Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.

Administered by:

Server stats:

3.8K
active users

social.tchncs.de: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#dv

3 posts3 participants0 posts today
Public *
Erik van Straten

Let's Encrypt

In infosec.exchange/@aral@mastodo @aral wants us to pay taxes to keep Let's Encrypt "alive". Here's another reason NOT to do that.

Apparently the *.eu.org domain needed laundrying because it's reputation became too bad. So scammers create zillions of insane domain names and obtain *FREE* (for them) certificates for those sites. Usually such sites are not malicious; they're intended to have virusscanners remove detection, eventually for the sub-TLD ".eu.org".

To see this, you may consider opening
crt.sh?q=eu.org
but that will fail because there are WAY too many results.

To restrict the amount of records, try a subdomain name and further restrict output by deduplicating and restricting to not expired, as follows:

crt.sh/?Identity=madaline.eu.o

The screenshot below gives an idea (they're all Let's Encrypt certs by the way, and I marked one with an insane domain name).

I wrote about this phenomenon before, e.g. in security.nl/posting/781057/Let (at the time I did not understand why yet).

VirusTotal knows of 72.5K direct subdomains of *.eu.org:

"Subdomains (72.5 K)"

(open the RELATIONS tab in virustotal.com/gui/domain/eu.o).

@TheDutchChief @EUCommission @letsencrypt @nlnet

Screenshot of the current top of https://crt.sh/?Identity=madaline.eu.org&exclude=expired&deduplicate=Y Note that colums on the left and the right are not visible in this screenshot. Visible is (I've replaced ".org" by ",org" to prevent accidental opening: Not Before Not After Common Name 2025-03-31 2025-06-29 tpxupgtc.madaline.eu,org 2025-03-31 2025-06-29 preprod.visualize.madaline.eu,org 2025-03-31 2025-06-29 visualize.preview.madaline.eu,org 2025-03-30 2025-06-28 notexistsrandom.madaline.eu,org 2025-03-30 2025-06-28 www.www.rvplpiry.madaline.eu,org 2025-03-29 2025-06-27 mygrqtdf.madaline.eu,org 2025-03-29 2025-06-27 www.elasticsearch.prod.madaline.eu,org 2025-03-29 2025-06-27 ai-integration.madaline.eu,org 2025-03-29 2025-06-27 demo-visualizations.madaline.eu,org 2025-03-29 2025-06-27 www.www.www.www.board.development.madaline.eu,org 2025-03-29 2025-06-27 notexistssuperset-test.madaline.eu,org 2025-03-28 2025-06-26 www.forecast.madaline.eu,org 2025-03-28 2025-06-26 www.www.visualize.preview.madaline.eu,org
#DV#DVcerts#LetsEncrypt
Replied in thread
Public
Erik van Straten

@emu : given a domain name (*) for a website with an APPARENT owner, DV certs do not provide ANY security because users have no reasonable way to determine whether said domain name DOES NOT belong to the apparent owner.

Phishing is wreaking havoc on the internet. There are lots of people like you who DO NOT provide ANY solutions.

(*) In some message (email, SMS, chatapp, DM, ...), found by Googling, out of a QR-code, in a paper letter or on social media.

A DV cert may be fine for your home NAS, but not for your bank. Unfortunately big tech does not want users to see the difference between a fake and a real bank (or any other critical website) in their browsers.

#phishing#DV#Browsers
Replied in thread
Public
Erik van Straten

@jschwart : aan add-ons hebben we niks: die zullen door veel te weinig mensen worden gebruikt waardoor er niets verandert (bovendien bestaat het risico dat mensen nep-add-ons installeren).

Het gaat om een *combinatie* van wijzigingen die de EU zal moeten afdwingen.

Domeinnamen (inclusief het toenemende aantal TLD's) zijn namelijk het *probleem*. Je kunt ze vergelijken met telefoonnummers of woonadressen, potentieel iets- of nietszeggende strings die van een eigenaar *kunnen* zijn (en morgen van een ander). De enige voordelen ervan zijn dat ze uniek zijn en meestal kort.

De meeste internetters begrijpen echter niet hoe je ze moet interpreteren, zoals dat
www-example·com
iets heel anders is dan
www.example·com
(om het nog maar niet te hebben over IDN's zoals in
"https:⧸⧸lîdl·be/login").

