________________________________________________________________________________
While this is a legitimate problem, the article seems to be a disguised advertisement for NordVPN and 1Password, who Troy Hunt is partnered with [1] [2]. There is a clear bias towards suggesting that the solution to the problem is that everyone signs up and pays for these services.
[1]
https://www.troyhunt.com/im-partnering-with-nord-as-a-strate...
[2]
https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...
And this is not the first time [1], either. I feel it's unethical to not disclose in the article that he's affiliated with the services he's advertising.
[1]
https://news.ycombinator.com/item?id=24544195
> Please don't use HN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity. —
https://news.ycombinator.com/newsguidelines.html
I wish I could downvote this submission. I wonder whether I should flag it.
Neither the parent link nor the post I linked are from accounts with an inordinate number of posts for Troy Hunt's blog (I count 1 each). I don't think he's breaking HN rules, I just think he's being deceptive and unethical.
Right, I don’t want to take the accounts’ karma (certainly not more than they’ve gained from the submissions), I just want to lower the prominence of the links funneling traffic to the unethical and deceptive post.
Also take note of the latest post on author's blog, "I've Joined the 1Password Board of Advisers"
https://www.troyhunt.com/ive-joined-the-1password-board-of-a...
He loses my respect with that. NordVPN isn't without its problems and he's also selling a VPN that monitors your browsing to detect this stuff. A VPN that grows by underselling itself all over youtube isn't one I want to be a customer of.
If he wants to use his rep to write fluff pieces for his corporate sponsor, so be it. But he discredits himself for doing so.
You can't blame a company for doing its business and wanting to grow mate. It's part of company evolution, as soon as the produit is built, you can promote it, thats one way to earn money. It's just the growing cycle. And look at how competitive this industry is.
> A VPN that grows by underselling itself all over youtube
You're avoiding a service because it sponsors content you enjoy?
Yes.
I dont want to be devil's advocate as a quote says, but I see Troy Hunt implication in Nordvpn as a huge step. His authority and reputation are very good so I believe his straightforward will keep improvements ongoing. I still think being inside of the industry remains the best way to improve it.
I like to read all sorts of opinions and I will be in your side this time. I do understand the disappointment of some but I am convinced this is for the best.
Many initiatives have been taken since the beginning, as well as efforts. For example the Trust Initiative or the bug bounty. One way or another, they have a positive impact on the whole VPN industry although there is some room for improvements.
I don't blame the guy trying to earn some extra money for the work he puts in. You can't expect him to spend time creating useful content and getting nothing out of it. The products are relevant, so I don't see a problem.
Honestly, it wasn’t much of a disguise. Not subtle.
A password manager helps simply because it "remembers" exactly what sites you've been to in the past and if you go to a different site with a same looking url it won't auto-fill.
Well, your browser also has a history of all the sites you've been to in the past, and people tend not to go to a lot of random sites. It would be pretty simple to display something when you go to a site you've never been to before. Just an unobtrusive, but not too unobtrusive, "this is your first visit to this site.". So when you see that on googie.com you might double check where you are. If the site url is similar to one you've been to in the past it could even say "Did you mean to go to one of these sites with similar looking names?...."
I'm not sure what the deal is with shilling for a vpn, or how that helps. It doesn't.
> Well, your browser also has a history of all the sites you've been to in the past, and people tend not to go to a lot of random sites. It would be pretty simple to display something when you go to a site you've never been to before. Just an unobtrusive, but not too unobtrusive, "this is your first visit to this site.".
Whoa, that seems like a _shockingly_ good idea! It could look similar to what happens when you enter data into a password field on a non-https website. The browser can pop up a little box under the input when you start typing, which says something like "this is your first time visiting this website. Only enter passwords on websites you trust."
Are there any major downsides I'm missing? Signing up for accounts on new sites would certainly create false-positives, but if the warning is properly coded that doesn't seem like such a problem.
Hell, that warning could be helpful even on signups to new sites: “This is your first time visiting this website. Only enter passwords on websites you trust, and don’t reuse passwords from other sites. We recommend you use this securely-generated password:”
Idk, I’d get a little nervous extending it too much. Browsers and sites have far too many use-our-new-feature-plz popups. This shouldn’t look like that, or it’s more likely to be ignored.
