On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
New tools such as Modlishka now automate phishing attacks, making it virtually impossible for any browser or security solution to detect, bypassing 2FA. Google has admitted that it’s unable to detect these phishing scams, as they use a phishing domain but, instead of a fake website, they use the legitimate website to steal credentials, including 2FA. This is why Google banned its users from signing into its own websites via mobile apps with a WebView. If Google can prevent these attacks, Mozilla can’t.
I understand that Modlishka emplaces the phishing site as a MITM. This is yet another reason for browser publishers to help train their users to use only authentic domain names, and also to up their game on detecting and banning phishing domains. I don't think it says much about the value, or lack thereof, of EV certs. As has been cited repeatedly in this thread, most phishing sites don't even bother to use SSL, indicating that most users who can be phished aren't verifying the correct domain.
-R

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
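An added illustration of the reply's point, not code from either message: because a relay of the kind described serves the genuine site's pages under an attacker-controlled hostname, the hostname the browser actually connected to is the one thing the relay cannot copy, so that is what a user or a browser-side check has to verify. The allowlisted domains and brand token below are constructed placeholders.

```python
"""
Hostname allowlist check against relay-style phishing.

A reverse-proxy phishing relay forwards the real login page, real TLS
content and real 2FA prompts, so page content proves nothing; only the
hostname in the address bar differs. This check models "use only
authentic domain names": exact match or a label-boundary subdomain of
a known-good domain, with brand-name lookalikes flagged separately.
Added example; the domains and brand token are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user actually trusts for login.
AUTHENTIC_DOMAINS = {"accounts.example.com", "example.com"}
# Constructed brand token used to spot lookalike hostnames.
BRAND_TOKENS = {"example"}


def normalize_host(url: str) -> str:
    """Extract the hostname, lowercase it, drop a trailing dot, and
    convert any Unicode labels to punycode so lookalikes are visible."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an unencodable label as-is; it will not match anyway
    return host


def is_authentic(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one.
    The "." prefix enforces a label boundary, so example.com.evil.test
    and notexample.com do not pass."""
    return any(host == d or host.endswith("." + d) for d in AUTHENTIC_DOMAINS)


def classify(url: str) -> str:
    """Return 'authentic', 'lookalike' (brand name present but wrong
    domain, the relay case) or 'unrelated'."""
    host = normalize_host(url)
    if is_authentic(host):
        return "authentic"
    labels = host.replace("-", ".").split(".")
    if any(tok in labels for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"
```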