Hachyderm.io

1 post1 participant1 post today

Erik JonkerRapport van AFM over EU Digital Identity Wallet. Ontwikkeling met grote impact, niet alleen op de financiele sector overigens. <a href="https://www.afm.nl/nl-nl/sector/actueel/2025/mrt/nieuwe-digitale-ID" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.afm.nl/nl-nl/sector/actueel/2025/mrt/nieuwe-digitale-ID</a> <a href="https://mastodon.social/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://mastodon.social/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a> <a href="https://mastodon.social/tags/wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wallet</a> <a href="https://mastodon.social/tags/AFM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AFM</a>

Frank HerrmannJust for the record, this is the text that <a href="https://respublicae.eu/@europarl_en" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@europarl_en</a> and <a href="https://respublicae.eu/@EUCouncil" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@EUCouncil</a> have agreed on:<a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@EUCommission</a> <a href="https://social.tchncs.de/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://social.tchncs.de/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://social.tchncs.de/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a> <a href="https://social.tchncs.de/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> <a href="https://social.tchncs.de/tags/unlinkability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#unlinkability</a><a href="https://www.europarl.europa.eu/doceo/document/TC1-COD-2021-0136_EN.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.europarl.europa.eu/doceo/document/TC1-COD-2021-0136_EN.html</a>

Frank HerrmannOne of the most important, if not >the< most important term in the legislative act on the European Digital Identity Wallet is 'unlinkability' and even if the initiators of the original <a href="https://social.tchncs.de/tags/wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wallet</a> concept don't like it, they should endorse it. It’s the law, stupid. <a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@EUCommission</a><a href="https://social.tchncs.de/tags/typo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#typo</a> <a href="https://social.tchncs.de/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://social.tchncs.de/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://social.tchncs.de/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://social.tchncs.de/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a> <a href="https://social.tchncs.de/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> <a href="https://social.tchncs.de/tags/unlinkability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#unlinkability</a><a href="https://eur-lex.europa.eu/eli/reg/2024/1183/oj" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://eur-lex.europa.eu/eli/reg/2024/1183/oj</a>

Erik van Straten"The world is under siege. This is not news. State-sponsored cybercriminals and a growing army of newbies using powerful tools from the dark web are exploiting every weak link in our cybersecurity chains, which is first and foremost our users."Aldus John Gunn in <a href="https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-yet-to-come/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-yet-to-come/</a>.John Gunn heeft gelijk. Het internet is veel te onveilig en niemand die daar iets tegen doet.Terwijl websites steeds anoniemer worden, moet *U* steeds betrouwbaarder authenticeren (<a href="https://www.security.nl/posting/872694/VK+verplicht+vanaf+juli+%27robuuste%27+online+leeftijdsverificatie+voor+pornosites" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/872694/VK+verplicht+vanaf+juli+%27robuuste%27+online+leeftijdsverificatie+voor+pornosites</a>). Aanvankelijk gebruikmakend van hersenloze technieken, zoals het opsturen van een scan van uw paspoort. Alsof degene die zo'n kopie in handen krijgt (op legale of illegale wijze) niet *OOK* kan bewijzen dat zij of hij u is. Echter:BINNENKORT HOEFT ZO'N SCAN NIET MEER!Dan krijgt "iedereen" namelijk "geheel vrijwillig" een elektronisch paspoort op haar of zijn telefoon. Wat zou *DAAR* nou mis mee kunnen gaan?Ik waarschuw er al heel lang voor dat het internet veel te onveilig wordt. Maar dat is tegen dovemansoren, of zo'n artikel wordt simpelweg weggecensureerd. Zélfs als je zo'n artikel met verifieerbare feiten onderbouwt - middels links naar pagina's van VirusTotal (een dochterbedrijf van Google).(Mijn artikel valt overigens nog hier te lezen - voor zolang als dát duurt (Big Tech duldt geen kritiek): <a href="https://archive.is/3UwWn" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://archive.is/3UwWn</a> - zie ook <a href="https://infosec.exchange/@ErikvanStraten/113837934294209517" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113837934294209517</a>). John Gunn gaat verder met:"Multi-Factor Authentication (MFA), once celebrated as an unbreakable defense, is crumbling under the weight of its outdated technology. Phishing attacks, ransomware, and sophisticated exploits are bypassing legacy MFA with astonishing ease."Ook daar waarschuw ik al jááren voor.Fix: <a href="https://www.security.nl/posting/840236/Veilig+inloggen" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/840236/Veilig+inloggen</a> (eigenlijk ben ik gek dat ik nog naar die site verwijs, waar ik al vele jaren -voor nop- aan bijdraag; stank voor dank).Daarin ook "plaatjes" waarin te zien is waarom 2FA/MFA middels SMS of "Authenticator" app geen zier helpt tegen AitM (Attacker in the Middle of MitM: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://en.wikipedia.org/wiki/Man-in-the-middle_attack</a>) aanvallen; u bent kansloos als u alle informatie op een nepwebsite invoert.Hetzelfde risico loopt u straks met uw EDIW - nog een veilige dag gewenst.<a href="https://infosec.exchange/tags/Calimero" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Calimero</a> <a href="https://infosec.exchange/tags/Censuur" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Censuur</a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GoogleIsEvil</a> <a href="https://infosec.exchange/tags/UBentHetProduct" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#UBentHetProduct</a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BigTech</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TOTP</a> <a href="https://infosec.exchange/tags/AuthenticatorApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AuthenticatorApp</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/LeeftijdsVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LeeftijdsVerificatie</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IdentiteitsFraude</a>

Erik JonkerEU's Digital Identity Systems - Reality Check and Techniques for Better Privacy. <a href="https://media.ccc.de/v/38c3-eu-s-digital-identity-systems-reality-check-and-techniques-for-better-privacy#t=0" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://media.ccc.de/v/38c3-eu-s-digital-identity-systems-reality-check-and-techniques-for-better-privacy#t=0</a> <a href="https://mastodon.social/tags/eu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eu</a> <a href="https://mastodon.social/tags/eudiw" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eudiw</a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mastodon.social/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a>

Erik van Straten<a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@patrickcmiller</a> : and the digital passport (or other government-provided eID) will wreak havoc - because fake (AitM) websites will steal the identity of many unsuspecting people.<a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FakeWebsites</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a>

Erik JonkerIf you want to understand what EU digital identity wallet is all about and are not afraid of a bit technical description, the "European Digital Identity Wallet Architecture and Reference Framework" is an excellent and up-to-date resource. <a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md</a> <a href="https://mastodon.social/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EU</a> <a href="https://mastodon.social/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a> <a href="https://mastodon.social/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://mastodon.social/tags/wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wallet</a> <a href="https://mastodon.social/tags/architecture" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#architecture</a>

Erik JonkerImportant step forward with regard to digital wallets. <a href="https://digital-strategy.ec.europa.eu/en/news/commission-adopts-technical-standards-cross-border-european-digital-identity-wallets" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://digital-strategy.ec.europa.eu/en/news/commission-adopts-technical-standards-cross-border-european-digital-identity-wallets</a> <a href="https://mastodon.social/tags/eu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eu</a> <a href="https://mastodon.social/tags/digitalidentity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#digitalidentity</a> <a href="https://mastodon.social/tags/eudiw" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eudiw</a> <a href="https://mastodon.social/tags/wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wallet</a> <a href="https://mastodon.social/tags/standards" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#standards</a>

Erik van Straten<a href="https://mastodon.nl/@yivi_privacybydesign" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@yivi_privacybydesign</a> : betrouwbare online leeftijdsverificatie bestaat niet.Waarom online leeftijdsverificatie onbetrouwbaar en onwenselijk is, herhaalde ik recentelijk in <a href="https://www.security.nl/posting/861643/NSC+en+CU+komen+met+motie+voor+%27privacyvriendelijke+leeftijdsverificatie%27#posting861777" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/861643/NSC+en+CU+komen+met+motie+voor+%27privacyvriendelijke+leeftijdsverificatie%27#posting861777</a>.Ook met Yivi niet, want *niet jij* maar *de verifieerder* bepaalt welke gegevens hij van jou wil. Je hebt twee keuzes: verstrekken wat gevraagd wordt, of het opgeven.Onderstaand plaatje is de huidige stand van een enquête op security.nl.<a href="https://infosec.exchange/tags/OnlineLeeftijdsVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnlineLeeftijdsVerificatie</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/Yivi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yivi</a> <a href="https://infosec.exchange/tags/Irma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Irma</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Privacy</a> <a href="https://infosec.exchange/tags/PrivacyVriendelijk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PrivacyVriendelijk</a> <a href="https://infosec.exchange/tags/NepNietVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NepNietVanEchtKunnenOnderscheiden</a> <a href="https://infosec.exchange/tags/EchtNietVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EchtNietVanNepKunnenOnderscheiden</a>

Erik van Straten<a href="https://chaos.social/@necrosis" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@necrosis</a> : hat Nancy die Liste mit alle Europäischen Bürger-Identifikationsnummer schon bekommen?Daß wäre 'nen Datenleck...<a href="https://infosec.exchange/tags/VerzeiheDuitseSpelFouten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VerzeiheDuitseSpelFouten</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/NichtNurVideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NichtNurVideoIdent</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a>

Erik van StratenHoe de Politiehack precies heeft plaatsgevonden, weet ik niet.Wel weet ik dat veel "experts"hun kop in het zand steken of mij zelfs voor gek verklaren als ik schrijf dat:1) Het opzet is dat mensen op internet nep niet van echt kunnen onderscheiden (<a href="https://security.nl/posting/859906/Speculatie_over_Politie-hack" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/859906/Speculatie_over_Politie-hack</a>), en dat daar *dringend* iets aan gedaan moet worden;2) Zij aanraden om zwakke MFA (<a href="https://security.nl/posting/859561/MFA-2FA_is_als_peniciline" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/859561/MFA-2FA_is_als_peniciline</a>) te gebruiken in plaats van een wachtwoordmanager die op domeinnamen checkt;3) Onder hen er *zelfs* zijn die stellen dat we, op *dit* internet, EDIW veilig zouden kunnen gebruiken (reactie op een posting van Ivo Jansch, één van de architecten van EDIW: <a href="https://tweakers.net/nieuws/204138/#r_18249704" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://tweakers.net/nieuws/204138/#r_18249704</a>). Welliswaar met de opmerking dat er alternatieven moeten blijven bestaan (die er nu ook niet meer zijn voor communicatie met de overheid of met uw bank).Zie ook <a href="https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/827137/Kopie-ID-Kap-Ermee#posting833162</a>, bovenaan die pagina en <a href="https://www.security.nl/posting/833217/Internet-toenemende_impersonatie" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/833217/Internet-toenemende_impersonatie</a>.<a href="https://infosec.exchange/tags/Politiehack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Politiehack</a> <a href="https://infosec.exchange/tags/Politie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Politie</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/ZwakkeMFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ZwakkeMFA</a> <a href="https://infosec.exchange/tags/Zwakke2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Zwakke2FA</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/Certificaten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificaten</a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LetsEncrypt</a> <a href="https://infosec.exchange/tags/LetsAuthenticateTheWebsiteFirst" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LetsAuthenticateTheWebsiteFirst</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EvilProxy</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/EC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EC</a> <a href="https://infosec.exchange/tags/KopieID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KopieID</a> <a href="https://infosec.exchange/tags/KopietjePaspoort" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KopietjePaspoort</a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VideoIdent</a> (Bron van onderstaand plaatje: <a href="https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.maxvandaag.nl/sessies/themas/media-cultuur/waarom-steken-we-ons-hoofd-in-het-zand-als-het-lastig-wordt/</a>)

Erik van Straten<a href="https://infosec.exchange/@tasket" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@tasket</a> : thank you for a friendlier response.Unfortunately letting organizations know that they should do a better job is pointless (I tried - a lot).And educating people, in an attempt to let everyone become a digital forensic expert (<a href="https://framapiaf.org/@pmevzek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@pmevzek</a> : who knows what a CNAME is and uses 'dig' all the time), is going to fail as well.Phishing is a gigantic and increasing problem - leading to enormous financial losses by organizations and individuals. It enables cybercriminals to penetrate networks of organizations and their cloud accounts. It is followed up by more BEC based phishing, the exfiltration of confidential data, encryption of files, databases and backups, and the demand for ransoms. Since some will pay anyway it has become a booming business. Big tech and domain name parking guys make big bucks.In Europe soon we'll have EDIW (aka EUDIW, European Digital Identity Wallet) where one creates a digital copy of their passport on their smartphone - making "strong" online authentication of citizens possible.To order booze online or visit a pornsite people will have to prove they're old enough (which will not work because it's easy to evade).However, such authentication is going to be a lot weaker than predicted. Worse, it will fail miserably because citizens will be phished into authenticating on *fake* websites. Those websites will act as AitM's (Attacker in the Middle) to *authentic* websites, posing as the citizen.Authentication mandates a trustworthy verifier. The first step to find out whether a verifier is trustworthy, is to know *who exactly* they are. A domain name simply does not suffice.It is insane to demand from people that they use increasingly stonger authentication, while the reliability of the authentication of verifiers decreases every day.P.S. I was writing a much longer toot with additional examples, but pressed a wrong button or so and lost the text. I'll reproduce the examples if you'd like me to.<a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DomainNames</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WeakAuthentication</a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnlineAuthentication</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/OnlineAuthenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnlineAuthenticatie</a>