Ik zie geen andere oplossing dan voor *mensen* begrijpelijke en traceerbare identificerende informatie opnemen in websitecertificaten, waaronder bijv. (indien beschikbaar) een KvK-nummer (in tegenstelling tot bij 'whois' kun je bij de KvK wel zinvolle identificerende info vinden). Alleen al betrouwbaar weten in welk land de websiteverantwoordelijke gevestigd is, zou al enorm kunnen helpen tegen oplichting.

In infosec.exchange/@ErikvanStrat zie je een screenshot van
https://play.google-ivi·com
waar Google Trust Services "gewoon" een ceetificaat voor uitgeeft (te zien in infosec.exchange/@ErikvanStrat).

Fake website imitating a page in the Google Play Store for a kind of gambling app targeting Indonesian peope. The domain name to be seen in the address bar of the Chrome browser is: play (dot) google-ivi (dot) com (the real name is play.google.com). The Indonesian text visible at the bottom of the screenshot reads: ABOUT THIS GAME Selamat datang di Super5 -Saatnya bermain slot sungguhan dan rasakan keseruannya! Kami akan memberikan Anda pengalaman yang paling beruntung. Mudah dimainkan dan banyak hadiah. Jika Anda menyukai slot penny atau mesin slot dengan banyak jalur pembayaran. Permainan ini cocok untuk Anda...
Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image @dianasusanti@mastodon.social : w.r.t. Indonesian speaking people, the image below that I just made shows another fake site - which will look familiar to Android users. Note that it has a website certificate submitted by "Google Trust Services" while the site hides behind a Cloudflare IP-address. It is not surprising that people fall for this, as (for example), to log in to Microsoft you have to go to: https:⧸⧸login.microsoftonline.com Instead of, any of, for example: https:⧸⧸login.microsoft.com https:⧸⧸login.365.microsoft.com https:⧸⧸login.office.microsoft.com Another scamwebsite: https:⧸⧸lîdl·be/login Note the î instead of the i. P.S. I'm using · instead of . and ⧸ instead of / to prevent accidental opening. #Phishing #Spoofing #AitM #Fraud #FakeWebsites #OnlineFraud #DVCerts #NobodyFeelsResponsible #Cybercrime #CyberCriminals #Russia #GoogleIsEvil #BigTechIsEvil #CloudflareIsEvil #MicrosoftIsEvil
#DV#DVcerts#GTS
Public *
Erik van Straten

"Franse overheid voert phishingtest uit op 2,5 miljoen leerlingen"
security.nl/posting/881630/Fra

KRANKZINNIG!

Het is meestal onmogelijk om nepberichten (e-mail, SMS, ChatApp, social media en papieren post - zie plaatje) betrouwbaar van echte te kunnen onderscheiden.

Tegen phishing en vooral nepwebsites is echter prima iets te doen, zoals ik vandaag nogmaals beschreef in security.nl/posting/881655.

(Big Tech en luie websitebeheerders willen dat niet, dus is en blijft het een enorm gevecht).

Foto van een ogenschijnlijk correctie brief verzonden door DigiD, maar hartstikke nep. De brief bevat een QR-code die je zou moeten scannen, waardoor je op een nepwebsite terecht komt. Meer info: https://infosec.exchange/@ErikvanStraten/114154631328996771 Bron van deze foto: https://www.deorkaan.nl/opgepast-digid-oplichting-per-brief/
#Phishing#NepWebsites#DV
Replied in thread
Public
Erik van Straten

@mensrea : if you visit a shop (or a bank) in the center of the city, chances are near zero that it's run by impostors.

However, if you go to some vague second hand market, chances are the you will be deceived.

Possibly worse, if there's an ATM on the outside wall of a shack where Hells Angels meet, would you insert your bank card and enter your PIN?

On the web, most people do not know WHERE they are.

Big Tech is DELIBERATELY withholding essential information from people, required to determine the amount of trust that a website deserves.

DELIBERATELY, because big tech can rent much more (cheap) hosting and (meaningless) domain names to whomever if website vistors cannot distinguish between authentic and fake websites.

You are right that some people will never understand why they need to know who owns a website.

