Ask HN: What's to prevent someone from spoofing a website?

4 points by EGreg a day ago

I just got an email from Backblaze about resetting my credentials, because they detected they were not secure enough. And I thought -- why can't the entire thing be done from a website with a very similar unicode character somewhere in there, such as a or the Russian "B"?

The entire website can be cloned (or just that one page).

But they'll just ask you to enter your existing password, before changing it.

Many people would fall for it. They see the green lock, the https://secure.Backblaze.com or whatever. And then what?

Sites can mitigate this by sending a "magic link" to your email to authorize any important actions, like a password change. That way they won't be able to make use of "what you know", without also getting into your email ("what you have").

But instead, many sites ask you to confirm it on your authenticator app by entering a number on the site. The problem with this is that the attacker can just proxy this while having you on the line with some real-time social engineering and enter the number themselves.

How much protection is there, really, against this? I ended up copying the link, deleting the domain and typing it myself just in case.
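The lookalike-domain concern in this post (a Cyrillic letter standing in for a Latin one) is something a defender can check for mechanically. The following is an added example, not code from the post or from Backblaze: it shows what a browser sees (the punycode `xn--` form), flags labels that mix scripts, and folds a small, constructed subset of confusable characters back to Latin to ask whether a hostname is imitating a domain you trust. The `CONFUSABLES` table, `analyze_hostname`, `skeleton` and `lookalike_of` are all assumptions made up for this example; the Unicode confusables data is much larger than the handful shown.

```python
import unicodedata
from typing import Iterable, Optional

# Constructed lookalike map: a few Cyrillic letters that render like Latin ones.
# Illustrative subset only, not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041e": "O",
}


def script_of(ch: str) -> str:
    """Coarse script bucket derived from the Unicode character name."""
    if not ch.isalpha():
        return "Common"          # digits, hyphens, dots
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.title()
    return "Other"


def analyze_hostname(host: str) -> dict:
    """Describe a hostname the way a cautious browser would: its ASCII (punycode)
    form, whether it is an IDN at all, and which labels mix scripts."""
    host = host.rstrip(".")
    labels = host.split(".")
    ascii_form = host.encode("idna").decode("ascii")   # non-ASCII labels become xn--...
    per_label = [{script_of(c) for c in label} - {"Common"} for label in labels]
    return {
        "ascii": ascii_form,
        "is_idn": any(ord(c) > 127 for c in host),
        "mixed_script_labels": [labels[i] for i, s in enumerate(per_label) if len(s) > 1],
    }


def skeleton(host: str) -> str:
    """Fold the known lookalikes to their Latin counterpart and lowercase."""
    return "".join(CONFUSABLES.get(c, c) for c in host).lower()


def lookalike_of(host: str, trusted_domains: Iterable[str]) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if nothing was
    substituted (genuine host) or the folded name matches no trusted domain."""
    host = host.rstrip(".").lower()
    folded = skeleton(host)
    if folded == host:
        return None                     # no confusable characters present
    for domain in trusted_domains:
        if folded == domain or folded.endswith("." + domain):
            return domain
    return None


if __name__ == "__main__":
    # Constructed sample: the second host has a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for h in ("secure.backblaze.com", "secure.b\u0430ckblaze.com"):
        print(h, analyze_hostname(h), lookalike_of(h, ["backblaze.com"]))
```

The `is_idn` and mixed-script signals are what browsers use to decide whether to show the `xn--` form instead of the Unicode glyphs; the skeleton comparison is the stronger check, because a single-script all-Cyrillic label can also be a lookalike. Both are heuristics: the safe procedure remains what the post describes, typing the domain yourself.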

atYevP 17 hours ago

Yev from Backblaze here -> Interestingly, we thought about this kind of thing. That's partially why we left the link "naked" instead of hyperlinking text and added alternative instructions underneath it for the password reset to give security-minded folks a way to take the action without clicking anything.

Kudos to you for thinking about this stuff!

  • woofcat 2 hours ago

    Goofy question, I also got this email and am trying to go through the process. However, no emails ever make it to my inbox.

    Is Backblaze getting flooded with these requests? I'm also a bit confused at the decision here. :)

stop50 21 hours ago

My protections:

1. Firefox with the following addons:
   1.1 idn safe
   1.2 ublock origin
   1.3 cookieblock
   1.4 ublacklist with domains that scam you or are trash.
2. A verifying DNS resolver; DNSSEC is enabled in my "critical" domains, so those domains will get errors if someone tries to give me wrong answers.

toomuchtodo a day ago

Passkeys, as they are tied to the domain (relying party ID).
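Why the domain binding defeats the real-time proxy described earlier in the thread is easiest to see in the relying party's verification steps. The following is an added example, not code from the thread or from any passkey library: it builds constructed WebAuthn-style `authenticatorData` and `clientDataJSON` blobs, applies a simplified version of the browser rule that a page may only request credentials whose RP ID is its own host or a parent domain (real browsers also consult the public suffix list, which is omitted here), and then runs the server-side origin and `rpIdHash` checks. The domain names, `browser_allows_rp_id`, `make_auth_data`, `make_client_data` and `verify_assertion_binding` are all assumptions made up for this example; the lookalike host is derived from a Cyrillic 'а' so that it is a genuine `xn--` name rather than a guessed one.

```python
import hashlib
import json
from typing import Set, Tuple

# Constructed placeholder domains for the simulation (not real infrastructure).
GENUINE_RP_ID = "backblaze.com"
GENUINE_ORIGIN = "https://secure.backblaze.com"
LOOKALIKE_HOST = "b\u0430ckblaze.com".encode("idna").decode("ascii")  # Cyrillic 'а' -> xn--... form
LOOKALIKE_ORIGIN = "https://" + LOOKALIKE_HOST
CHALLENGE = "c0nstructed-challenge"   # constructed; a real server issues a random one per ceremony


def browser_allows_rp_id(origin_host: str, rp_id: str) -> bool:
    """Simplified browser-side rule: the requested RP ID must equal the page's host
    or be a parent domain of it. (Public-suffix-list refinement omitted.)"""
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


def make_auth_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4).
    rpIdHash is SHA-256 of the RP ID the authenticator was asked for."""
    flags = 0x01 if user_present else 0x00
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON; the browser, not the page, fills in 'origin'."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_assertion_binding(auth_data: bytes, client_data_json: bytes,
                             expected_rp_id: str,
                             allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Relying-party checks that tie an assertion to the genuine site. The signature
    over authData || SHA-256(clientDataJSON) is assumed to be checked separately."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} not in allowed set"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode("ascii")).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"


def genuine_login() -> Tuple[bytes, bytes]:
    """Page on the real host asks for a credential scoped to backblaze.com."""
    host = GENUINE_ORIGIN[len("https://"):]
    assert browser_allows_rp_id(host, GENUINE_RP_ID)
    return make_auth_data(GENUINE_RP_ID), make_client_data(GENUINE_ORIGIN, CHALLENGE)


def proxied_login_through_lookalike() -> Tuple[bytes, bytes]:
    """A lookalike page that relays the real site's challenge still cannot ask the
    browser for a backblaze.com credential: the browser only permits an RP ID
    matching the page's own host, and stamps that page's origin into clientData."""
    rp_id = GENUINE_RP_ID if browser_allows_rp_id(LOOKALIKE_HOST, GENUINE_RP_ID) else LOOKALIKE_HOST
    return make_auth_data(rp_id), make_client_data(LOOKALIKE_ORIGIN, CHALLENGE)


if __name__ == "__main__":
    allowed = {GENUINE_ORIGIN}
    print("genuine:", verify_assertion_binding(*genuine_login(), GENUINE_RP_ID, allowed))
    print("relayed:", verify_assertion_binding(*proxied_login_through_lookalike(), GENUINE_RP_ID, allowed))
```

Contrast this with the authenticator-app flow from the post: a six-digit code carries no information about which site the user was looking at, so a relay can forward it unchanged. Here the origin check and the `rpIdHash` check fail independently, and because the authenticator's signature covers both blobs, the relay cannot repair either one without invalidating the signature.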