Watch a Dying Business Thrash Desperately

I will go so far as to say that Let’s Encrypt revolutionized the Transport Layer Security (TLS) certificate market. While there were some free sources of certificates, the general rule remained that you had to pay if you wanted to implement a secure connection for your website. Then Let’s Encrypt was released. Now anybody can implement a secure connection for their website for free. On top of that, Let’s Encrypt greatly simplified the process of managing certificates. So it’s no surprise that certificate vendors are feeling the squeeze and responding desperately:

The fact that Let’s Encrypt is now being used to make phishing sites look legit is a total burn for us, and a potential house fire for users who rely on simple cues like the green padlock for assurance. According to certificate reseller The SSL Store, “between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal.’”

Keep in mind that the SSL Store is a provider of those incredibly overpriced certificates, so Let’s Encrypt’s mission isn’t necessarily in their interests. Even still, their post points out that the “vast majority of this issuance has occurred since November — since then Let’s Encrypt has issued nearly 100 ‘PayPal’ certificates per day.” Based on a random sample, SSL Store said, 96.7 percent of these certificates were intended for use on phishing sites.

The reseller added that, while their analysis has focused on fake PayPal sites, the firm’s findings have spotted other SSL phishing fakers, including Bank of America, Apple IDs, and Google.

The SSL Store paints a frightening picture. But the picture requires ignoring two facts.

First, TLS doesn’t verify whether a website is legitimate. TLS verifies that the hostname you’re connecting to matches a name in the certificate presented by the server and that the certificate was issued by a trusted certificate authority. For example, if you connect to https://paypaltotallyascam.com, TLS will verify that the certificate is for paypaltotallyascam.com and that it was issued by a trusted authority. But TLS is not magical: a name match and a trusted issuer say nothing about whether the site behind that name is a scam.

Second, you can’t even pull a certificate from Let’s Encrypt unless you control a registered domain name. So why is Let’s Encrypt getting all of the blame but not the domain registrar that allowed the domain to be registered in the first place? Because domain registrars aren’t a threat to The SSL Store’s business model; Let’s Encrypt is.
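To make the first fact concrete, here is an added example (not code from the original post) that reduces a TLS client’s name check to its two questions and runs it over constructed certificate records; the brand-string check at the end is the kind of separate heuristic The SSL Store applied when counting “PayPal” certificates, and it is not something TLS performs. Issuer labels and domain names in the records are constructed samples.

```python
"""Added example: what TLS name validation does and does not decide.
Certificate records below are constructed, not real certificates."""
from typing import Optional

# Constructed leaf-certificate summaries as a client would see them.
CERTS = {
    "real":  {"sans": ["paypal.com", "www.paypal.com"], "issuer": "Sample Commercial CA"},
    "scam":  {"sans": ["paypaltotallyascam.com", "*.paypaltotallyascam.com"], "issuer": "Sample Free CA"},
    "rogue": {"sans": ["paypal.com"], "issuer": "Untrusted Sample CA"},
}
TRUSTED_ISSUERS = {"Sample Commercial CA", "Sample Free CA"}  # constructed trust store

def dns_id_matches(host: str, dns_id: str) -> bool:
    """Compare one presented DNS name against the host, RFC 6125 style:
    case-insensitive, and a wildcard only as the entire leftmost label
    covering exactly one label (so *.example.com never matches example.com
    or a.b.example.com, and *.com is rejected as too broad)."""
    host, dns_id = host.lower().rstrip("."), dns_id.lower().rstrip(".")
    if not dns_id.startswith("*."):
        return host == dns_id
    suffix = dns_id[2:]
    host_labels = host.split(".")
    if suffix.count(".") < 1 or len(host_labels) < 2 or host_labels[0] == "":
        return False
    return ".".join(host_labels[1:]) == suffix

def tls_validation(host: str, cert: dict, trusted: set) -> bool:
    """Everything the TLS layer decides about a name: does some SAN match the
    host, and did a trusted issuer sign the certificate? Nothing here looks
    at what the name says, so a look-alike domain passes on its own name."""
    return cert["issuer"] in trusted and any(dns_id_matches(host, s) for s in cert["sans"])

BRAND_TOKENS = ("paypal", "bankofamerica", "appleid", "google")

def brand_lookalike(host: str, brand_domains: set) -> Optional[str]:
    """A separate, non-TLS heuristic: flag a hostname that contains a brand
    string but is not the brand's own domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in brand_domains):
        return None
    return next((t for t in BRAND_TOKENS if t in host), None)

if __name__ == "__main__":
    for name, cert in CERTS.items():
        host = cert["sans"][0]
        print(name, host, "TLS ok:", tls_validation(host, cert, TRUSTED_ISSUERS),
              "brand look-alike:", brand_lookalike(host, {"paypal.com"}))
```

The scam record validates cleanly for its own hostname while the rogue record, which claims paypal.com without a trusted issuer, fails: trust is about the issuer and the name match, and only the separate look-alike check notices the “paypal” string.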

This report by The SSL Store is nothing more than the desperate thrashings of a dying business model.

Accidental Gun Deaths Dropped

If you listen to proponents of gun control you’d believe that accidental gun deaths are directly correlated with the number of guns available to the public. Strangely enough, even though gun sales have been at record highs, accidental gun deaths have been falling:

Gun sales are up, and accidental gun injuries are down, according to a report released this month by the National Safety Council.

The NSC’s “Injury Facts -2017 Edition” shows a 17 percent decrease in accidents involving firearms from 2014 to 2015, a period when gun sales soared.

There were 489 unintentional firearms-related fatalities during that time period, the lowest total since record-keeping began in 1903, accounting for less than 1 percent of accident deaths. This decrease, which was the largest percentage decline of any category cited in the NSC’s report, came in a year that saw record-high firearm sales.

I’m sure the proponents of gun control will continue to claim that accidental gun deaths are rising but the truth has never been their forte. Either way, it’s nice to see the number of accidental deaths decreasing. If I were to hazard a guess I’d credit this decrease to improving firearm education.

Department of Justice Drops More Child Pornography Charges

With all of the work the Federal Bureau of Investigation (FBI) went through, including hosting and upgrading a child pornography site, you would think that the Department of Justice (DoJ) would be eager to start nailing suspects to the wall. But the agency has decided to drop yet more charges because it doesn’t want to explain how the FBI caught the suspect:

In Tippens, the government decided to make such a move rather than allow attorneys for the defendant to present still-classified material discovered on WikiLeaks as trial exhibits. In March, during trial, the defense attorneys told the court they wished to present exhibits showing the government’s ability to, as the judge summarized earlier this month, “hack into a computer without leaving any trace that it had been hacked or that an exploit had been placed on it.”

The result is that Tippens “would not be able to determine whether child pornography had been planted or whether security settings had been modified.”

During trial, prosecutors acknowledged that the material the defense wished to present was classified and that the materials therefore should be excluded. Because of that declaration, and the inability to present classified material that may possibly be helpful to the defense, the defense asked the judge to dismiss Counts 1 (receipt of child pornography) and 3 (transportation of child pornography).

This tendency for the DoJ to drop charges because it doesn’t want to reveal any evidence about how the FBI caught the suspects really makes me wonder what the FBI’s exploit actually did. I’m starting to wonder if it was doing something shady (as in shadier than normal for the FBI) that would prevent the evidence from holding up in court because the agency seems to be pulling out all of the stops to keep it secret.