However, most people (including @troyhunt ) would enormously benefit.

Like all the other deaf and blind trolls, you trash a proposal because it may be useless for SOME, you provide zero solutions and you keep bashing me.

What part of "get lost" do you not understand?

@aral @EUCommission @letsencrypt @nlnet

Screenshot from part of https://www.virustotal.com/gui/ip-address/188.114.96.0/relations showing domain names of malicious websites, like the following ones (do not visit them): mondialrelay-client-fr[.]com oxfun-rpcdebug.pages[.]dev usps.paytollike[.]vip at-tmailler.typedream[.]app ycoficial[.]com productreview.myappgurus[.]com stonenumber[.]icu api.sulek[.]dev badaidrop[.]live
#Authentication#Impersonation#Spoofing
Replied in thread
Public
Erik van Straten

@aral :

I don't want to pay a cent. Neither donate, nor via taxes.

infosec.exchange/@ErikvanStrat

@TheDutchChief @EUCommission @letsencrypt @nlnet

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image @aral@mastodon.ar.al : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites. They're the ultimate manifestation of evil big tech. They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks. DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks). Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website). However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake. Decent online authentication is HARD. Get used to it instead of denying it. REASONS/EXAMPLES 🔹 Troy Hunt fell in the DV trap: https://infosec.exchange/@ErikvanStraten/114222237036021070 🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: https://infosec.exchange/@ErikvanStraten/114224682101772569 🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: https://infosec.exchange/@ErikvanStraten/114224264440704546 🔹 Stop phishing proposal: https://infosec.exchange/@ErikvanStraten/113079966331873386 🔹 Lots of reasons why LE sucks: https://infosec.exchange/@ErikvanStraten/112914047006977222 (corrected link 09:20 UTC) 🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/. However, this gang is still active, open the RELATIONS tab in https://www.virustotal.com/gui/ip-address/13.248.197.209/relations. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/ @EUCommission@ec.social-network.europa.eu @letsencrypt @nlnet@nlnet.nl #Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks #CloudflareIsEvil #FakeWebsites
#Authentication#Impersonation#Spoofing
Replied in thread
Public *
Erik van Straten

@aral : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.

They're the ultimate manifestation of evil big tech.

They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.

DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks).

Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).

However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake.

Decent online authentication is HARD. Get used to it instead of denying it.

REASONS/EXAMPLES

🔹 Troy Hunt fell in the DV trap: infosec.exchange/@ErikvanStrat

🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: infosec.exchange/@ErikvanStrat

🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: infosec.exchange/@ErikvanStrat

🔹 Stop phishing proposal: infosec.exchange/@ErikvanStrat

🔹 Lots of reasons why LE sucks:
infosec.exchange/@ErikvanStrat (corrected link 09:20 UTC)

🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): newly-registered-domains.abtdo. However, this gang is still active, open the RELATIONS tab in virustotal.com/gui/ip-address/. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: bleepingcomputer.com/news/secu

@EUCommission @letsencrypt @nlnet

Screenshot from the top of https://www.virustotal.com/gui/ip-address/13.248.197.209/relations The page had already redreshed when I copied the following domain names, so this is just to get an idea: tiles-35312.bond sleepwear-14660.bond prostate-cancer-treatment-95682.bond diet-98948.bond electric-cars-94009.bond packing-jobs-44721.bond dental-implants-48408.bond mattress-19892.bond breast-reduction-mammoplasty-surgery-24489.bond dental-implants-76071.bond rv-camper-motorhomes-90728.bond roofing-services-61345.bond maid-service-26172.bond
#Authentication#Impersonation#Spoofing
Replied in thread
Public
Erik van Straten

@BjornW :

I've stopped doing that after a lot of people called me an idiot and a liar if I kindly notified them. I stopped, I'll get scolded anyway.

Big tech and most admins want everyone to believe that "Let's Encrypt" is the only goal. Nearly 100% of tech people believe that.

And admins WANT to believe that, because reliable authentication of website owners is a PITA. They just love ACME and tell their website visitors to GFY.

People like you tooting nonsense get a lot of boosts. It's called fake news or big tech propaganda. If you know better, why don't you WRITE BETTER?

It has ruined the internet. Not for phun but purely for profit. And it is what ruins people's lives and lets employees open the vdoor for ransomware and data-theft.

See also infosec.exchange/@ErikvanStrat (and, in Dutch, security.nl/posting/881296).

@troyhunt @letsencrypt

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)🌘DV-CERT MIS-ISSUANCES & OCSP ENDING🌒 🧵#1/3 On Jul 23, 2024, Josh Aas of Let's Encrypt wrote, while his nose was growing rapidly: <<< Intent to End OCSP Service [...] We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. [...] CRLs do not have this issue. >>> https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html 🚨 On THAT SAME DAY, Jul 23, 2024, LE (Let's Encrypt) issued at least 34 certs (certificates) for [*.]dydx.exchange to cybercriminals, of which LE revoked 27 mis-issued certs approximately 6.5 hours later. Note that falsified DNS records may instruct DNS caching servers to retain entries for a long time; therefore speedy revocation helps reducing the number of victims. Apart from this mis-issuance *blunder*, CRL's have HUGE issues that Josh does not mention: they are SSSLLLOOOWWW and files are potentially huge - while OCSP is instantaneous and uses little bandwith. 🌘NO OCSP INCREASES INTERNET RISKS🌒 If LE quits OCSP support, the average risk of using the internet will *increase*. 🌘LIES🌒 Furthermore, the privacy argument is mostly moot, as nearly every website makes people's browsers connect to domains owned by Google (and even let's those browsers execute Javascript from third party servers, allowing nearly unlimited espionage). In addition, IP-addresses are sent in the plain anyway (📎). (📎 When using a VPN, source and destination IP-addresses *within the tunnel* are not visible for anyone with access to the *outside* of the tunnel - but they are sent in the plain between the end of the tunnel and the actual server.) Worse, the remote endpoint of your E2EE https connection increasingly often is *not* the actual server (that website was moved to sombody else's server in the cloud anyway), but a CDN proxy server which has the ability to monitor everything you do (unencrypting your data: three letter agencies love it, FISA section 702 grants them unlimmited access - without anyone informing you). 🤷 LE may try to blame others for their mis-issuance blunder, but *THEY* chose to use old, notoriously untrustworthy, internet protocols (BGP and DNS, including database records - that DNSSEC will never protect) as the basis for authentication. By making that choice, LE and other DV cert suppliers were simply ASKING for trouble. 🔓 In fact, the promise that Let's Encrypt would make the internet safer was misleading from the start: domain names are mostly meaningless to users, 100% fault intolerant, unpredictable and easily forgotten. If your browser is communicating with a malicious server, encryption is pointless. Josh, stop lying to us; your motives are purely economical. 🌘CORRUPT: BIG TECH FACILITATES CRIME🌒 DV-certs were heavily promoted by Google (not for phun but for profit) after their researchers "proved" that it was possible to show misleasing identification information in the browser's address bar after certificate mis-issuance (the "Stripe, Inc" incident, https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/). This message was repeated by many specialists (e.g. https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/) with stupid arguments: certificates do NOT directly warrant reliable websites. OV and EV certificates, and QWAC's, more or less reliably, warrant *WHO OWNS* a domain name. That means that users know *who* they're doing business with, can depend on their reputation and can sue them if they violate laws. "Of course" Google recently lost trust in Entrust for mis-issuing certificates (https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html). Meanwhile the internet has become a corrupt and criminal mess; its users get to see misleading identification info in their browser's address bar WAY MORE OFTEN, e.g. https:⁄⁄us–usps–ny.com (for loads of examples see https://www.virustotal.com/gui/ip-address/188.114.96.0/relations; tap ••• a couple of times). Supporting DN's like "ing–movil.com" and "m–santander.de" *is* facilitating cybercrime, by repeatedly mis-issuing certs for them (see https://crt.sh/?q=ing-movil.com and https://crt.sh/?q=m-santander.de) and by letting them hide behind a CDN (see https://www.virustotal.com/gui/domain/ing-movil.com/details and https://www.virustotal.com/gui/domain/m-santander.de/details). In addition, *thousands* of DV-certs have been mis-issued - without *their* issuers getting distrusted by Google, Microsoft, Apple and Mozilla. People have their bank accounts drained and companies get slammed with ransomware because of this. But no Big Tech company (including the likes of Cloudflare) takes ANY responsibility; they make Big Money by facilitating cybercrime. Not by issuing "free" DV-certs, but by selling domain names, server space and CDN functionality, and by letting browsers no longer distinguish between useful and useless certs. They've deliberately made the internet insecure *FOR PROFIT*. 🌘CERT MIS-ISSUANCE ROOT CAUSE🌒 The mis-issuance of LE certs was caused by the unauthorized modification of customer DNS records managed by SquareSpace; this incident was further described in https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/. Note that a similar attack, also affecting SquareSpace customers, occurred on July 11, 2024 (see https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/). Even if it *looks like* that no certs were mis-issued during the July 11 incident, because (AFAIK) none of them have been revoked, this does not warrant that none of them were mis-issued; such certs can still be abused by attackers, albeit on a smaller scale. 🌘MORE INFO🌒 Please find additional information in two followups of this toot: 🧵#2/3 Extensive details regarding Mis-issued dydx.exchange certs on 2024-07-23; 🧵#3/3 Links to descriptions of multiple other DV-cert mis-issuance issues. 🌘DISCLAIMER🌒 I am not (and have never been) associated with any certificate supplier. My goal is to obtain a safer internet, in particular for users who are not forensic experts. It is *way* too hard for ordinary internet users to destinguish between 'fake' and 'authentic' on the internet. Something that, IMO, can an must significantly improve ASAP. Edited 08:16 UTC to add people: @troyhunt @dangoodin @BleepingComputer @agl #DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#DV#Impersonation#AnonymousCertificates
Replied in thread
Public *
Erik van Straten

@troyhunt : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.

We also need better (readable) certificates identifying the responsible / accountable party for a website.

We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.

Important: certificates never directly warrant the trustworthyness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensuring that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.

More info in infosec.exchange/@ErikvanStrat (see also crt.sh/?Identity=mailchimp-sso).

Note: most people do not understand certificates, like @BjornW in mastodon.social/@BjornW/114064:

@letsencrypt offers certificates to encrypt the traffic between a website & your browser.

2x wrong.

A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.

However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.

Will you please help me get this topic seriously on the public agenda?

Edited 09:15 UTC to add: tap "Alt" in the images for details.

Screenshot of https://www.virustotal.com/gui/domain/mailchimp-sso.com/relations It shows that mailchimp-sso[.]com is "hosted" (actally proxied) by Cloudflare IP-addresses.
Screenshot of https://www.virustotal.com/gui/domain/mailchimp-sso.com/details It shows that mailchimp-sso[.]com has a DV-certificate issued by "Google Trust Services".
#DVcerts#Authentication#Impersonation
Public
Mikel Forcada EA5IYL

My memory fails, can you folks help me? What's the name of a novel suite of python programs that implements both digital voice and a new (?) keyboard-to-keyboard text modes in a single GUI? I installed it in a hard disk that died, and I don't remember. Thank you very much!

#DV#python
Replied in thread
Public *
Erik van Straten

@0xF21D : Cloudflare is evil anyway.

Cloudflare reverse-proxies (or -proxied):

-
cloudflare.com.save-israel·org
-
ns.cloudflare.com.save-israel·org
-
albert.ns.cloudflare.com.save-israel·org
-
sydney.ns.cloudflare.com.save-israel·org
-

I don't know whether any of these domains were or are malicious, but such domain names are insane; expect evilness.

See also:
crt.sh/?Identity=save-israel.o

Tap "Alt" in the images for more info.

@malanalysis

Screenshot from part of https://www.virustotal.com/gui/ip-address/188.114.96.0/relations Visible in the screenshot (using '-' on a line on itself as line separator, and replaced the last dot in domain names by "[.]" to prevent accidental opening): - 2025-03-17 0/94 Mandiant albert.ns.cloudflare.com.save-israel.org - 2025-03-17 19/94 Mandiant allegro.pl-oferta5260043.shop - 2025-03-17 19/94 Mandiant allegro.pl-ogloszenia78517.shop - 2025-03-17 6/94 Mandiant allegrolokalnie.8124-4912-9124.rest - 2025-03-17 17/94 Mandiant allegrolokalnie.d9llje3ubkij00gv.shop - 2025-03-17 21/94 Mandiant allegrolokalnie.oferta-3156512.shop - 2025-03-17 19/94 Mandiant allegrolokalnie.oferta-8681986.sbs - 2025-03-17 19/94 Mandiant allegrolokalnie.ogloszenie-9908905.shop -
Screenshot from part of https://www.virustotal.com/gui/domain/cloudflare.com.save-israel.org/relations Visible in the screenshot (using '-' on a line on itself as line separator, and replaced the last dot in domain names by "[.]" to prevent accidental opening): - Passive DNS Replication (2) - Date resolved Detections Resolver IP - 2024-07-31 0/94 VirusTotal 172.67.169.79 - 2024-07-31 0/94 VirusTotal 104.21.87.91 - Subdomains (1) - ns.cloudflare.com.save-israel.org 0/94 172.67.169.79 104.21.87.91 - Siblings (2) - com.save-israel.org 0/94 172.67.169.79 104.21.87.91 - www.save-israel.org 0/94 63.250.43.12 63.250.43.11 -
Screenshot from part of https://www.virustotal.com/gui/domain/ns.cloudflare.com.save-israel.org/relations A bit more text than visible in the screenshot (using '-' on a line on itself as line separator, and replaced the last dot in domain names by "[.]" to prevent accidental opening): - Passive DNS Replication (2) - Date resolved | Detections | Resolver | IP - 2024-07-31 | 0/94 | VirusTotal | 172.67.169.79 - 2024-07-31 | 0/94 | VirusTotal | 104.21.87.91 - Subdomains (2) - albert.ns.cloudflare.com.save-israel[.]org 0/ 94 188.114.96.0 188.114.97.0 188.114.96.9 ... - sydney.ns.cloudflare.com.save-israel[.]org 0/94 188.114.96.0 188.114.97.0 188.114.96.9 ... - Siblings (2) - com.save-israel[.]org 0/94 172.67.169.79 104.21.87.91 - www.save-israel[.]org 0/94 63.250.43.12 63.250.43.11 -
#CloudflareIsEvil#BigTechIsEvil#AitM
Public *
Erik van Straten

@maartjeS :

👍🏻 nee, dat is beslist niet stom! Er zijn maar weinig mensen die hier iets van snappen, en dat is precies het probleem.

🥸 Ook ervaren idioten zoals ik moeten te vaak diep graven om te zien of een website echt is of nep, en soms blijkt dat onmogelijk (zoals bij sommige webshops).

🏫 Als we naar het centrum gaan en daar een pand zien waarop "ING" of "HEMA" staat, dan zijn we *GEWEND* dat daar géén oplichtersbende in zit.

🚔 Ons risico om te worden belazerd is laag, omdat kwaadwillenden niet eenvoudig een pand kunnen huren, zoiets snel aan het licht komt en de pakkans groot is.

🏧 Maar zou jij geld pinnen uit een Geldmaat bevestigd aan de buitengevel van een pand van de Hells Angels gevestigd tussen een autosloperij en een pallethandel?

👽 Op internet is de *ENIGE* aanwijzing die we hebben over de identiteit van een website, de domeinnaam die we zien in de adresbalk van de browser. We hebben géén idee meer waar een server staat en wat de nationaliteit van de huurder van de domeinnaam is.

🆎 On precies te zijn, een in DNS geldige website-domeinnaam is een (potentieel nietszeggende of juist misleidende) reeks karakters hooguit bestaande uit:

1) kleine letters (a-z);
2) cijfers (0-9);
3) het minteken;
4) de punt als *scheidingsteken*.

🆔 Een domeinnaam is een *alias* voor een IP-adres, net als "Maartje" in mijn lijst met contacten een alias is voor een telefoonnummer (ik vermoed een ander telefoonnummer achter "mijn" Maartje).

☎️ Stel Maartje neemt morgen een ander telefoonnummer, en een ander krijgt haar oude nummer. Als ik vervolgens "Maartje" bel, krijg ik een ander aan de lijn (als ik pech heb is dat iemand die m.b.v. AI de stem van Maartje exact imiteert en mij misleidt). Dit is een van de problemen met domeinnamen: soms vallen ze in verkeerde handen (zie security.nl/search?origin=fron).

