issued by certificate authorities (CAs) to phishing sites pretending to be other sites. Because the certificates are valid, even though the sites operate under false pretenses, Chrome reports these sites as being secure. True, the data sent along that connection is secure, but safe? I think not!

Of course, CAs shouldn't issue bogus security certificates. A perfect example of "Why we can't have nice things": it's been revealed that Let's Encrypt, the free, open, and automated CA, had been used to create thousands of SSL certificates for phishing sites illegally using "PayPal" as part of their name. Google, Microsoft, and Apple have also had their names taken in vain by phishers.

It's also not just that the CA process can be abused. Paul Walsh, founder and CEO of the zero-trust security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, sees many other problems with our naïve belief that HTTPS alone is enough to secure our internet connections. Walsh tweeted, "When DNS-based security services were first introduced, most of the web wasn't encrypted, and threat actors didn't use trusted domains like Google, Microsoft, GitHub, et al. So they were effective in the past, but less effective today." When the leading free CA, Let's Encrypt, began in 2015, less than a fifth of websites were secured by HTTPS.
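The point above is that a domain-validated certificate proves only control of a hostname, not that the hostname belongs to the brand it names, so a valid certificate for "paypal.com.secure-login.example.net" earns the same padlock as one for "www.paypal.com". The following added example (not code from the article, WordFence, Let's Encrypt or MetaCert) shows the kind of triage a defender can run over certificate subject names, such as those published in Certificate Transparency logs: it looks for brand keywords, undoes common digit-for-letter substitutions, and flags any hit whose registrable domain is not on the brand's allowlist. The brand-to-domain allowlist, the leetspeak table, the short public-suffix list and the sample certificate names are all constructed for the example.

```python
import re

# Assumption for this example: the registrable domains each brand legitimately
# owns. A real deployment would load an allowlist maintained by the brand owner.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}

# Digit/symbol substitutions phishers use to slip a brand past naive substring
# matching (constructed, not exhaustive). Mixed-script homoglyphs such as
# Cyrillic "а" for Latin "a" are out of scope here and need IDN-aware checks.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Two-label public suffixes recognised in this example (assumption; a real
# deployment uses the full Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(labels):
    """Return the registrable domain (eTLD+1) for a list of hostname labels."""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(hostname):
    """Classify one certificate subject name.

    Returns (verdict, brand) where verdict is one of:
      "legitimate" - a known brand keyword appears and the registrable domain
                     is on that brand's allowlist;
      "lookalike"  - a brand keyword appears but the registrable domain is not
                     owned by the brand (the case the article describes);
      "no-brand"   - no monitored brand keyword found.
    A "lookalike" verdict is a triage signal for human review, not proof of
    phishing: unrelated names can contain a brand string by coincidence.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(labels)
    # Undo leetspeak and drop separators so "secure-pay-pa1.com" reads "paypal".
    flat = re.sub(r"[-_.]", "", host.translate(LEET))
    for brand, owned in BRAND_DOMAINS.items():
        if brand in flat:
            return ("legitimate", brand) if reg in owned else ("lookalike", brand)
    return ("no-brand", None)


def suspicious(names):
    """Return the subject names that carry a brand keyword outside the brand's domains."""
    return [n for n in names if classify(n)[0] == "lookalike"]


# Constructed sample of certificate subject names, standing in for a CT log feed.
SAMPLE_CERT_NAMES = [
    "www.paypal.com",
    "paypal.com.secure-login.example.net",
    "www.paypal-secure-verify.com",
    "secure-pay-pa1.com",
    "accounts.g00gle-signin.com",
    "login.microsoft.com",
    "github.com",
]

if __name__ == "__main__":
    for name in SAMPLE_CERT_NAMES:
        verdict, brand = classify(name)
        print(f"{name:40} {verdict:12} {brand or '-'}")
```

Every name in the sample could hold a perfectly valid domain-validated certificate; the check above is what separates "encrypted" from "the site it claims to be", which the padlock alone does not do.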