Weekly Update 138

Presently sponsored by: Twilio: Learn what regulations like PSD2 mean for your business, and how Twilio can help you achieve secure, compliant transactions

After a mammoth 30-hour door-to-door journey, I’m back in the USA! It’s Minnesota this week and I’ve just wrapped up a couple of days of Hack Yourself First workshop followed by the opening keynote at NDC followed by PubConf. All great events but combined with the burden of travel, all a bit tiring too (plus, it turns out that emails don’t stop coming in when you’re busy…) There’s a real crypto theme to this week’s update courtesy of some of the contents in my keynote, a really ridiculous article on PC Mag I came across and a lovely meeting with a few of the folks from Let’s Encrypt. There’s also a follow-up to the video I promised to include in this blog post…

After recording this piece, I went and checked what had changed on that PC Mag article about certs. As expected, it turns out it was just promotional content on Sectigo, specifically changing the name from Comodo and also changing some of the content. Here’s a diff of the archive.org version from earlier this month versus today:

card kg-image-card“>

card kg-image-card“>

Gotta keep that “good reputation”! Still in the PC Mag article:

1. “you’re probably best off clicking away from [sites using DV certs] as fast as you can”
2. “most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar”
3. “You usually get what you pay for”

To be clear too: archive.org shows a few edits of that article in October and November last year then nothing until the 6th of May which is the day I tweeted this:

How on earth did @PCMag manage to publish a piece on certificate authorities and only focus on the paid ones without a single mention of @letsencrypt? Can you comment on this @gleefulmischief? To conclude that "You usually get what you pay for" is grossly misleading. https://t.co/9IpPvdHheO

— Troy Hunt (@troyhunt) May 6, 2019

You can see why this sort of thing is so frustrating to folks like Scott and I; imagine what it’s like for people actually trying to figure out what certificate they should acquire! Anyway, all that and more in this week’s update:

References

1. I’m doing another Hack Yourself First workshop in New York next week (we’ve still got tickets available for that one, kicks off on Monday!)
2. PC Mag did an absolute hatchet piece on certificates full of disinformation and clearly motivated by commercial desires (I’ve linked to my tweet as the ensuing discussion makes for “entertaining” reading)
3. Some people remain insistent on arguing about Let’s Encrypt’s success to the fullest extent possible (but they’re easily debunked arguments, which brings me to the next point…)
4. Let’s Encrypt certs are now used by 38% of the Alexa Top 1M sites serving content over HTTPS (that’s based on Scott’s nightly crawler stats)
5. There’s some real upsides to having phishing sites served over HTTPS (that’s Scott’s piece from Jan last year)
6. Varonis is sponsoring my blog this week (they’re talking about insider threats again, courtesy of the course I made for them ?)

Troy Hunt’s Blog