🆒 Domeinnamen hebben een bijzondere eigenschap: ze zijn (als alles goed gaat) wereldwijd uniek - in tegenstelling tot "Maartje" of "Erik van Straten".

📒 DNS is het wereldwijde "telefoonboek" om (onder meer), gegeven een domeinnaam, het huidige IP-adres van de server (waar de website actief op is) op te zoeken. Want computers op internet communiceren met elkaar middels IP-adressen, net zoals mobieltjes daar telefoonnummers voor gebruiken.

👹 Het probleem blijft dat domeinnamen nietszeggend of bewust misleidend kunnen zijn (enkele "verse" voorbeelden in de screenshot onderaan deze toot).

🏦 Precies daarom gebruiken de meeste banken EV (Extended Validation) website-certificaten. Het laatste certificaat voor rabobank.nl zie je in crt.sh/?id=16445752040 (merk op dat dit certificaat geldig is voor maar liefst 155 verschillende domeinnamen, die je vindt door in die pagina te zoeken naar DNS: ).

📄 Een website-certificaat kun je prima vergelijken met een *kopie* van een paspoort. De server stuurt dit ongevraagd naar de browser.

🤝 Er volgt echter een slimme wiskundige truc: de server *bewijst* aan de browser over het *originele* paspoort te beschikken (feitelijk een "private key"). Een crimineel heeft dus niets aan zo'n kopie.

🤔 In dat paspoort kunnen minder of meer gegevens staan (V staat voor Validated):

a) Domain V: alleen de domeinnaam (of meerdere domeinnamen).

b) Organization V: de domeinnaam/namen plus matig betrouwbare identificerende gegevens van de eigenaar van de website.

c) Extended V: de domeinnaam/namen plus redelijk betrouwbare identificerende gegevens van de eigenaar van de website.

d) QWAC (en.wikipedia.org/wiki/Qualifie): de domeinnaam/namen plus maximaal betrouwbare identificerende gegevens van de eigenaar van de website.

🕋 Alles valt of staat met de betrouwbaarheid van de *certificaatuitgever* (een gemeenteambtenaar die valse paspoorten aan criminelen verkoopt kan ook desastreus zijn voor het vertrouwen in het systeem, voorbeeld: security.nl/posting/800253/Amb).

——————

🤪 Technisch uitstapje (als je nog zin hebt):

🌐 DNS snapt niets van IDN's (International Domain Names). Punycode is een truc in browsers om toch met "nep" domeinnamen zoals

münchen.de
en
βιβλιοχαρτοπωλειον.ελ (een Griekse "domeinnaam")

te kunnen werken. "Onder water" wordt daarvoor Punycode gebruikt, volgens charset.org/punycode zijn dat resp.

xn--mnchen-3ya.de
en
xn--mxabanrbcmcwrbdkn2c8b1b.xn

🤬 In certificaten voor IDN's vind je (stom genoeg) uitsluitend de Punycode representatie. Het is allemaal zo gemaakt dat het simpel *lijkt* - maar niet is, en dat is meestal iets waar criminelen van profiteren.

👹 Ten slotte nog een wijdverbreid fabeltje: "met een certificaat wordt de https:// verbinding versleuteld". Dat is, al vele jaren, pertinente onzin.

🆔 Een (server- of client-) certificaat wordt uitsluitend gebruikt voor authenticatie (van de server of de client), het leveren van *bewijs* van identiteit.

🔐 Bij de moderne TLS v1.3 (waar steeds meer servers gebruik van maken voor https://) wordt de verbinding zelfs éérst versleuteld; pas dáárna stuurt de server diens kopie-paspoort (een kopie van het certificaat) naar de browser - over de reeds versleutelde verbinding dus.

P.S. emojies toegevoegd in een poging om de droogte van het technische geneuzel te beperken 🥱

@ErikSchouten73

Een screenshot uit een stukje van https://www.virustotal.com/gui/ip-address/193.143.1.14/relations met rechts domeinnamen van nepwebsites, zoals: www.ukgovret·com 639125-cb·com 851732-coinbase·com (ik heb steeds .com gewijzigd in ·com om onbedoeld openen te voorkómen).
#Certificaten#DV#DVCerts
ExploreLive feeds
About