In the wake of the revelation that a major SSL certificate provider suffered a serious breach
, Chris Palmer from the Electronic Frontier Foundation has analysis of the common practice of issuing certificates for unqualified domain names, such as "mail" and "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never
be issued certificates, as doing so leaves anyone who makes a practice of using them within a company network vulnerable to man-in-the-middle attacks. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
Flexispy (previously) is the creepy, sketchy stalkerware company that makes tools that allow jealous, abusive spouses track their partners, and then hides their profits in offshore money-laundries.
When United CEO Oscar Munoz lied about Dr David Dao, slandering the passenger that was beaten unconscious as a direct result of his employees enacting the policies he put in place, he was acting in the knowledge that he would shortly be elevated to the Chairmanship of United’s board of directors.
Motherboard’s Joseph Cox continues his excellent reporting on Flexispy, a company that make “stalkerware” marketed to jealous spouses through a network of shady affiliates who feature dudes beating up their “cheating girlfriends” after catching them by sneaking spyware onto their devices.
“Gets stuff done,” is a good way to be described by anybody. Especially by coworkers or bosses. Because whether you’re in finance or a children’s librarian, stuff needs to get done. But how do you make sure stuff gets done? You definitely can’t do all the stuff yourself, unless your company/organization/government office consists entirely of you. And […]
Even the most expensive pair of hi-fi headphones can’t match the feeling of bass rumbling through your body at a live show. That’s why music aficionados designed The Basslet, an accessory that reproduces that sensation from your wrist. Does it make your whole body shake with deep subs? Not really, because that would be terrifying, but […]
They probably just sleep a lot. But still, you can remotely keep an eye on them when you’re at work and missing them deeply with this HD monitor from Kodak.If you have a new puppy that destroys everything in sight, or you just want to be a little more security-conscious, this WiFi camera is a […]