Erik van Straten<a href="https://retro.pizza/@textualdeviance" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@textualdeviance</a> wrote, among other things:« Sudden revolutions come with obscenely high body counts of innocent civilians. »That is not necessarily true, in for example the following cases:🔸 <a href="https://en.wikipedia.org/wiki/Velvet_Revolution" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://en.wikipedia.org/wiki/Velvet_Revolution</a>🔸 A revolution that STOPS killing must take place <a href="https://infosec.exchange/tags/NOW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NOW</a>. The anihilation of Palestinians is simply unacceptable, in particular because western countries condone, support or even encourage it. At some point the governments of the USA, NL and others must stop following orders from their Zionist sponsors, in order to not make them EVEN MORE complicit to genocide.🔸 Personally I'm "fighting" for a safer internet; fixing tech does not have to involve bloodshed at all (although big tech and leeches like <a href="https://safer.io/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://safer.io/</a> will lose income). Such as:• By insisting on a system where internet users can distinguish betwee fake and authentic websites (see <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113079966331873386</a>);• By providing strong arguments why "Chatcontrol" (governments scanning every smartphone looking for Child Sexual Abuse Material - and what not) will not protect a single child - on the contrary (<a href="https://infosec.exchange/@ErikvanStraten/113075518670257012" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113075518670257012</a>; chatcontrol is *not* just a privacy risk);• By warning for passkeys (<a href="https://infosec.exchange/@ErikvanStraten/113058944497262936" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113058944497262936</a>) and suggesting better alternatives;• By warning for risks such as when unlocking the screen of an iPhone/iPad with a PIN (<a href="https://infosec.exchange/@ErikvanStraten/113053761440539290" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113053761440539290</a>);• By warning for security measures that are easily bypassed, such as 2FA/MFA (using SMS, voice, or TOTP "Authenticator" apps including Microsoft's using "number matching");• Et cetera.<a href="https://infosec.exchange/@0xabad1dea" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@0xabad1dea</a> <a href="https://infosec.exchange/tags/AIPAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AIPAC</a> <a href="https://infosec.exchange/tags/CIDI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CIDI</a> <a href="https://infosec.exchange/tags/Gaza" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gaza</a> <a href="https://infosec.exchange/tags/Westbank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Westbank</a> <a href="https://infosec.exchange/tags/EthnicCleansing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EthnicCleansing</a> <a href="https://infosec.exchange/tags/Genocide" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Genocide</a> <a href="https://infosec.exchange/tags/Palestinians" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Palestinians</a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BigTech</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fake</a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Real</a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentic</a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impostors</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberCrime</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ChatControl</a> <a href="https://infosec.exchange/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CSS</a> <a href="https://infosec.exchange/tags/CSAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CSAM</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NumberMatching</a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhaaS</a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Evilginx2</a> <a href="https://infosec.exchange/tags/HSTS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HSTS</a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#httpvshttps</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passcode</a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPhone</a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPad</a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Android</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPadOS</a>

Erik van Straten🟡 INTRODUCTION/BACKGROUND It has become *way too easy* and cheap, to anonymously (or lying about identity) register a domain name, hire or hack a server and obtain a valid DV (Domain Validated) server certificate.Furthermore, possibly *stimulated* by the fact that most servers now use DV-certificates, (web) browsers have made it increasingly hard for internet users to view certificate details, without providing any alternatives for those users to distinguish between misleading fake and real (authentic) setvers.A steadily increasing number of internet servers is now *anonymous* (it has been *deliberately* made impossible to reliably find out who is responsible), which has lead, and still leads, to huge amounts of unneccesary victims of phishing.This causes enormous financial losses to individuals, companies, governmental and healthcare organizations - while most of that money flows into the pockets of criminals who often operate from regimes that are our enemies. Thereby, indirectly or directly, enriching those regimes (the rest of the stolen money flows into the pockets of hosting-, cloud- and CDN providers, as well as DNS registrars and domain name parking services).Note: a server certificate never directly warants reliability of the owner of a domain name. However, in order to distinguish between fake and real servers or websites, it is essential that users know who is *responsible* and in which country they are established or live. Eventually, if neccessary, to be able to sue them.🟡 From <a href="https://www.theregister.com/2024/09/03/white_house_bgp_security/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.theregister.com/2024/09/03/white_house_bgp_security/</a>: « White House thinks it's time to fix the insecure glue of the internet: Yup, BGP 3 Sep 2024, 22:34 utc - Thomas Claburn [...] "As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report (<a href="https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf</a>) [PDF] says. "Concerns about fundamental vulnerabilities have been expressed for more than 25 years." »🟡 IMO, to not *first* fix WebPKI is plain *stupid* because:➡️ If the *combination* of: 🔸 A *decent* WebPKI {1}, *and* 🔸 Improved browsers {2}, *and* 🔸 User education {3}, *enables* internet users to reliably distinguish between fake and real (authentic) servers, then the necessity for RPKI decreases enormously {4};➡️ Apart from the fact that RPKI is fully hidden for internet users (they *neither* know whether it's used for their current IP-connections, and if that happens to be the case, *nor* how reliable the authentication of the parties involved took place), RPKI does *not* solve a much bigger problem: DNS-hijacks.➡️ A decent WebPKI effectively mitigates the following vulnerabilities (in the order of most to least occuring): 🔸 People not knowing who is responsible for a given (often misleading) domain name; 🔸 DNS hijacks/attacks; 🔸 BGP hijacks; 🔸 AitM's {5} "near" the real server who unrightfully obtain DV-certificates.Edited to add 2024-09-05 21:59 { WebAuthn (as used by FIDO2 hardware keys and by passkeys) *ONLY* protects against the first vulnerability (in people who don't know that a given domain name does not belong to the apparent owner, but instead to an impostor). WebAuthn's phishing-resistance ceases to exist if a fake website obtains any type of certificate. However, while it's extermely easy for an attacker to obtain a DV-certificate, more trustworthy certificates should make that *a lot* harder. }🟡 {1} WHAT IS A DECENT WEBPKI A *decent* WebPKI means that:1️⃣ We must get rid of the current (effectively Google owned) CA/B forum, simply because server certificates exist primarily in the interest of *internet users* (not even represented in the CA/B forum) instead of it's current members: *commercial* cloud providers, browser makers, CA's (Certificate Authorities) and/or CSP's (Certificate Service Providers).2️⃣ The world needs a new, independent, organization that supervises requirements of certificates, CA's and CSP's, as well as all requirements for (web) browsers related to certificates. For easy referencing I'll call it the WPKIF (Web Public Key Infrastructure Forum) in this toot. It is essential that internet users are strongly represented in the WPKIF. The WPKIF must be repeatedly audited by independent auditors (based on clear predefined requirements and/or controls).3️⃣ Each *critical* server {6} *must* use a server certificate that, more or less reliably, uniquely defines the person, people or organization responsible for the server(s) (and content, security etc.) referenced by the server's domain name(s) included in the certificate.4️⃣ The layout of server certificates needs an update to better serve internet users. Most of those users are *not* interested in technical details such as long serial numbers or hexadecimal public key values (such data must remain accessible for experienced users). So some sort of split between technical and *human readable" (not "CN=") information must be made.5️⃣ Each server certificate must also contain a standardized indicator that reveals the *minimum* reliability of the authentication of the person, people or organization responsible for all domain names, and all servers referenced by all domain names (included in the certificate). In short: how certain is it that the owner of a website is who they claim to be.6️⃣ Each server certificate must also contain a reference to a WPKIF website with a standardized indicator that reveals the *reliability* of the least reliable link in the chain starting at the applicable CA and ending with the CSP (including both ends plus intermediate certificates and their owners). In short: how reliable is the information in the certificate, as determined by the WPKIF.7️⃣ The WPKIF must immediately and objectively take action against any CA, intermediate or CSP that violates the rules and requirements as defined by the WPKIF. Such by decreasing their reliability rating upto canceling their right to issue certificates.🟡 {2} Web browsers (and perhaps other clients) must make it a lot easier for users to determine who is responsible for a server or website. IMO, at the very least when an internet user visits a website with a specific domain name *for the first time* (using that browser), *OR* when the server sends a new certificate, the browser should first show full details of the owner of the domain name *before* fetching any content - and let the user decide whether they want to continue and open the website. (Note: I've not given it enough thought how to handle third party websites - where CSS, JavaScript, images and/or analytics stuff is downloaded from).🟡 {3} Internet users need to be educated about the importance of knowing who owns a domain name (and thus server and/or website). Browsers must play a role by offering tutorials. Current "awareness trainings" are simply insufficient (as notably Google found out, see <a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html</a> - more info, in Dutch: <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045136092456532</a>).🟡 {4} RPKI vs WebPKI Increasingly cybercriminals succeed into hijacking cryptocurrency websites, and they may do so by hijacking BGP and subsequently acquiring a DV certificate for their fake server (examples can be found here: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914050216821746</a>). However, BGP hijack attacks are not easy to accomplish and often detected soon. In particular it will be hard for the attackers to obtain *trustworthy* server certificates. 🟡 {5} AitM = Attacker in the Middle. A server in a hosting center may be AitM'ed in the same center without touching the actual server itself and without requiring DNS- or BGP hijacks (because the AitM and the real server are both comnected to an internal network), as for example happened to "jabber.ru" in a German hosting center (see <a href="https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate</a>, full details in <a href="https://notes.valdikss.org.ru/jabber.ru-mitm/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://notes.valdikss.org.ru/jabber.ru-mitm/</a>).🟡 {6} A critical server is one whose *authenticity* and/or *indistinguishability from fake sites* are important upto (thtough) essential for internet users. I don't care if a home NAS uses a DV-cert, but banks, goverments (in particular those that do *not* use a specific domain name ending, such as .gov), insurances, websites showing and/or receiving medical/patient data etc. - any server related to PII or needs to otherwise prove their identity.🟡 MORE INFORMATION 🔸 Let's Encrypt certificates mis-issuances & ocsp ending: <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914047006977222</a>🔸 Untrustworthy HSTS and lack of "https only" in many browsers: <a href="https://infosec.exchange/@ErikvanStraten/113045241408077702" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045241408077702</a>🔸 Why awareness trainings fail (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045136092456532</a>🔸 Why the physical location of an offline service provider (like a bank office or a town hall) is a hugely underestimated authentication factor (in Dutch): <a href="https://security.nl/posting/855557" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855557</a>🔸 Why Google lied when they killed EV certs, and why it's insane to introduce digital identity wallets (eID's) for strong online authentication of people on the current, highly crminalized, internet, with more anonymous servers every day (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113031344934186250</a>🔸 How Google became evil by facilitating cybercrime, renting them hosting services for domain names such as NNoutlook.com, NNNNoutlook.com and ecbeuropa[.]eu, even providing them with server certificates for free: <a href="https://www.virustotal.com/gui/ip-address/35.241.18.84/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.virustotal.com/gui/ip-address/35.241.18.84/relations</a>Internet reliability needs to be restored, and further improved upon, ASAP.<a href="https://infosec.exchange/tags/RPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RPKI</a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebPKI</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.exchange/tags/BGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BGP</a> <a href="https://infosec.exchange/tags/BGPHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BGPHijack</a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNS</a> <a href="https://infosec.exchange/tags/DNSHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNSHijack</a> <a href="https://infosec.exchange/tags/Websites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Websites</a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Real</a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fake</a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentic</a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticity</a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impostors</a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CABForum</a> <a href="https://infosec.exchange/tags/Commercialization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Commercialization</a> <a href="https://infosec.exchange/tags/Independant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Independant</a> <a href="https://infosec.exchange/tags/UserRepresentatives" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#UserRepresentatives</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://infosec.exchange/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebAuthn</a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FIDO2</a> <a href="https://infosec.exchange/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yubikey</a> <a href="https://infosec.exchange/tags/Yubico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yubico</a> <a href="https://infosec.exchange/tags/Titan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Titan</a> <a href="https://infosec.exchange/tags/GoogleTitan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GoogleTitan</a> <a href="https://infosec.exchange/tags/Feitian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Feitian</a>

Erik van StratenPersoneelstrainingen om phishing te herkennen werken slecht en soms averechts, schreef Matt Linton, Chaos Specialist bij Google, afgelopen mei (<a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html</a>).Uit zijn betoog maak ik niet eenduidig op "HOE DAN WEL" - terwijl het notabene Google zelf is die GÉÉN veiliger internet wil (<a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113031344934186250</a>).🔸Mijn "HOE DAN WEL" 🔸 Onder ander in <a href="https://security.nl/posting/855797" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855797</a> (met diverse links naar meer) schreef ik zojuist hoe *ik* denk "HOE DAN WEL".Commentaar (ook onderbouwde kritiek!) stel ik, zoald altijd, zéér op prijs.<a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BigTech</a> <a href="https://infosec.exchange/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Google</a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybercrime</a> <a href="https://infosec.exchange/tags/Internet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Internet</a> <a href="https://infosec.exchange/tags/VeiligerInternet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VeiligerInternet</a> <a href="https://infosec.exchange/tags/InternetVeiliger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InternetVeiliger</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NepVanEchtKunnenOnderscheiden</a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EchtVanNepKunnenOnderscheiden</a>

Sander DijkhuisHow to manage many keys in an identity wallet with high assurance? What started as a question on Cryptography Stack Exchange some months ago is now a 20+ person expert group with a first version 00 spec: <a href="https://datatracker.ietf.org/doc/draft-dijkhuis-cfrg-hdkeys/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://datatracker.ietf.org/doc/draft-dijkhuis-cfrg-hdkeys/</a> <a href="https://mastodon.online/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://mastodon.online/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a>

Erik van Straten<a href="https://social.overheid.nl/@staatssecretarisbzk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@staatssecretarisbzk</a> :Geachte heer Szabó,Wellicht interesseert het u te weten dat de aangekondigde Europese Digitale Identiteit (EDIW/EUDIW) tot (te?) hoge risico's op identiteitsfraude leidt voor doorsnee burgers, alsmede wat daar de oorzaken van zijn.In <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113031344934186250</a> beargumenteer ik dat.Met vriendeljke groet, Erik van Straten<a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://infosec.exchange/tags/Identiteitsfraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Identiteitsfraude</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/EC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EC</a>

