DaemonForums  

  #1   (View Single Post)  
Old 19th April 2017
amphibious
-Guest-
 
Posts: n/a
Default Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

April 14th, 2017

Very interesting reading. Please read through, because this article shows you how you can spoof a website and have it show as secure. I tried it, and yes, it's true.

They set up their own fake site of a healthcare company, with certificate, and yes, you can actually have the same address, with a secure certificate display from Firefox and Chrome, but it will be a fake website. There is a fix for Firefox, but apparently, there is no fix for Chrome, and I assume that goes for Chromium as well.

https://www.wordfence.com/blog/2017/...code-phishing/

Last edited by amphibious; 19th April 2017 at 03:17 PM.
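
Added example, not part of the thread or the linked article: the spoofing described in the post above is the internationalized-domain-name case, where a name registered in `xn--` (Punycode) form is displayed with Unicode letters that look like ASCII ones. The Python code below shows a defender-side check that decodes such labels and flags names whose ASCII look-alike form collides with a watched domain; `CONFUSABLE`, `PROTECTED` and the `.example` hosts are constructed for illustration, and the look-alike table is deliberately partial.

```python
import unicodedata

# Constructed, deliberately partial map of Cyrillic letters that render like ASCII.
CONFUSABLE = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
              "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x",
              "\u0443": "y"}
PROTECTED = {"pay.example"}  # constructed watch list of names worth defending

def to_unicode(host):
    """Decode every xn-- (Punycode) label; leave undecodable labels as-is."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)

def to_ace(host):
    """Encode non-ASCII labels to xn-- form (used only to build the samples)."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
                    for l in host.split("."))

def scripts(label):
    """Script names (LATIN, CYRILLIC, ...) taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def classify(host):
    uni = to_unicode(host)
    if uni.isascii():
        return "ascii"
    # Map look-alike letters to ASCII and compare against the watch list.
    skeleton = "".join(CONFUSABLE.get(ch, ch) for ch in uni)
    if skeleton in PROTECTED:
        return "lookalike:" + skeleton
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        return "mixed-script"
    return "idn"

# Constructed samples: all-Cyrillic "pay", one Cyrillic letter in "test", plain IDN.
SAMPLES = [to_ace("\u0440\u0430\u0443.example"), to_ace("t\u0435st.example"),
           to_ace("m\u00fcnchen.example"), "pay.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", classify(host))
```

The first sample is the case that matters here: every letter is from one script, so a mixed-script rule alone does not catch it, and only the comparison against the watch list does.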
  #2   (View Single Post)  
Old 19th April 2017
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,794
Default

Per the link -- which must have been updated -- the fix for Chrome is already in their Canary test release, with production rollout expected in the next several days.
  #3   (View Single Post)  
Old 19th April 2017
GarryR GarryR is offline
Real Name: Garry Ricketson
Package Pilot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 144
Default

That is interesting; it seems like they would have made the default setting true, and then the users that need to use would/could change it.
__________________
My best friends are parrots
  #4   (View Single Post)  
Old 20th April 2017
cynwulf cynwulf is offline
Package Pilot
 
Join Date: Mar 2014
Posts: 198
Default

Quote:
Originally Posted by GarryR View Post
That is interesting; it seems like they would have made the default setting true, and then the users that need to use would/could change it.
If you refer to Firefox, then unfortunately that doesn't seem to be how things work. Many useful UI options have been removed over the years (e.g. javascript "master off switch") and now have to be configured via "about:config" or have vanished altogether - plus the defaults are not always in the end users' best interests in terms of privacy and security. The Google spyware and geo-location is on by default, for example.
  #5   (View Single Post)  
Old 20th April 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 344
Default

Quote:
Many useful UI options have been removed over the years (e.g. javascript "master off switch")
A lot of Websites (especially WebApps) today are based on Javascript, and disabling Javascript renders these Websites broken and unusable. For some sites there are just small scripts written in Javascript, but for some others a major component is a Javascript-based program which communicates with a service using the HTTP(S) protocol and exchanges data in JSON format.
A lot of Mozilla Firefox users are not IT professionals and don't know what Javascript is, but they want to use them. These users would blame not themselves, but Mozilla for broken Websites.
It is rather understandable why Mozilla has hidden this switch.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase

Last edited by e1-531g; 20th April 2017 at 09:43 AM.
  #6   (View Single Post)  
Old 20th April 2017
Maxnix Maxnix is offline
Port Guard
 
Join Date: Feb 2016
Posts: 23
Default

Quote:
Originally Posted by e1-531g View Post
A lot of Mozilla Firefox users are not IT professionals and don't know what Javascript is, but they want to use them. These users would blame not themselves, but Mozilla for broken Websites.
It is rather understandable why Mozilla has hidden this switch.
No, this could be a good reason for having javascript on by default, but not for removing from the user interface a switch to turn javascript off entirely for those who don't want it.
__________________
The world doesn't live off jam and fancy perfumes - it lives off bread and meat and potatoes. Nothing changes. All the big fancy stuff is sloppy stuff that crashes. I don't need dancing baloney - I need stuff that works. -- Theo de Raadt
  #7   (View Single Post)  
Old 20th April 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 344
Default

Quote:
Originally Posted by Maxnix View Post
No, this could be a good reason for having javascript on by default, but not for removing from the user interface a switch to turn javascript off entirely for those who don't want it.
I think that anybody who understands what he is doing by disabling Javascript can find out about the "about:config" settings page or at least be informed enough to install the NoScript extension.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase