On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote:
> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> [snip]
>> Some other changes that might help reduce phishing are:
>> 1. Site owners should avoid using multiple domains, because using them
>> habituates users to the idea that there are several valid domains for a given
>> entity. Once users have that idea, phishers are most of the way to success.
>> Some of the biggest names in, e.g., brokerage services are offenders on this
>> front.
>
> [PW] Companies like Google own so many domains and sub-domains that it’s
> difficult to stay ahead of them. I think this is an unrealistic expectation. So
> if other browser vendors have the same opinion, they should look inward.

It is not unrealistic to expect, e.g., Blahblah Investments, SIPC, to
use only "www.blahblahinvestments.com" for everything related to its
retail investment services. It *is* unreasonable to habituate users to
bad practices.

>> 2. Site owners should not use URL-shortening services, for the same reason as
>> (1).
>
> Site owners using shortened URLs isn’t the problem in my opinion. Even if
> shortened URLs went away, phishing wouldn’t stop. Unless you have research that
> provides more insight?

Where did I say that phishing would "stop" if URL shortening services
disappeared? I said avoiding them would be helpful, since it would
reinforce the idea that there is one correct domain per entity, or at
least per entity service. Probably all the entity services should be
subdomains of the one correct domain, but alas it will take a sustained
security campaign and a decade to make a dent in that problem.

>> 3. Site owners should not use QR codes, since fake ones are perfect for
>> phishing.
>
> Same as above. You don’t need to mask URLs to have a successful phishing
> campaign.

No, you don't "need" to do it. It is, however, a very useful weapon in
phishers' quivers.

> sɑlesforce[.com] is available for purchase right now.

I was going to suggest banning non-Latin-glyph domains, since they are
yet another useful phishing weapon. FF converts all such domains into
Punycode when typed or pasted into the address bar, though the
conversion is displayed below the address bar, not in it. So your
example becomes "http://xn--slesforce-51d.com/".

>> 4. Browser publishers should petition ICANN to revoke most of the gTLDs it has
>> approved, since they provide fertile ground for phishing.
>
> Petitioning them won’t work. gTLDs are here to stay, even if we dislike them.
> Also, most phishing sites use .com and other well known TLDs. I’m not saying
> gTLDs aren’t used; they are. But they’re not needed.

Of course they're not "needed" for phishing. They are, however, useful
for phishing.

> So, bringing it back to Mozilla. I’d still love to see recent research/data to
> back up Mozilla’s decision to remove identity UI in Firefox. By promoting the
> padlock without education about phishing, browser vendors are actually making
> the web more dangerous.

I also would like to see more research.

-R
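The Punycode conversion discussed in this message (sɑlesforce.com becoming xn--slesforce-51d.com) can be reproduced, and the homograph checked for, with a small script. This is an added example for this page, not code from the thread, from Mozilla or from Firefox. It assumes a hand-picked confusable table constructed for illustration rather than the Unicode UTS #39 data, and its script test is a heuristic on Unicode character names, not Firefox's IDN display algorithm:

```python
"""Hostname homograph checks: A-label (xn--) conversion plus two flags.

Added example for the dev-security-policy thread, not code from the list,
Mozilla or Firefox.  CONFUSABLES is a small constructed subset, not the
full UTS #39 confusables data; scripts() is a character-name heuristic.
"""
import unicodedata

# Constructed subset of visually confusable code points -> ASCII look-alike.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (the example in the thread)
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
}


def to_ascii(hostname):
    """Replace every non-ASCII label with its xn-- A-label, the form used
    for DNS and shown as Punycode by the browser.  Uses the raw Punycode
    codec (RFC 3492) with no IDNA mapping step, so the name is lowercased
    first; labels that are already ASCII (including xn--) pass through."""
    out = []
    for label in hostname.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts(label):
    """Heuristic script set for a label: the first word of each letter's
    Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(hostname):
    """Fold confusable characters to their ASCII look-alikes so that two
    visually identical names compare equal."""
    folded = unicodedata.normalize("NFKC", hostname.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(hostname, protected):
    """Classify a hostname against a list of protected brand domains.

    Returns the A-label form, whether any label is non-ASCII, whether any
    label mixes scripts, and which protected domain (if any) it is
    confusable with after skeleton folding."""
    labels = hostname.lower().split(".")
    result = {
        "ascii": to_ascii(hostname),
        "non_ascii": not hostname.isascii(),
        "mixed_script": any(len(scripts(label)) > 1 for label in labels),
        "confusable_with": None,
    }
    target = skeleton(hostname)
    for brand in protected:
        if target == skeleton(brand) and hostname.lower() != brand.lower():
            result["confusable_with"] = brand
            break
    return result


if __name__ == "__main__":
    PROTECTED = ["salesforce.com", "paypal.com"]  # constructed watch list
    for host in ["s\u0251lesforce.com", "p\u0430ypal.com", "salesforce.com"]:
        print(host, analyze(host, PROTECTED))
```

Note that the thread's example is a single-script label: U+0251 is LATIN SMALL LETTER ALPHA, so a mixed-script test alone does not flag sɑlesforce.com, while a Cyrillic-а paypal.com is caught by both tests. The skeleton comparison against a brand list is what catches the Latin-alpha case.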
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy