With two recent vulnerabilities making headlines this month, notably CVE-2019-14899, which impacts VPNs running on Linux distros, and Atlassian’s zero-day flaw concerning a leak of private keys, reported by SwiftOnSecurity, it should no longer be a surprise that encryption merely breeds a feeling of security rather than guaranteeing it.
Between Hollywood flicks dropping buzzwords like encryption, VPN and private keys, and vendors who must convince the public in order to hype up product sales, the message that ultimately gets communicated, inadvertently or deliberately, consists of half-baked, distorted assumptions. For example, “if I’m on a public hotspot, flicking the one switch of my VPN equates to total security,” or something along those lines, captures the general mindset of a non-savvy user. Likewise, one popular myth is “if a webpage has a padlock icon, that implies it’s secure.” In reality, the page could very well be a phishing setup made to look and feel secure by a hacker using a free SSL certificate (Let’s Encrypt).
Then there is the other side of the issue: legitimate websites whose names sound like ‘phishing’ domains, yet which are actually being used today by mainstream banks and companies. Just another day, when I was rescheduling my flight, the Virgin Atlantic representative transferred me to a “secure form” to collect credit card…