Erik van Straten<a href="https://mastodon.nl/@ellent" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@ellent</a> : De Europese digitale identiteit (<a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> aka <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> voor European Digital Identity Wallet) wordt sowieso een ramp (ik probeer deze toot ook begrijpelijk te maken voor minder ter zake kundige lezers).🔸GROEIEND PROBLEEM: PHISHING Phishing wordt een steeds groter probleem - mede doordat veel e-mailaccounts worden gehacked (bekend als BEC, Business Email Compromise) en misbruikt worden voor het verzenden van nepmails (in dat geval zien ontvangers e-mails die *daadwerkelijk* vanaf een door hen vertrouwd e-mailaccount zijn verzonden).In zo'n phishingmail zit vaak een lokkertje (bijvoorbeeld "vraag nu een gratis creditcard aan en ontvang een krediet van 25 Euro") of iets dreigends ("voorkom blokkade van uw bankrekening, verifieer uw bij ons geregistreerde gegevens"). Overigens hoeft phishing niet iets met banken te maken te hebben, het kan ook gaan om aanvragen van toeslagen, het opvragen van medische gegevens, politieke voorkeur, of seksuele interesses gaan (al dan niet gevolgd door afpersing).Met tevens in zo'n mail een link naar een nepwebsite die als twee druppels water op de echte kan lijken, doch met een (meer of minder) afwijkende domeinnaam.Nb. Met een domeinnaam bedoel ik het "webadres" van de server in de link (een link wordt ook URLgenoemd), zoals "bunq.com" of "nos.nl".Bijvoorbeeld (ik heb er een extra punt tussen gezet om onbedoeld openen te voorkómen - dit zijn domeinnamen van *echte* phishing sites die mogelijk nog, of opnieuw, live zijn):• mijn-bunq-omgeving..com • revolut-mobile..com • identificatie-nl..com • santander-verify-device..com • rabo-bank..com🔸AITM Zo'n website, waarop je straks waarschijnlijk met jouw EDIW moet bewijzen wie *jij* bent, kan dan *jouw* gegevens uit EDIW doorsturen naar de echte website, waarbij de aanvallers het door jou opgegeven afleveradres (voor de creditcard) vervangen door dat van henzelf.Nb. In plaats daarvan, of tevens, kan zo'n AitM (Attacker in the Middle) een app van zo'n bank op hun telefoon installeren en koppelen aan het bankaccount van het slachtoffer en daar volledige toegang tot verkrijgen (vaak wordt het slachtoffer vervolgens buitengesloten).🔸IT TAKES TWO TO TANGO Betrouwbare authenticatie vereist niet alleen dat "de klant" (of burger/patiënt) zich niet eenvoudig als een ander kan voordoen, maar *ook* dat de verifieerder dat niet wil en kan. Zie ook [1] en [2] (te vinden onderaan deze toot).Oftewel, om te voorkómen dat er met jouw identiteit gefraudeerd zal worden, moet je de verifiërende partij kunnen vertrouwen.🔸VERTROUWEN STAP 1: WIE IS HET? Zowel "in real life" als online is vertrouwen niet vanzelfsprekend en kan worden beschaamd. Minimaal moet je voldoende zeker weten *wie* de verifiërende partij is, zodat je, zo mogelijk, kunt afgaan op diens reputatie, doch in elk geval de wetenschap dat je iemand, die jou een poot uitdraait, voor de rechter kunt slepen.🔸OORSPRONKELIJKE PLAN EC Om bovengenoemde reden was het plan van de EC (Europese Commissie) dat:1) Elke website waarop je met EDIW kunt authenticeren, een QWAC {1} zou *moeten* (of zou *kunnen*, hetgeen de risico's al flink vergroot) gebruiken, én2) Webbrowsers (zeker mobiele) zouden duidelijk moeten laten zien *wie* verantwoordelijk is voor een website, in plaats van slechts een (potentieel misleidende) domeinnaam in de adresbalk van de browser te tonen.{1} Een QWAC is een digitaal certificaat dat vermeldt wie de verantwoordelijke voor een website is, waarbij de identiteit van de aanvrager zorgvuldig is vastgesteld (zie [3] onderaan deze toot).🔸DÁT GAAN WE DUS NIET DOEN Beide eisen zijn afgewezen door big tech, naar verluidt omdat QWAC's het risico op overheidsspionage zouden vergroten. Dat sluit ik niet voor 100% uit (wel bijna, en zonder QWAC's gebeurt dat sowieso al). De werkelijke reden dat big tech geen QWAC's wil, is echter een geheel andere.🔸KILLED EXTENDED VALIDATION Big tech heeft eerder, met een smoes, *bewust* sterke websiteauthenticatie middels betrouwbaarder (Extended Validation) certificaten de nek omgedraaid. Dat was naar aanleiding van een door Google onderzoekers "ontdekte" kwetsbaarheid dat de tekst, ofwel:    "Stripe, Inc. [US]"    (zie [4], [5])(of zelfs, afhankelijk van de gebruikte browser):    "Stripe, Inc."    (zie [6])in de adresbalk van een browser niet gegarandeerd *uniek* is. Zij toonden aan dat zij een EV-certificaat konden verkrijgen voor een organisatie _in een andere staat_ in de VS met die naam.[4] <a href="https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/</a> [5] <a href="https://scotthelme.co.uk/the-power-to-revoke-lies-with-the-ca/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://scotthelme.co.uk/the-power-to-revoke-lies-with-the-ca/</a> [6] <a href="https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/</a>🔸 *GEEN* FOUT IN EV CERTS Dat is echter geen tekortkoming van EV-certificaten, want die bevatten uitgebreide en wel degelijk uniek identificerende gegevens, waaronder een nauwkeurige locatiebepaling (meer informatie is wat mij betreft overigens zeer wenselijk, zoals een verwijzing naar een online KvK record).🔸BROWSER BUG Het is een *DISPLAY* probleem in browsers. De makers daarvan probeerden, voor mensen begrijpelijke, uniek identificerende gegevens in een te veel te kleine ruimte te proppen.Dat dit een oplosbaar probleem is, bijvoorbeeld door een federale KvK in de US in te stellen, of achter "US" de staat toe te voegen, wilde Google niet weten.Maar sowieso is dat dan veel te weinig informatie voor mensen. Op z'n minst als je een website voor het eerst bezoekt, zouden browsers zo uitgebreid mogelijke authentieke identificerende informatie moeten tonen - voordat er überhaupt content van de site wordt gehaald.🔸ONE SHADE OF GREY Doordat browsers uitsluitend nog een domeinnaam (voor zover die geheel past) tonen (en Chrome tegenwoordig zelfs het hangslotje, ten teken van een geauthenticeerde en versleutelde verbinding, weglaat), zien mensen in hun browser, qua *AUTHENTICITEIT*, geen enkel verschil meer tussen de website van jouw bank, een hobbysite zoals <a href="https://mamablogger.nl" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://mamablogger.nl</a> of één van de nep banksites die ik bovenaan deze toot noemde.🔸WINSTOPTIMALISATIE Het doel van big tech is namelijk dat goedkoop gehoste websites (waar er onvoorstelbaar veel van zijn) er niet *MINDER betrouwbaar* uitzien dan websites van banken, overheden en medische zorgverleners. Hoewel er nog steeds banken zijn die EV-certificaten inzetten, kun je daar niets meer van terugvinden in de meeste mobiele browsers.Bovendien, *als* browsers nog informatie uit certificaten tonen, barst het van de (voor de meeste mensen irrelevante en vaak verwarrende) technische gegevens, waarbij bijv. Chrome voor Android een deel van de, voor mensen essentiële, adresgegevens weglaat.Bijvoorbeeld voor <a href="https://stripe.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://stripe.com</a> toont Chrome onder Android slechts:• Common Name (CN): stripe.com • Organization (0): Stripe, Inc • Certificate Subject Alternative Name:       stripe.com       www.stripe.comTerwijl het certificaat onder meer de volgende informatie bevat (zie <a href="https://crt.sh/?id=14232500466" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://crt.sh/?id=14232500466</a>):• commonName: stripe.com • organizationName: Stripe, Inc • localityName: South San Francisco • stateOrProvinceName: California • countryName: US • businessCategory: Private Organization • jurisdictionStateOrProvinceName: Delaware • jurisdictionCountryName: US • X509v3 Subject Alternative Name:       DNS:stripe.com       DNS:www.stripe.comGoogle *WIL simpelweg niet* dat jij weet om welke "Stripe, Inc" het gaat. In gangbare andere mobiele browsers kun je überhaupt geen gegevens uit certificaten bekijken.🔸BIG TECH STEUNT CYBERCRIME De massaliteit aan goedkope websites levert big tech bakken geld op - met als prijs dat cybercriminelen hier massaal van profiteren (van enige authenticatie van de verantwoordelijken is geheel geen sprake meer). Zie bijv. <a href="https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/</a>; geen enkele partij voelt zich nog verantwoordelijk voor *echtheid* en betrouwbaarheid op internet. Ze claimen geen rechter te willen spelen omdat zij slechts "transporteurs" van informatie zouden zijn.🔸USERS ZIEN TOCH GEEN VERSCHIL Het gevolg hiervan is dat steeds meer *echte* websites niet meer hun best doen (zelfs niet na grootschalige aanvallen op klanten) om zich te onderscheiden van impersonators {2}. Elke internetter "mag" (zou moeten) zelf uitzoeken of een website authentiek en betrouwbaar is, zonder dat hier bruikbare handvatten voor geboden worden. Iedereen wordt verondersteld een soort forensisch expert te zijn om op internet nep van echt te kunnen onderscheiden.{2} Zie bijv. <a href="https://security.nl/posting/768888" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/768888</a> voor de phishing-aanval in 2022 op *klanten van* circleci.com, een door software-ontwikkelaars gebruikte website. Dit jaar opnieuw aangevallen zoals ik beschrijf in <a href="https://security.nl/posting/854997" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/854997</a> (en noem in <a href="https://security.nl/posting/855095" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855095</a>).🔸CLIENTS WEL, SERVERS NIET? Met EDIW moeten burgers, klanten en patiënten straks met hoge mate van zekerheid bewijzen dat zij zijn wie zij claimen te zijn. Hetgeen onzinnig is indien "de andere kant", d.w.z. de verifiërende partij, potentieel onbetrouwbaar is.Het huidige web is simpelweg veel te onveilig om van gebruikers te eisen dat *zij wel* sterk authenticeren, want dat "bewijs" is dan veel zwakker dan gesuggereerd.🔸RISICO'S EN VANGNETTEN Alle risico's hierbij zijn voor "de klant". Probeer maar eens te bewijzen dat niet jij (maar een identiteitsfaudeur) die lening hebt afgesloten of creditcard hebt ontvangen. Identiteitsfraude wordt mogelijk gemaakt door big tech die niet wil dat jij nep van echt kunt onderscheiden.Waarbij Kifid en andere rechters steeds vaker stellen dat de klant, "in juridische zin" (huh?) "grof nalatig" is geweest. De weinige vangnetten die er waren, worden kapotgeknipt.🔸PRIVACY RISKS Wel zullen door EDIW vaker *meer betrouwbare* persoonsgegevens in verkeerde handen vallen, gelekt en/of verhandeld worden; immers "de klant" kan niet meer doelbewust onjuiste gegevens invullen. En zolang er niet strikt gehandhaafd wordt, is het een illusie om te denken dat websites *minder* persoonsgegevens zullen vereisen (overvragen) dan nu het geval is.🔸CONCLUSIE Indien "EDIW'ers" niet op z'n minst, geholpen door een betrouwbare derde partij (de certificaatuitgever), behoorlijk zeker weten *wie* de verifieerder is, kunnen zij eenvoudig misleid worden door nep-verifieerders die zich (als AitM) vervolgens voordoen als "de klant". We hebben dus veiligere (onderscheid makende en meer metadata tonende) browsers en fatsoenlijke certificaten nodig - of we moeten m.i. überhaupt niet aan EDIW beginnen.Disclaimer: ik heb nooit certificaten verkocht en zal dat hoogstwaarschijnlijk nooit doen. Ik probeer slechts op te komen voor online kwetsbare mensen in onze samenleving.Edits 12:39: diverse verduidelijkingen aangebracht en typo's gerepareerd.Edits 12:44: disclamer toegevoegd.[1] <a href="https://www.security.nl/posting/792391/Authenticatie+en+impersonatie" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/792391/Authenticatie+en+impersonatie</a> [2] <a href="https://www.security.nl/posting/833217/Internet%3A+toenemende+impersonatie" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/833217/Internet%3A+toenemende+impersonatie</a> [3] <a href="https://en.wikipedia.org/wiki/Qualified_website_authentication_certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://en.wikipedia.org/wiki/Qualified_website_authentication_certificate</a><a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://infosec.exchange/tags/Internet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Internet</a> <a href="https://infosec.exchange/tags/Authenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticiteit</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/Oplichting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Oplichting</a>

Erik van StratenUit <a href="https://www.vrt.be/vrtnws/nl/2024/08/26/aalter-digitale-klkuis-succes-vlaanderen-uitrol/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.vrt.be/vrtnws/nl/2024/08/26/aalter-digitale-klkuis-succes-vlaanderen-uitrol/</a> (bron = {1}):«Vlaanderen rolt digitale kluis uit die dag en nacht rijbewijzen en reispassen aflevert: "Proefproject in Aalter was succes" »M.i. doodeng. Hoe weet je zeker dat het de *rechtmatige* eigenaar is die afhaalt?Tijdens pilots is de kans op aanvallen klein, om meerdere redenen:• Niet alle (cyber) criminelen hebben er al weet van;• Te kleinschalig (lage winstkans) om de investeringen (onderzoek, opzetten bullet-proof infrastructuur) te rechtvaardigen;• Geduld, laat de pilot vooral slagen; dit gaat straks veel meer winst opleveren.(Alhoewel er altijd snelle jongens tussen kunnen zitten).RISICO'S Een voorzet-touchscreen en ItsMe wordt ItsNotJustMe of ItsNotMeAnymore.Of je krijgt een mes tegen je hals c.q. een pistool tegen je hoofd op het moment dat je zo'n ID "uit de muur trekt".AANVRAGEN WEL AAN DE BALIE? En kun je zo'n ID trouwens al aanvragen middels VideoIdent? (ai ai: AI, AitM en dwang buiten het gemeentehuis).REMOTE IDENTITY PROOFING In hun (Engelstalige) rapport over "Remote Identity Proofing" (dat de risico's van VideoIdent beschrijft), hebben deze "deskundigen" nagelaten (waarom?) om AitM (Attacker in the Middle) aanvallen te benoemen: <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html</a> - een techniek die aan populariteit wint onder online bankrovers.VIDEOIDENT: BUNQ / ICSCARDS STYLE Zij sturen een bericht dat stelt dat de wetgever de bank verplicht om klanten opnieuw te laten authenticeren - middels VideoIdent. Zij vragen het aanstaande slachtoffer om op een nepsite, die als "proxy" fungeert voor de echte site, te "VideoIdenten". Daarmee kunnen de aanvallers het bankaccount van het slachtoffer aan *hun* toestel koppelen, om vervolgens de echte eigenaar te buiten te sluiten.ONLINE ID AANVRAGEN Precies datzelfde gaat gebeuren zodra je online een identiteitsbewijs of rijbewijs kunt aanvragen.SORRY Hoewel er altijd kwakzalvers zijn die anders claimen, *kun* je sommige zaken niet betrouwbaar digitaliseren en/of op afstand regelen, zoals stemmen en identiteitsbewijzen aanvragen/afhalen.RISICO'S EN VANGNETTEN Dram je dat toch door, wie draagt dan de risico's? Welke vangnetten (anders dan psychologische "slachtofferhulp") worden er tegelijkertijd opgetuigd?BESPARING - VOOR WIE Ow wacht, het is een *bezuinigingsmaatregel* die de overheid geld moet besparen (en waar leveranciers van, onder meer valse beloftes, vet aan verdienen - betaald uit door u en door mij afgedragen belastingen).MEER INFO • Nepsites: <a href="https://security.nl/posting/855024" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855024</a>• <a href="https://www.security.nl/posting/827137/Kopie-ID%3A+kap+ermee%21" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/827137/Kopie-ID%3A+kap+ermee%21</a>• <a href="https://www.security.nl/posting/847095/Digitale+gezichtsopname+moet+papieren+pasfoto+voor+paspoort+vervangen#posting847218" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.security.nl/posting/847095/Digitale+gezichtsopname+moet+papieren+pasfoto+voor+paspoort+vervangen#posting847218</a>• Discussie met "denan", betrokken bij Yivi (voorheen IRMA): <a href="https://tweakers.net/nieuws/216792/eu-wijst-drie-pornowebsites-aan-als-zeer-grote-onlineplatforms-onder-dsa.html?showReaction=19454716#r_19454716" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://tweakers.net/nieuws/216792/eu-wijst-drie-pornowebsites-aan-als-zeer-grote-onlineplatforms-onder-dsa.html?showReaction=19454716#r_19454716</a>• Discussie met Ivo Jansch, archtect van <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> aka <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> : <a href="https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html?showReaction=18249704#r_18249704" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html?showReaction=18249704#r_18249704</a>("Anoniem: 1576590": ItWASMe).{1} Bron: een boost door Frank Heijkamp (<a href="https://mastodontech.de/@alterelefant" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@alterelefant</a> ) van <a href="https://bots.defencegeeks.net/@vrtnws/113028170598740687" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://bots.defencegeeks.net/@vrtnws/113028170598740687</a><a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/InLevendenLijve" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InLevendenLijve</a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IdentiteitsFraude</a> <a href="https://infosec.exchange/tags/AuthenticiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AuthenticiteitsFraude</a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VideoIdent</a> <a href="https://infosec.exchange/tags/Online" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Online</a> <a href="https://infosec.exchange/tags/OpAfstand" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpAfstand</a> <a href="https://infosec.exchange/tags/RIDP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RIDP</a> <a href="https://infosec.exchange/tags/RemoteIdentityProofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemoteIdentityProofing</a> <a href="https://infosec.exchange/tags/KatOpHetSpekBinden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KatOpHetSpekBinden</a> <a href="https://infosec.exchange/tags/Geld" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Geld</a> <a href="https://infosec.exchange/tags/Bezuinigingen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Bezuinigingen</a> <a href="https://infosec.exchange/tags/Kortzichtigheid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Kortzichtigheid</a> <a href="https://infosec.exchange/tags/Devaluatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Devaluatie</a> <a href="https://infosec.exchange/tags/DevaluatieVanAuthenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DevaluatieVanAuthenticiteit</a> <a href="https://infosec.exchange/tags/AfwaarderingVanAuthenticiteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AfwaarderingVanAuthenticiteit</a> <a href="https://infosec.exchange/tags/ItsMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsMe</a> <a href="https://infosec.exchange/tags/ItsNotMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsNotMe</a> <a href="https://infosec.exchange/tags/ItsNotJustMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsNotJustMe</a> <a href="https://infosec.exchange/tags/ItWasMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItWasMe</a> <a href="https://infosec.exchange/tags/ItsNotMeAnymore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItsNotMeAnymore</a> <a href="https://infosec.exchange/tags/ItWasNtMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ItWasNtMe</a> <a href="https://infosec.exchange/tags/Risk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Risk</a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Risks</a> <a href="https://infosec.exchange/tags/Risicos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Risicos</a> <a href="https://infosec.exchange/tags/Vangnetten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vangnetten</a> <a href="https://infosec.exchange/tags/Burgers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Burgers</a> <a href="https://infosec.exchange/tags/Slachtoffers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Slachtoffers</a>

