
The Isoblog. Posts

Let’s Encrypt and Comodo targeted by Phishers for TLS certs

A Netcraft report highlights that both Let’s Encrypt and Comodo have issued certificates for thousands of domains that contain the words “apple”, “paypal” or “ebay” in one form or another, and that virtually all of these domains are being used for phishing or other fraudulent activities.

Netcraft provides a metric called “Deceptive Domain Score”, and uses the opportunity to promote this service of theirs, requesting that certificate authorities implement a similar check.

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as update.wellsfargo.com.casaecologica.cl) demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen casaecologica.cl upon registration).

The two CAs are attractive to phishers because they offer TLS certificates for free and through an API, with a very limited screening process. Both check the domain being certified against the Safe Browsing API, but since a freshly registered phishing domain is usually not flagged there yet at the time the cert is issued, this check is largely pointless. Netcraft would rather have the CAs buy their Deceptive Domain Scoring service instead.


Curlbash, and Desktop Containers

I was having two independent discussions recently, which started with some traditional Unix person condemning installing software via curlbash (“curl https://… | bash”), or even “curl | sudo bash”.

I do not really think this to be much more dangerous than the installation of random rpm or dpkg packages any more. Especially if those packages are unsigned or the signing key gets installed just before the package.

The threat model really became a different one in the last few years, and the security mechanisms have had to change as well. And they have, with UIDs becoming much less important.

Desktop containers and sandboxes have become much more important, and segregation now happens at a much finer granularity (the app level) instead of the user level.


The Illustrated Guide to Kubernetes

»The other day, my daughter sidled into my office, and asked me, “Dearest Father, whose knowledge is incomparable, what is Kubernetes?”

And I responded, “Kubernetes is an open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users’ declared intentions. Using the concepts of “labels” and “pods”, it groups the containers which make up an application into logical units for easy management and discovery.”

And my daughter said to me, “Huh?”

And so I give you…«

Video: https://www.youtube.com/watch?v=4ht22ReBjno

Comic: The Illustrated Guide to Kubernetes


Deutsche Post makes more StreetScooters

Production Street Scooter in Aachen

Deutsche Post tried to purchase a lot of simple and cheap electric vans for the delivery of post and parcels, but could not find a suitable offer. So they teamed up with StreetScooter Aachen, and later purchased the company.

Their vehicles: electric bikes for loads up to 50kg, and the “Work” parcel delivery car. Both have been an unmitigated success, and StreetScooter was swamped with requests from other companies with similar needs.

End result: doubled production capacity (20k per year), a new factory in NRW, Germany, sales of vehicles to third parties due to high demand, and a new scooter, the Work L, with double the load.

The full fleet is expected to cover all urban delivery needs, from e-bikes through e-trikes, to electric vans with 4, 8 and 20 cbm transport capacity. Deutsche Post plans to be completely emissions free in 2050.


One Cookie Popup? We demand Hundreds of them!

You can’t read any website anywhere in Europe without getting a completely useless “We too are using Cookies” overlay. This has been such an unmitigated success that there exists a separate “Kill all Cookie banners” category in every adblocker available.

But this, says the Article 29 group of European Privacy Commissioners, is not nearly annoying enough; we can do worse. Consent cannot be given in general; you need to make it more specific.

That is, they demand hundreds of these overlays on each site (PDF).

Page 17 of that PDF:

The end-user must be able to give separate consent per website or app for tracking for different purposes (such as social media sharing or advertising). […]

For both browsers and data controllers this means it would be invalid if they would only offer an option ‘to accept all cookies’, since this would not enable users to provide the required granular consent.

Right. How is this even practical?
