Replied in thread

@FransVeldman :

Hopefully *most* people have had enough of tech-solutionism by now (I certainly have).

PS: below is a (just taken) screenshot of a fake Google Play Store - complete with a certificate issued by "Google Trust Services" (go figure).

Addendum 12:22: you shouldn't trust everything you read on the internet (the pictures below are real, but liars say that about their pictures, websites and apps too). Under "Certificate Transparency" you can view the certificates issued for the fake site, among other places, here: crt.sh/?q=google-ivi.com - as soon as that server is reachable again (it's down at the moment). Alternatively, you can see the latest certificate at virustotal.com/gui/domain/play. NB: VirusTotal is a subsidiary of Google, and the fake site is now hiding behind Cloudflare's CDN servers.

@GrijzeBeamerNL @miekeroth

Replied in thread

@bob_zim : apart from the fact that online age verification can be easily bypassed, I expect online authentication (proving your identity as known by your government) to lead to massive amounts of identity fraud.

Reliable authentication necessitates that the VERIFIER is trustworthy. If not, they can impersonate you to a third party, using the digital proof that you provided.

Suppose you prefer watching sex with elderly women, and google "milf sex".

And suppose google comes up with rollatorbabes dot com. You go there and they demand that you prove you're old enough by submitting your electronic ID - and perhaps also a selfie "to prevent fraud". This may happen:

You <-> RollatorBabes <-> Visa

RollatorBabes forwards all auth details, except your home address (RollatorBabes changes that) to Visa - in order for them to obtain a credit card - showing your name.

To prevent this, the first thing you need to know is WHO the verifier is. Not who they say they are, but reliably verified by a third party who deserves YOUR trust. So you can sue RollatorBabes if they fsck you.

Do you trust THEM, shown below?

See also infosec.exchange/@ErikvanStrat.

@nazokiyoubinbou @evacide
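The relay described in this post (You <-> RollatorBabes <-> Visa) only works because the proof the user hands over says nothing about whom it was meant for. The following is an added example, not code from the thread or from any eID scheme: it models the exchange in Python, with an HMAC over a demo key standing in for the wallet's real digital signature, and shows that a signature alone stops the verifier from altering claims but not from forwarding an intact proof, whereas binding the proof to the verifier's identity (an `aud` field) makes the relay fail. All names (`rollatorbabes.example`, `visa.example`, the claims) are constructed.

```python
"""Audience-bound identity proofs versus the You <-> RollatorBabes <-> Visa relay.

Added example, not code from the thread. HMAC with a demo key stands in for the
real digital signature an eID wallet would produce; every name and value is
constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed demo key; a real wallet holds a private signing key instead.
DEMO_SIGNING_KEY = b"demo-key-not-a-real-secret"


def issue_proof(claims: dict, audience: Optional[str], nonce: str) -> dict:
    """The user's wallet signs the claims together with the intended verifier (aud).

    audience=None models a protocol that does not bind the proof to a verifier.
    """
    body = {"claims": claims, "aud": audience, "nonce": nonce}
    message = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(DEMO_SIGNING_KEY, message, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_proof(proof: dict, expected_audience: str, expected_nonce: str,
                 require_audience: bool = True) -> Tuple[bool, str]:
    """A relying party (e.g. Visa) checks signature, freshness and, if the protocol
    binds proofs, that the proof was meant for this relying party."""
    message = json.dumps(proof["body"], sort_keys=True).encode()
    expected_tag = hmac.new(DEMO_SIGNING_KEY, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, proof["tag"]):
        return False, "signature invalid"          # altered claims are caught here
    body = proof["body"]
    if body["nonce"] != expected_nonce:
        return False, "nonce mismatch"             # replay of an old proof is caught here
    if require_audience and body["aud"] != expected_audience:
        return False, "audience mismatch"          # relay via another party is caught here
    return True, "ok"


def relay_attack(bind_audience: bool) -> Tuple[bool, str]:
    """Simulate RollatorBabes forwarding the user's proof to Visa.

    Returns Visa's verdict on the relayed proof: (True, "ok") means the relay
    succeeded and Visa accepted the user's identity from the wrong party.
    """
    claims = {"name": "J. Doe", "over_18": True}   # constructed identity claims
    visa = "visa.example"
    rollatorbabes = "rollatorbabes.example"

    # 1. Visa challenges "J. Doe" (really RollatorBabes) with a fresh nonce.
    visa_nonce = secrets.token_hex(8)
    # 2. RollatorBabes relays that nonce to the user as its own "age check" challenge.
    # 3. The wallet answers. With audience binding it records the site the user is
    #    actually talking to; without it the proof is usable towards anyone.
    proof = issue_proof(claims, rollatorbabes if bind_audience else None, visa_nonce)
    # 4. RollatorBabes forwards the proof unchanged to Visa.
    return verify_proof(proof, expected_audience=visa, expected_nonce=visa_nonce,
                        require_audience=bind_audience)


if __name__ == "__main__":
    print("unbound proof, relayed to Visa:", relay_attack(bind_audience=False))
    print("audience-bound proof, relayed:", relay_attack(bind_audience=True))
```

The nonce does not help against the relay, because RollatorBabes simply passes Visa's nonce through to the user. Only the `aud` field, filled in by the wallet with the identity of the party the user is really talking to, lets Visa notice that the proof was never meant for it; which is exactly why the user first needs a reliable way to learn who the verifier is.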

Replied in thread

@vwbusguy : non-ACME certs suck big time.

However, now the internet has turned into a malicious phishing mess.

People can no longer determine who is responsible for a website, and nobody cares.

Google hosted fake websites (using ACME certs from Let's Encrypt) on their cloud servers called:
• cancel-google[.]com
• adsupport-google[.]com
• helpdesk-google[.]com

See (Dutch) infosec.exchange/@ErikvanStrat.

Google also doesn't give a fsck about HSTS, see infosec.exchange/@ErikvanStrat.

Worse, last year a phishing site with a domain name containing "google" was proxied by Cloudflare - and had a "GOOGLE TRUST SERVICES" DV certificate.

Did I mention that browsers suck and that Big Tech, making Big Money, is knowingly complicit in cybercrime?

And did I mention that certificates were not invented to please admins?
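The earlier post in this thread points to Certificate Transparency (crt.sh/?q=google-ivi.com) as the place to look up which certificates were issued for a suspect name, and this post lists lookalike domains such as cancel-google[.]com that carried Let's Encrypt certificates. As an added example, not code from the thread, the Python below reads records in the shape crt.sh returns for `?q=<name>&output=json` (field names `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after` are taken from that endpoint; the record values are constructed), pulls the issuing organisation out of the issuer DN, splits the newline-separated SAN list, and reports every name that contains the brand string but is not under a domain the brand actually owns. The set of legitimate suffixes is an assumption you supply.

```python
"""Review Certificate Transparency records for brand-lookalike names.

Added example, not code from the thread. Record fields follow the crt.sh JSON
output; the three records below are constructed and only reuse domain names
mentioned in the thread (google-ivi.com, cancel-google.com).
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample in crt.sh JSON shape (issuer CNs are placeholders).
SAMPLE_CT_JSON = """[
  {"issuer_name": "C=US, O=Google Trust Services, CN=demo-intermediate-1",
   "common_name": "google-ivi.com",
   "name_value": "google-ivi.com\\nwww.google-ivi.com",
   "not_before": "2025-01-10T08:00:00", "not_after": "2025-04-10T08:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=demo-intermediate-2",
   "common_name": "cancel-google.com",
   "name_value": "cancel-google.com",
   "not_before": "2025-02-01T12:00:00", "not_after": "2025-05-02T12:00:00"},
  {"issuer_name": "C=US, O=Google Trust Services, CN=demo-intermediate-3",
   "common_name": "play.google.com",
   "name_value": "play.google.com",
   "not_before": "2025-01-20T00:00:00", "not_after": "2025-04-20T00:00:00"}
]"""


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of an issuer DN like 'C=US, O=Example CA, CN=X'."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name  # no O= present: fall back to the raw DN


def parse_ct_records(text: str) -> List[Dict]:
    """Load crt.sh-style JSON; name_value carries all SANs separated by newlines."""
    records = []
    for entry in json.loads(text):
        names = sorted({n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()})
        records.append({
            "issuer": issuer_org(entry["issuer_name"]),
            "names": names,
            "not_before": entry["not_before"],
            "not_after": entry["not_after"],
        })
    return records


def is_lookalike(name: str, brand: str, legit_suffixes: Iterable[str]) -> bool:
    """True when the name contains the brand string but sits outside the brand's own domains."""
    host = name.lstrip("*.")          # treat a wildcard SAN by its base name
    for suffix in legit_suffixes:
        if host == suffix or host.endswith("." + suffix):
            return False              # genuinely under a brand-owned domain
    return brand in host


def lookalike_report(records: List[Dict], brand: str,
                     legit_suffixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Sorted, de-duplicated (name, issuing organisation) pairs for lookalike SANs."""
    legit = tuple(legit_suffixes)
    found = set()
    for rec in records:
        for name in rec["names"]:
            if is_lookalike(name, brand, legit):
                found.add((name, rec["issuer"]))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_ct_records(SAMPLE_CT_JSON)
    # Assumed list of domains the brand really owns; extend it for your own review.
    for name, issuer in lookalike_report(recs, "google", ("google.com",)):
        print(f"{name:<25} issued by {issuer}")
```

Run against a live crt.sh export the same function lists, per lookalike name, which CA issued the certificate, which is the information the thread uses to point out that both "Google Trust Services" and Let's Encrypt have issued DV certificates for names built around "google". A name landing in the report is not proof of phishing, only a certificate worth a second look.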
