Security issues continue to startle this year; from the Equifax hack on down to new and effective fake tech support scams targeting individuals, recent events have demonstrated that the Internet is still the wild west when it comes to reliable security.
This week I learned of a new and exciting development: a Johns Hopkins University researcher way back last year published a blog entry with a proof-of-concept web page that can fool the SSL security system into issuing a green padlock for a fake Apple.com web page. When it was originally published, most web browsers would fall for it; at this writing Apple's Safari and Chrome have both been updated -- but the current version of Firefox still falls for it to this day, more than 14 months after this dangerous hack was publicly demonstrated. To see if your browser falls for it, click here; this is a legit proof-of-concept and is not dangerous.
As the original article says: "This is a serious vulnerability that can even fool those who are extremely mindful of phishing." I will add to that: the fact that Mozilla Firefox has still not been updated is shameful. The linked article contains instructions on how you can manually change Firefox's settings to detect this particular hack.
Not to pile on Firefox -- I really want to like the world's most popular non-profit-based web browser, really I do -- but for many, many, many years now, Firefox has offered to store web site passwords in a VERY insecure manner: I can show my clients (who still use Firefox) how in 5 clicks I can have a list of all those passwords on-screen in clear text, without knowing ANY password. That this goes on to this day in Firefox is shameful. Between these two glaring flaws, I find that I can no longer recommend Firefox, and will be recommending that my clients migrate away from that browser.
In my work serving individuals and very small organizations, I have noted a recent (2nd half 2018) rise in the activity levels of bad actors: from robocalls to browser locks to malicious banner ads and back again, I've had multiple clients lose money, and many more lose time and a sense of control of their computers, to these kinds of threats. On Macs and PCs alike, browser search sites are being redirected, and ad injectors and key loggers are being installed; people are being told to buy "gift cards" to use as payment to unlock their computer screens.
For the sake of clarity, let me just say this to everyone about that -- it seems necessary in light of recent events:
NO legitimate actors will EVER lock up your screen and tell you to call a phone number to get out of it. Nobody from any reputable company will call you up out of the blue to tell you that there is an urgent security issue: Not Apple, not Microsoft, not Google, not Yahoo, not even the IRS. If you get such a call it is a SCAM. If you get pop-ups "warning" you on your computer to call such a number, it is a SCAM.
Be safe out there, friends.