Nope, this isn’t the HTTPS-validated Stripe website you think it is

For a decade, some security professionals have held out extended validation certificates as an innovation in website authentication because they require the person applying for the credential to undergo legal vetting. That’s a step up from less stringent domain validation that requires applicants to merely demonstrate control over the site’s Internet name. Now, a researcher has shown how EV certificates can be used to trick people into trusting scam sites, particularly when targets are using Apple’s Safari browser.

Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page https://stripe.ian.sh/. When viewed in the address bar, the page looks eerily similar to https://stripe.com/, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.

The demonstration is concerning because many security professionals counsel end users to look for EV certificates when trying to tell if a site such as https://www.paypal.com is an authentic Web property rather than a fly-by-night look-alike page that’s out to steal passwords. But as Carroll’s page shows, EV certs can also be used to trick end users into thinking a page has connections to a trusted service or business when in fact no such connection exists. The false impression can be especially convincing when end users use Apple’s Safari browser because it often strips out the domain name in the address bar, leaving only the name of the legal entity that obtained the EV certificate.

“With enough mouse clicks, you may be able to open a system certificate viewer or get your browser to show you the city and state,” Carroll wrote. “But neither of these are helpful to a typical user, and they will likely just blindly trust the bright green indicator.”

Carroll’s demonstration comes three months after researcher James Burton exposed a different way EV certificates can be used to trick end users. He established a business named “Identity Verified” and showed how the resulting EV certificate might be used to add an air of authenticity to a scam site. Both Carroll and Burton said little effort was necessary to create the legal entities. Carroll said the demo cost $177: $100 in incorporation expenses and $77 for the certificate.

The demonstrations are generating productive discussions among developers about the way EV certificates should be treated in browser user interfaces. Security professionals are also openly discussing whether certificate rules should be modified to prevent these types of cases.

For the time being, people should remember that EV certificates aren’t automatically a panacea for online fraud. In some cases, certificates could make an otherwise obvious scam site seem legitimate. When in doubt, end users should carefully inspect the certificate and ensure it was issued to the operator of the trusted site.
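One way to turn that advice into a repeatable check, as an added example that is not part of the original article: compare every identity-bearing subject field of a presented EV certificate, plus the hostname, against a pinned record instead of trusting the organization name alone. The subject strings, serial numbers and state values are constructed sample data, and `parse_subject`, `check_ev_identity` and `name_collision` are hypothetical helper names.

```python
# Added example. Every subject string, serial number and state is constructed.
IDENTITY_FIELDS = ("O", "serialNumber", "jurisdictionST", "jurisdictionC", "ST", "C")

def parse_subject(dn):
    """Parse a comma-separated subject string into a dict, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in parts)}

def check_ev_identity(hostname, subject_dn, pinned):
    """Return the reasons the presented EV subject does not match the pinned record."""
    subject = parse_subject(subject_dn)
    problems = []
    base = pinned["hostname"]
    if hostname != base and not hostname.endswith("." + base):
        problems.append(f"hostname {hostname} is not under {base}")
    for field in IDENTITY_FIELDS:
        want, got = pinned["subject"].get(field), subject.get(field)
        if want != got:
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    return problems

def name_collision(subject_dn, pinned):
    """True when the organization name matches the pin but the legal entity differs."""
    subject = parse_subject(subject_dn)
    same_name = subject.get("O") == pinned["subject"]["O"]
    return same_name and any(
        subject.get(f) != pinned["subject"].get(f) for f in IDENTITY_FIELDS)

# Constructed pin and certificates: same organization name, different registrations.
PINNED = {"hostname": "stripe.com", "subject": {
    "O": "Stripe, Inc.", "serialNumber": "0000001", "jurisdictionST": "State-A",
    "jurisdictionC": "US", "ST": "State-B", "C": "US"}}
GENUINE = r"CN=stripe.com,O=Stripe\, Inc.,ST=State-B,C=US,serialNumber=0000001,jurisdictionST=State-A,jurisdictionC=US"
LOOKALIKE = r"CN=stripe.ian.sh,O=Stripe\, Inc.,ST=State-C,C=US,serialNumber=0000002,jurisdictionST=State-C,jurisdictionC=US"

if __name__ == "__main__":
    for host, dn in (("stripe.com", GENUINE), ("stripe.ian.sh", LOOKALIKE)):
        print(host, name_collision(dn, PINNED), check_ev_identity(host, dn, PINNED))
```

The look-alike passes a name-only comparison but fails on registration number, jurisdiction, state and hostname, which are the fields a browser indicator that shows only the legal entity name leaves out.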

Nvidia Corporation Stock Isn’t Bulletproof, But It Might Be Close

Nvidia Corporation (NASDAQ:NVDA) stock continues to soar. On Friday, NVDA’s stock price cleared $200 for the first time. Nvidia shares have nearly doubled just since early May, adding roughly $57 billion in market cap in the process. With NVDA earnings on tap for next week, there’s the potential for more gains.


Some level of optimism makes sense. Nvidia’s opportunities in gaming and automotive suggest years of revenue and profit growth. Last month, James Brumley highlighted the company’s edge in artificial intelligence as well. With chip stocks showing significant strength (even long-stagnant Intel Corporation (NASDAQ:INTC) has gotten in on the act of late), NVDA news seems to be nothing but good.

 

And yet, valuation and competition questions persist, as I argued a few weeks ago. Of course, NVDA has gained more than 10% since that article, as the stock continues to make a fool of anyone who questions it. At some point, however, the bull run has to come to an end, right?

Are NVDA Earnings a Trap?

InvestorPlace columnist Bret Kenwell asked on Thursday if the post-earnings plunge at Advanced Micro Devices, Inc. (NASDAQ:AMD) might suggest a similar pullback for Nvidia stock after NVDA earnings on November 9. It’s a question worth asking.

NVDA did fall 2%+ on Wednesday in sympathy with AMD, which fell double digits after weak guidance for Q4. And there’s some reason to be concerned about Nvidia stock after reviewing the AMD report.

For one, AMD guided for “some leveling off,” as CEO Dr. Lisa Su put it on the Q3 conference call, of cryptocurrency mining demand. That demand has benefited GPU sales for both AMD and Nvidia, a tailwind that might be moderating. Secondly, AMD’s GPU business had a record quarter in Q3, which might suggest that its Radeon cards are taking share from market leader NVDA.

But there was one piece of good news for Nvidia (and AMD) on the Q3 call. Su cited “significantly improved” selling prices for GPUs as a driver of that company’s record sales. That suggests both that the category is growing and that AMD isn’t yet trying to significantly undercut Nvidia on price.

That’s important. One of the most attractive features of Nvidia’s business model is its exceptional margin profile. And one of the key concerns raised by AMD’s improved competitive position in gaming — far and away the most important business for Nvidia, at least at the moment — was of a potential pricing war, or at least pricing pressure. Without that headwind, there’s less reason to see a profit miss for Nvidia in Q3 earnings, and less reason to predict a post-earnings pullback.

How Much More Upside Is Left for Nvidia Stock?

All told, the quick bounce back in NVDA stock on Thursday and Friday makes some sense. But from a long-term standpoint, the valuation here still looks dicey. The Nvidia stock price today suggests a forward multiple of about 48x, even backing out the $6 per share or so in net cash on the balance sheet.


Steve Wozniak isn’t getting iPhone X on launch day

Technically Incorrect offers a slightly twisted take on the tech that’s taken over our lives.



Can it be that the world will be deprived of one of the great Apple traditions?

It seems that on every launch day, the company’s co-founder Steve Wozniak is at an Apple store to add his characteristic bonhomie to the affair, often on his Segway.

On Nov. 3, however, he says he won’t be there.

As CNBC reports, Woz spent Monday at the Money 20/20 conference in Las Vegas.

There, he declared of the iPhone X launch: “I’d rather wait and watch that one. I’m happy with my iPhone 8 — which is the same as the iPhone 7, which is the same as the iPhone 6, to me.”

That feels a little like criticism, doesn’t it?

Many might agree with his assessment that these three phones resemble each other rather closely. But the X is supposed to be, in Apple’s words, “the smartphone of the future.”

Why would Woz want to miss out on that? He didn’t seem to fully explain.

“For some reason, the iPhone X is going to be the first iPhone I didn’t — on day one — upgrade to,” he said. Some reason? What reason?

Oddly, he revealed his wife will be upgrading immediately, “so I’ll be close enough to see it.”

The wry might speculate that Woz was merely offering entertainment with his pronouncement.

Still, earlier this year he insisted that though iPhones are expensive — and the 256GB version of the iPhone X will set you back $1,149 — they’re “a safe bet.”

Is this bet not safe enough because of, say, Face ID, which some believe is a security risk?

On the other hand, he also said earlier this year that Apple wouldn’t bring forth the next great tech moonshot. That would be Tesla.

Is he concerned, then, that the iPhone X isn’t all that? Well, it certainly isn’t all screen.

The Apple faithful might not be able to cope with a Woz who’s lost the faith. We’ll see what happens by the time Nov. 3 comes along.


Apple reportedly isn’t producing enough iPhone X units for first weekend sales


According to a new report from KGI Securities analyst Ming-Chi Kuo, Apple is still facing supply chain constraints for the upcoming iPhone X. The company will have around 2 to 3 million units before the launch on November 3rd, which shouldn’t be enough to meet demand.

While Apple didn’t disclose exact numbers for first-weekend sales last year, the company sold 13 million iPhone 6s units during the first weekend, 10 million iPhone 6 units and 9 million iPhone 5s/5c units. The iPhone 8 is already available, which could mitigate demand for the iPhone X, but it sounds like many buyers will be disappointed by Apple’s initial stock.

In many ways, the iPhone X packs more innovative components than your average new iPhone. Apple usually adds cutting-edge components when its suppliers can produce tens of millions of them. But multiple parts of the iPhone X are generating supply chain issues.

According to KGI Securities, Apple now uses a flexible printed circuit board for the antenna. This is not your average circuit board, so Apple has had issues finding suppliers that can produce those components at scale. Murata was supposed to be the main supplier for this part, but it sounds like the company can’t meet Apple’s strong requirements. Since then, Apple has found a new supplier, which created some delays.

On the camera front, Apple is using a different circuit board for each sensor. Other phone makers only use one circuit board. This custom design has also been a challenge.

Finally, the iPhone X features a ton of sensors on the front of the device. Apple has packed a tiny Kinect in the notch of the device. One component in particular projects a network of infrared dots to create a 3D map of your face based on the reflection of those dots. Apple has had issues finding a supplier that can produce enough dot projectors for the iPhone X.

iPhone X pre-orders start on Friday, October 27th at midnight Pacific time. If you plan on getting the new phone, you shouldn’t delay your pre-order. Chances are that shipping estimations are going to slip to multiple weeks after just a few minutes.

Production should ramp up in the coming weeks, but it sounds like it could take months before you can just walk into an Apple store and buy a new iPhone X. It’s going to be interesting to hear Tim Cook’s comments on those supply chain issues when Apple announces its quarterly earnings in a couple of weeks.