@robinadams : OTOH, if you click on a search result, Google could also send your browser to a runtime generated webpage, like Google Transate does.

For example, if I enter (I've replaced // by Unicode ⧸⧸ to prevent Mastodon from shortening the URLs and hiding "https://"):

🔗 https:⧸⧸www.security.nl/posting/929685/FCC+verbiedt+verkoop+van+nieuwe+routers+van+buitenlandse+fabrikanten+in+VS

into

🔗 https:⧸⧸translate.google.com/?sl=nl&tl=en&op=websites

the eventual URL turns into:

🔗 https:⧸⧸www-security-nl.translate.goog/posting/929685/FCC+verbiedt+verkoop+van+nieuwe+routers+van+buitenlandse+fabrikanten+in+VS?_x_tr_sl=en&_x_tr_tl=nl&_x_tr_hl=en&_x_tr_pto=wapp

In case of AI manipulation, such a link could read, for example,

🔗 https:⧸⧸www-security-nl.ai.goog/posting/929685/FCC+verbiedt+verkoop+van+nieuwe+routers+van+buitenlandse+fabrikanten+in+VS

Nomalizing this will result in even more people to fall for #phishing (replacing dots by dashes). The only thing reasonably trustworthy, the domain name of a website, becomes even more messy.

Apart from the fact that Google may charge websites for this "service" and/or insert their own ads.

@petealexharris @grammasaurus @SteveRudolfi

#DVsucks #GoogleIsEvil #LetsEncryptIsEvil #TLSisBroken #httpsIsBroken #E2EE #E2EEisBroken #DomainNamesSuck

@robinadams : I hope that it's limited to that (your browser's address bar reads https:⧸⧸google.com).

But space for search results is limited. So my speculation is that if you click the search result in order to open the actual website, you _still_ get to see AI-manipulated content.

Once Chrome reads https:⧸⧸example.com in its address bar while the page shows altered content of said website, this means that Google FULLY destroyed TLS.

Note: "Google Trust Services" (and others) already partially breaks TLS by handing out DV certificates to Cloudflare proxy servers. You DO NOT have an E2EE connection to the actual website, proven by https://todon.nl/@ErikvanStraten/116263229585961944 (Dutch text, tap translate for English).

Summarizing: your browser has an E2EE connection with a Cloudflare server. Cloudflare can always see and manipulate anything you think you exchange with the actual website. They can read your passwords and hijack any of your accounts even if WebAuthn (FIDO2 hardware key or passkey) is used to log in.

Google already broke https years ago - to prevent ISP's from altering ads or inserting fake clicks on ads. Let's Encrypt was never meant to protect YOU. #DVsucks

@petealexharris @grammasaurus @SteveRudolfi

#TLSisBroken #httpsIsBroken #Authenticity #GoogleIsEvil #CloudflareIsEvil #BigTechIsEvil

Voor degenen die nog denken dat Google niet evil is.

(Aanvulling: meer info in https://www.security.nl/posting/912153).

#Phishing #CloudflareIsEvil #GoogleIsEvil #LetsEncryptIsEvil #LetsEncrypt #DVsucks #BrowsersSuck #CyberCrime #InfoSec

🧵7 (laatste) Voorbeelden van de evilness van Cloudflare, o.a. een domeinnaam (websitenaam) die met "paypal-sign-in." begint - gevolgd door "pages.dev".

Dit zijn allemaal sites met zeer korte levensduur. Er komen voortdurend nieuwe bij terwijl oudere worden verlaten of geblokkeerd.

In https://crt.sh/?q=paypal-sign-in.pages.dev ziet u dat zo'n duidelijk voor phishing bestemde domeinnaam bij herhaling certificaten krijgt van "Google Trust Services" en van Let's Encrypt.

Klik op een plaatje om de kleine lettertjes te kunnen lezen. Tip: als je langer op een plaatje drukt kun je voor "open in nieuw venster" kiezen. Dan kun je veel eenvoudiger zoomen en "pannen" (naar een deel scrollen).

#CloudflareIsEvil #GoogleIsEvil #LetsEncryptIsEvil #DVcertsAreEvil #DVcerts #DVcertsArePointless #DVcertsAreWorthless #LetsEncrypt #DVsucks #LetsEncryptSucks

@halvar : #CloudflareIsEvil as well; they make big money from proxying malicious websites.

Example: https://www.bleepingcomputer.com/news/security/fake-inflation-refund-texts-target-new-yorkers-in-new-scam/ mentions a scamsite in a text message (I've replaced some ASCII chars by Unicode to prevent accidental opening):

https:⧸⧸revenue․payvem․cc⧸notice

The RELATIONS tab of https://www.virustotal.com/gui/domain/revenue.payvem.cc/relations reveals 2 Cloudflare IP-addresses:
• 104.21.75.60
• 172.67.214.249

Both IP-addresses proxy mostly the same websites. On both, more than 22% are detected as malicious by at least one anti-malware product.

The left screenshot provides a simplified view of https://www.virustotal.com/gui/ip-address/104.21.75.60/relations - where I've removed all domains with zero detection (which does not mean that they're not malicious).

This result is quite common for most Cloudflare proxy servers (188.114.96.* and 188.114.97.* are a lot worse; see for example https://www.virustotal.com/gui/ip-address/188.114.96.0/relations).

After opening mentioned malicious site, Cloudflare *today* warns for phishing - with the ability to ignore the warning and open the website (this warning already proves that Cloudflare is MitM'ing the connection).

Tapping "Ignore & Proceed" opens the page in the screenshot at the right.

"Google Trust Services" issued the DV certificate to Cloudflare (https://crt.sh/?id=21315266720&opt=ocsp).

@cwebber @ifrik

#Phishing #DV #GoogleIsEvil #BigTechIsEvil #DVsucks