On Thu, Aug 13, 2020 at 10:31 PM Ronald Crane via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > [...] Registrars (and CAs) are > in excellent positions to impede the use of phishing domains, since they > hand them out (registrars) or issue certificates for them (CAs). [...]
Things are rarely this static. The rise of new, efficient strategies usually change how a game is played. Suppose [software] and thus CAs/registrars, really any interested party, could decide the question "Is X a phishing-domain?" with true or false reasonably well. What would be the consequence? I for one am reasonably convinced it is not "no phishing", but instead (this may sound paradoxical at first) ... phishing will be conducted from non-phishing-domains instead. One of the more relevant questions in this regard is what influence to phishing success "more phishy" domain names have over "less phishy" domain names. We can probably assume that most phishing operations do not apply bona fide scientific user testing for phishing success, as well as that deeper psychological studies are not usually a precursor to phishing campaigns. A "natural" starting point for one's first phishing campaign might thus rather be to reproduce the experience of the mimicked site as close as possible, explaining a drive for "more phishy" domains to be used in phishing campaigns (if even). It is not actually a given that "more phishy" domains increase a phishing campaign's success. For example, you may remember hearing from the general direction of Google/Chrome, "People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity.". It also is the case that phishing victims often fall victim to selective attention - i.e. clicking a link in a malicious mail and entering information/credentials/... mostly on autopilot without ever even checking the URL! Detecting phishing domains by "looking at them as strings" may thus be futile, and "blocking obvious phishing domains" may be a not so entertaining but ultimately pointless game of whack a mole for CAs; and that is especially since there is not that much to actually suggest that CAs are the best place to whack moles *to prevent users from being phished* **in their webbrowsers**, which I believe is actually what we are discussing here anyway. Tobi _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy