Broken Web

Introduction to web SSL certificates

Last year I wrote about how I used Letsencrypt to handle the SSL certificates for this site. In this entry I’m going to take a step back and discuss the basics of what an SSL certificate is and the steps involved in managing them. There’s a lot of jargon involved, which can make this seem more complicated than it already is. Note that in this post I’m likely to use the words “SSL” and “TLS” interchangeably.

Phishing and Certificate Transparency

Many people are at significant risk of a phishing attack. In this scenario the person may receive an email that looks like it came from a legitimate source (e.g. their bank) and encourages them to click a link that presents them with their bank login page. The user then attempts to log in… Except that site isn’t their banking site. It’s a mockup that looks like the real one. And they’ve now told their banking password to the attacker.

How does the web still work?

I hit a web page which, naturally, refused to work properly. So I looked at the NoScript report. This one page was pulling in scripts from (hand-typed so maybe tpyos): adobedtm.com, cdna-assets.com, chartbeat.com, cloudfront.net, criteo.com, disqus.com, disquscdn.com, doubleclick.net, dunhilltraveldeals.com, effectivemeasure.net, facebook.com, gigya.com, google.com, googlesyndication.com, googletagservices.com, imrworldwide.com, inksinmedia.com, krxd.net, mediavoice.com, mmcdn.us, ooyala.com, optimizely.com, outbrain.com, parsly.com, quantserve.com, qubitproducts.com, revsci.net, scorecardresearch.com, skimresources.com, visualrevenue.com, whistleout.com. Boggle!