Erik van StratenOver het ontbreken van betrouwbare en voor _MENSEN_ bruikbare authenticatie van websites, uit <a href="https://security.nl/posting/855024" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855024</a>:Door Anoniem: { Zo rolt de IT in bedrijven niet meer, tegenwoordig. } Van mij mag dat allemaal. Mits bedrijven en overheden stoppen met van burgers/klanten/patiënten te eisen dat zij wél, om "economische redenen" steeds vaker beperkt tot uitsluitend online, met toenemende betrouwbaarheidseisen (2FA/MFA, passkeys, paspoortscan, VideoIdent, eIDAS, EDIW) authenticeren. En daarbij steeds meer onvervalsbare privacygevoelige gegevens moeten delen met slecht beveiligde servers beheerd door niet gescreende uitzendkrachten.Dat terwijl eisen voor betrouwbare en zinvolle authenticatie aan de serverzijde zijn afgeschaft, steeds meer operationele (bedrijfs-) risico's op klanten/burgers/patiënten persoonlijk worden afgewenteld, evil proxies welig tieren en steeds meer certificaten onterecht worden uitgegeven (wat ooit nog een doodzonde was ten tijde van Diginotar). Waarbij ook nog eens de weinige bestaande vangnetten door Kifid en rechters kapot worden geknipt.En mensen die in phishing trappen stom worden gevonden door anonieme malloten - terwijl commerciële partijen, die websites uit de grond stampen die alle kenmerken van (pensioen) phishing hebben, door diezelfde (? ik kan ze niet van elkaar onderscheiden) anonieme malloten met hand en tand worden verdedigd.<a href="https://infosec.exchange/tags/Risk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Risk</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticatie</a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonatie</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/Certificaten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificaten</a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BigTech</a> <a href="https://infosec.exchange/tags/Kapitalisme" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Kapitalisme</a> <a href="https://infosec.exchange/tags/Vermorzelen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vermorzelen</a> <a href="https://infosec.exchange/tags/Online" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Online</a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybercrime</a> <a href="https://infosec.exchange/tags/Cybercriminaliteit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybercriminaliteit</a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NepVanEchtKunnenOnderscheiden</a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EchtVanNepKunnenOnderscheiden</a> <a href="https://infosec.exchange/tags/NepVersusEcht" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NepVersusEcht</a> <a href="https://infosec.exchange/tags/EchtVersusNep" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EchtVersusNep</a> <a href="https://infosec.exchange/tags/Domeinnamen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Domeinnamen</a> <a href="https://infosec.exchange/tags/Domeinnaam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Domeinnaam</a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VideoIdent</a> <a href="https://infosec.exchange/tags/KopietjePaspoort" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KopietjePaspoort</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#2FA</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/Kifid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Kifid</a> <a href="https://infosec.exchange/tags/Rechters" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Rechters</a>

Recent searches

Search options

Administered by:

Server stats:

#EUDIW