On Thu, Oct 3, 2019 at 3:45 PM Ronald Crane via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote: > > Ronald Crane via dev-security-policy < > dev-security-policy@lists.mozilla.org> writes: > > > >> Please cite the best study you know about on this topic (BTW, I am > *not* snidely > >> implying that there isn't one). > > Sure, gimme a day or two since I'm away at the moment. > > > > Alternatively, there's been such a vast amount of work done on this that > a few > > seconds of googling should find plenty of publications. As the first > search > > text that came to mind, "browser ui phishing" returns just under half a > million > > hits. Making it "browser ui phishing inurl:.pdf" to get just papers > (rather than > > web articles, blog posts, etc) reduces that to 30,000 results. > > I guess I wasn't specific enough. I am looking for a good study that > supports the proposition that the Internet community has (1) made a > concerted effort to ensure that there is only one authentic domain per > entity (or, at most, per entity-service, e.g, retail brokerage > services); and (2) has made a concerted effort to educate users to use > only that domain; and (3) that those steps have failed to significantly > reduce the successful phishing rate of the users that steps (1) and (2) > targeted. Was it intentional to presume that (1) is correct or desirable? It’s unclear if you believe it is, but if it isn’t (and for many reasons, it isn’t), then naturally one might assume (2) and (3) don’t exist. > > -R > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