I might keep your first addition but nix the final paragraph, as good a suggestion as it may be.
To be fair, my browser (Firefox) already suggests a secure random password on password dialogs for sign-ups; I believe they are either using the heuristic of "no password saved on the site" or "password confirmation box exists". I was more-or-less simply thinking of extending that particular message.
Finally a way to know if you should try to reset your password before creating a new account. It sometimes happens that I don't remember I've already signed up for some site and forgot about it entirely.
Several people are suggesting this on this post, but it won't work for input. The phishers will just stop using password forms. And if you make it for all forms, well that can probably be faked trivially with javascript.
It _would_ work for first time visits, but I propose that it will be too common that people will ignore it or brainlessly click through it, providing little to no security benefit.
Phishing is an artifact of the bad design of the system of remembering a password, and will likely continue until we design and widely deploy a better alternative.
You could trigger on any keypress on a first-time site.
Hopefully being careful with TAB or anything else somebody might be using for navigation. God help you if you use vimium in that world.
The issue with solving this problem is the incentives are mostly "how can we get Google/Apple/Microsoft/Facebook users to not get phished" since they are the strongest voices in the room when this kind of thing happens, but then half the time we get solutions like "what if we pre-registered a list of 'popular' companies and flagged everything else" which of course hurts everyone that doesn't make the list. And the other half of the time you get "what if we kept a 'bad list' of websites people should't go to" and you have the constant issue of scammers staying one step ahead of these things and/or benign websites being flagged. There still doesn't seem to be a good way to have people associate their identity with a domain on the web.
Just like in real life, I think the answer is not prevention but accountability. The only thing stopping a random person from bashing in my head on the sidewalk (besides moral decency) is their understanding of the consequences. They can do it, but they'll go to jail for a long, long time.
Similarly, the answer on the net is not to stop bad actors from being bad. It's to punish and hold accountable those that do bad things. That avoids the "thoughtcrime" problem, and makes space for actual freedom.
The only thing we have to lose is privacy for domain owners. Seems like a trade-off worth considering.
A lot of phishing, and other online financial crime, is perpetrated by groups operating with the support of their home governments. There's no way to hold North Korean state-backed phishing/criminal hacking groups accountable without disconnecting North Korea from the Internet or going to war with them. Similar issues apply to curtailing online crime committed by Russian mafia entities, as they are well connected to the Russian government.
An alternative strategy would be to crack down on the money laundering channels used by criminal entities to get money from their victims, but this would be politically difficult as it would involve shutting down grey-market banks that are well used by the ultra wealthy to evade taxes and pay bribes.
Are there any sources for this? I'm not saying what you're saying is true, but I have a hard time believing the majority of scams and spam out there is state-sponsored as opposed to independent bad actors, and if accountability can at least weed those out then that's still a win.
North Korean state-sponsored criminal fraud activities:
https://www.zdnet.com/article/north-korea-s-apt38-hacking-gr...
https://www.cnn.com/2019/03/01/politics/north-korea-cyberatt...
Connections between _specific_ Russian financial crime organizations and the Russian government are much harder to pin down as people who try to investigate ties between the Russian mob and the Russian government often wind up dead. However, the Russian government is well known to be tightly linked connected to Russian organized crime[0]. Given the sheer scale of Russian financial fraud operations--Carbanak stole upwards of a billion USD[1]--the balance of probabilities suggest these operations exist with the tacit approval of the Russian government.
[0]
https://bpr.berkeley.edu/2019/12/16/gangs-and-gulags-how-vla...
[1]
https://securityintelligence.com/carbanak-how-would-you-have...
Seems like something functioning governments should be able to resolve with extradition treaties, and sanctions for those who do not abide by them.
North Korea is already under severe economic sanctions for its nuclear weapons program and other geopolitical issues[0]. Russia is also under economic sanctions for invading Ukraine. There's very little the rest of the world can do to hold either of them accountable for sanctioning organized fraud groups in their territories.
Hopefully the consequences are not the only thing.
I think you're supposed to read "a random person" as "any random malicious person".
What prevents the violent psychopath from killing the child they see to get their lollipop when they want something sweet? The fact that there are repercussions. What prevents those that have no qualms about stealing from a store from doing so most of the time (even those that steal don't do it every time they enter a store)? The same.
Besides moral decency, I said. What else do you think there is?
It seems like consequences are the only language that bad actors understand, unfortunately.
> The only thing we have to lose is privacy for domain owners.
This is a huge downside. Anonymous publishing is a very important right.
_> > The only thing we have to lose is privacy for domain owners._
_> This is a huge downside. Anonymous publishing is a very important right._
It also wouldn't work. Or rather, at _best_ it would only work as well as political campaign message attribution does (and that's with considerable enforcement muscle aimed at it).
Somehow "dark money" often manages to evade these efforts, and evade the consequences of violations, and I wouldn't expect transnational phishing and scams to be any different.
Which isn't to say that we should stop trying, but sacrificing the capability of the general public for anonymous speech in return for dubious-at-best attribution by well-heeled actors seems like a poor tradeoff.
Must speech be anonymous to be free?
Yes. Think of countries with a mandatory "impressum" (Germany and Austria)
Yes. That’s why voter anonymity is so important, for example.
I would posit that for normal run-of-the-mill communications, anonymity is overrated. What is this edge case of politically sensitive communications that you think is at risk?
Most HNers here including yourself are writing comments with the comfort of anonymity. I don't want to worry about anything I have to say being tied to my identity, whether it's even my thoughts that there's nothing wrong with a "master" branch much less my much more unsavory thoughts in the tech space.
Isn't it possible that people become more comfortable attacking common sense opinions like that because they are only expressed in pseudonymity? If the veil were lifted, we'd all have to stand behind our opinions, and people who wanted to disagree would have to do it to our faces. Maybe removing humanity from the internet is not the panacea it seems?
I lose my job for supporting the wrong candidate?
What isn’t “politically sensitive”?
If you create a git repo, the first branch’s name is a controversial political issue.
“Everything’s political” ~ What’s-his-face the communist in _Fiddler on the Roof_ after introducing “Will you marry me?” as “a political question.”
Why must there be exactly one solution that solves everything? We don't expect that anywhere else in life.
Obviously it's best if there was a simple automated solution that worked in all cases, but there is no such thing. Password managers are great, but they don't counter disinformation from sites you don't have a password with. Preventing access to malicious sites only works if it's known to be malicious; new sites will always slip through (and attackers can keep creating new sites), false positives are a problem, and not everyone can afford them. Reputation systems can be gamed.
In many cases you try to make it so that an attacker has to pass multiple barriers, instead of pinning your hopes on a single perfect solution. Usually there isn't one.
So yes, DO display the URL; use fonts, lowercased domains, colorize each character by Unicode region, or whatever you have to do to help users detect when there could be a problem. Then let users check. Some URLs will slip through, but I'll note that a LOT of people picked up the "googIe.com" in the survey - it wasn't randomly distributed.
DO use a password manager. That will dramatically help if you've previously logged into that site.
I'm less excited about filtering domains, especially because some implementations are privacy disasters. But if done in a privacy-respecting way, I can see some value. But only SOME value - they are NOT a panacea. And many will not use them.
The goal isn't to find the one true answer; the goal is to make it unlikely for an exploit attempt to work. If you CAN come up with a perfect automated defense that's affordable, great, do that. In most circumstances you need multiple defensive mechanisms so that the attacker has to overcome multiple very different barriers.
A few years ago, I had this idea of using identicons to visualize the host part of URLs:
https://vorba.ch/2018/url-security-identicons.html
I still think this could help people realize when they are being phished at least for their most important sites in a privacy-respecting way, even if they don't use a password manager for those sites. I don't use my password manager for my banking account, for instance, since I don't want those credentials to be synced anywhere.
Attackers will then work to find domain names that generate similar identicons.
But maybe the identicons don't need to be meaningful or the same for everyone. You could hash the domain with another value, like a computer name or username, then show some interesting pattern. Then it would have a different pattern. Not perfect, but yet another user cue.
Yes, agreed. This could only be one of many factors.
For firefox, you can disable IDN in the urlbar with:
user_pref("network.IDN_show_punycode", true);
in your user.js. Then all URLs will appear in their punycode form, eg apple.com with the cyrillic glyphs will show as:
https://www.xn--80ak6aa92e.com/
Is this good enough? Probably not in general.
- It relies on you to notice the URL bar after you've clicked a link. Worse, it relies on you to notice the URL bar after you've clicked a link _and_ after the website has begun loading long enough so that firefox changes the URL to the target.
- If you're someone who does actually visit websites with punycoded domains regularly, then this conversely makes it harder for you to know you're on the right domain.
- Even if you notice the URL is wrong, you've already started loading the page. Best case your IP is now known to that server. Worst case it had a malicious payload for your browser / OS / hardware and your content blocker wasn't configured / able to block it.
It's good enough for me, at any rate.
I'm honestly surprised at Firefox's behavior here. I thought all of the browsers years ago identified homoglyph attacks and deployed defenses. For example, in Safari, this domain does render as
https://www.xn--80ak6aa92e.com
because Safari decided this was a homoglyph attack. My impression was all the browsers did this for any domain that used a homoglyph of a latin character, so why is Firefox failing?
As far as I can recall, Firefox (and maybe Chrome) will still display the original glyphs if they are all from the same character set. So for example, all Cyrillic apple will display as apple, but apple where only the a is Cyrillic will display punycode for the a.
Edge does display punycode, but not sure if it's an Edge thing or a Chromium (and therefore Chrome) thing.
Firefox wontfix'd it because it would be racist to not show phishy IDNs.
https://bugzilla.mozilla.org/show_bug.cgi?id=1332714
Sadly, this solution makes the situation worse for people who browse sites that aren't trying to run IDN spoofing because punycode URLs all look the same.
Yes. The second point I made.
In chrome for me this happened automatically with the cyrillic apple.com. However doesn't happen with any other website. Seems pretty smart.
It's a hard problem, but I don't think there's any solution that doesn't make the web measurably worse.
We have consolidation and the exclusion of bit players and new entrants in real life already, and I don't like it. Now we're talking about solving these problems on the internet in a way that seems like it will lead to the same place.
I definitely don't want Google to solve this problem for me. Then again, I don't use their search engine nor primarily their browser, so then we end up with "solutions" that are very unevenly distributed.
The root issue is that the internet is a very hostile environment, and trying to make it safe seems like a losing cause, a denial of reality.
Why not display a warning if the character set is different from users?
A browser-based password manager mostly solves the confusables problem. If your password manager matches by domain name, and someone tries to phish you, it will immediately clue you in that something's not right.
Unfortunately this doesn't solve the problem in general, because most people don't use password managers.
And I frequently need to add alternative trusted URLs to 1Password so that auto fill works on the same authentication across different domains (this I find I need often for like banks)
Airline sites are the worst in this regard. United, American, Delta, etc. bounce you around between multiple phishy-looking domains to redeem miles or use their benefits. And none of them use their own site as a proper OpenID connect or OAUTH IDP and require re-logging in with your airline username and password on different domains!
What if the attack is targeted at new users. Work on signing people up for Netflix then drain their bank account.
Submitting your password to a site isn't the only concern. Downloading executables, for example.
I always wondered why don't browsers highlight the address bar with the color sourced from the domain hash? If my bank's site is always pink but after clicking a link it's suddenly teal, could it get any easier?
When https green shields and locks appeared at first I thought it's something like that, only to be disappointed.
I don’t think there are enough unique human distinguishable colors to make this worthwhile. I imagine it wouldn’t be too hard to find a “collision”.
C'mon, just add a simple shape or an emoji to the color or something, besides, it has to be a collision AND a visually similar domain.
Troy's blog provides good value, the info is easy enough to understand and talks about problems that sometimes slips through the cracks. I would appreciate if he would be more succinct in his articles, but overall he's doing a pretty good job.
This article, despite being an obvious advertisement, was informative. But I’m a bit confused about why this is considered a tricky problem, and why we need technological solutions. I’m no computer security expert, but I don’t think I will be affected. I don’t click on links in emails or (good lord) in text messages. I don’t download executables. I suppose I could end up on a counterfeit site by following a link, say, from Twitter. But I wouldn’t be following a link from Twitter to my banking site. So where is the vector? Am I being naive?
https://www.schneier.com/blog/archives/2006/02/petnames.html
Great link. In a broader context this is makes me wonder whether the development in-group nomenclature (slang) developed for similar reasons, to defend against collisions in terminology with others where misunderstandings could lead to disagreements and fights. You can still speak the same language, but if someone overhears you (tries to interpret what you type into a url bar) they don't understand unless you have intentionally specified the mapping to the global nomenclature. Of course this would require that browsers stop trying to redirect you to who knows where when you type in a single word in the url bar so that not typing in the local name would lead to a failure.
VPNs aren't a good solution
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
I wonder if one can create a browser plugin that judges the similarity of a domain to a set of well-known domains and warns the user when the URL they clicked on has a domain that is very similar but not the same? Maybe use levenshtein distance or some kind of visual similarity measurement? The downside is that it would obviously punish a legit website like googie.com but perhaps one can whitelist it if one explicitly enters the URL?
This would be a kind of augmented Soundex code that could be useful is many contexts.
The problem is your browser or DNS cache would basically have to have a copy of the root zones OR contact a special name resolver that would return...what? in the case of a collision.
More than the root zone; it would have to have all of the TLD zones, and even deeper in some cases.
I dunno if it'd be worth the effort, either it would miss a ton of stuff, be complaining all the time, or require a massive whitelist.
I think we should have a mechanism to keep a list of "sites that need extra trust". Browser should warn about all sites whose url seems to be mimicking them.
These would be all the sites on which you think you need extra amount of trust. Say all sites where you do financial transactions, and ones like gmail which are used for identity verification.
Any opinions on re-configuring / modifying workflows "in-flight". and configuration in general. While using JIRA as a developer is generally pleasant when workflows are well configured, configuration of JIRA as a team manager is an absolute pig.
And if you look at configurations from API perspective, you understand that JIRA is full of fuck (and their api is a veeeery leaky abstraction)
I’m confused. I think Troy has been pretty open about his relationship with 1Password and NordVPN.
So, he writes an article about a service related to these companies which helps to solve a real issue.
So, why all the hate?
I wish DNS-level domain blocking were are more normal thing to do. So many people are using uBlock these days that blocklists shouldn't sound too advanced. Also it's free, of course.
and now if 1password would only go back to the non-cloud based SaaS subscription version and put the client side "user syncs however they want" version as a first class citizen
I'm thinking we could at least implement a whitelist for banks, and show a banking symbol in the url bar. Then educate people about this.
There are over 10,000 financial institutions in the USA alone. The FDIC and OTS have lists of them all, but none contain their approved internet domain names. This isn’t as easy as you’d think.
Can anyone tell me why 1Password is specifically suggested over, say, literally any other password manager?
Why is 1Password better than your browser’s own, free, preconfigured manager?
Why it's suggested and why it's better are separate questions. It's suggested because the author has a vested interest in 1Password.
As for why it's better than the browser's password manager... for an individual, it probably isn't. For me, I will say that I like that 1Password allows my partner and me to share passwords to joint accounts, which iCloud Keychain can't do without getting out of sync when a password changes. (iCloud Keychain also only works on Apple devices, of course.)
Because the article is an ad for 1password quite literally, hes on board of advisors. Same with nordvpn that he is shilling.
This is one of the reasons why I think it was a mistake for the web browsers to de-emphasize EV certificates.
Precisely because they are expensive and difficult to get automatically, they can be a an extra protection against phishing.
I fear that because of these kind of URL issues, and with the deemphasis of EV certificates which would have provided a somewhat decentralized solution, we will end up in a world where the author of the browser becomes the ultimate authority on what is a trustworthy URL. That means for most of the users, Google will be the arbiter of what is and is not a trust worthy URL.
> Precisely because they are expensive and difficult to get automatically, they can be a an extra protection against phishing.
And the requirement for an EV certificate is that it has to be registered specifically in the corporate name, which isn't necessarily the well-known trade name. Furthermore, anyone could choose to register their company as, say, "Microsoft" if it's not in the same jurisdiction as the actual Microsoft, and you get this lovely verified checkmark saying that the phishing site is, indeed, Microsoft. (Just not the Microsoft they were expecting).
The concept of TLS certs validating the identity of a business entity--rather than just ownership of a domain name--has merit even though the implementation of EVs was poorly considered.
A system that presented the end user with a business card of _relevant_ information regarding a given website could be very effective if done properly. Presenting a list of industries and trademarks that the site does business under in the user's current jurisdiction would be a good start.
"specifically in the corporate name, which isn't necessarily the well-known trade name"
If you 'verifying' without knowing the legal identity, what on earth have you verified? Perhaps we could include trademarks somehow, but at the end of the day having weired names is down to the firm.
The example with google blogs was particularly apt - all URLs are legit, but only one belongs to Google. I want to know which one.
Even better: Rather than all the red-tape, you can just use an indicator between `
That is essentially what you used to be paying for with certs back in the day. You bought yourself a $500, $1000, or $1500 cert based on the level of liability insurance you needed if someone "broke the encryption". The extra money does help pay for extra betting by the issuing authority, theoretically.
The thing is, just charging extra money would probably work for the most part, even if it isn't all that fair. Also, how do I set myself up as the authority you need to pay $$$ to for a certificate? That seems like a pretty sweet market to be in. ;)
Sadly research has proven otherwise:
1. Users do not understand the difference between an EV and a DV cert. We spent a decade training users that the padlock is all you need.
2. Company registration norms are not standardised across the world, and you can easily get a certificate for Microsoft Corp, see
https://news.ycombinator.com/item?id=15904513
for eg.
An EV cert basically screams you have no idea what you are doing in the security realm. "We can't make our site secure, but we can make it look secure.". Like when people put those little "security seal" gifs all over the place.
t.co/Ati2ndKvGI
Case sensitive identifiers should have been never allowed.
For one thing, I blocked that foolish kid who tweeted that browsers should warn about "googie.com" (a term that refers to a style of architecture
https://en.wikipedia.org/wiki/Googie_architecture
). Knee jerk response make things worse.
I love this style and didn’t know there was a term for it. Thanks!
I mean what if the world was completely different to what it actually is and people understood visual security indicators?
The article is full of tweets by people, including Hunt himself, that use visual security indicators
Note: biased. Worked on a web verification startup for 4 years. Including campaigning for better indicators.
A solution could be displaying the credibility of the page. For example: age of URL, how many users have been using it, how reputable is the domain, and so on. Even if a bank changes their login URL, the old domain will point to it.
The issue with this is that it requires a crawler that determines this. In a way, the existing safe browsing mechanisms already offer the infrastructure.
Good discussion of the issue, but Troy needs to run his blog through a grammar/diction checker.
Something key he alluded to but didn't get into is that browsers should remember (a hash of) your history and warn you when you visit a site (like googleblog.com) that you never visited before and isn't known to be owned by the owner of a site you have visited before.
So this means you'll get a warning before going to anyone's blog for the first time?
Perhaps when submitting a password on a domain you've never been on before? I think that'd be super useful, actually.
On Venmo when you send money to a new person they say "This is the first time you've sent money to so-and-so" and recommend you confirm the receiver's phone number (though you can also skip it).
I think a similar warning could be fine for passwords and auto-fill information: "This is the first time you're sending a password to googie.com, which is registered to the Googie Real Estate Corporation. Is that what you mean to do?"
For passwords, sure. For regular browsing, I don't think I would want such a thing.
I don’t understand why you don’t want to blame the victim. My own father entered his bank password into a random site he received via SMS. The url wasn’t even similar.
The only solution to this is to tell users to look at the URL bar and make _that_ work well. If they don’t, you can’t do much.