On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
[snip]
I guess I wasn't specific enough. I am looking for a good study that
supports the proposition that the Internet community has (1) made a
concerted effort to ensure that there is only one authentic domain per
entity (or, at most, per entity-service, e.g, retail brokerage
services); and (2) has made a concerted effort to educate users to use
only that domain; and (3) that those steps have failed to significantly
reduce the successful phishing rate of the users that steps (1) and (2)
targeted.
Was it intentional to presume that (1) is correct or desirable? It’s
unclear if you believe it is, but if it isn’t (and for many reasons, it
isn’t), then naturally one might assume (2) and (3) don’t exist.
Yes, I do believe that (1) is desirable. It has a long history in the
context of brand identity (e.g., "Coke" in red and white script), where
virtually all consumers use it to identify authentic products and reject
counterfeits. Entities also vigorously promote and protect their brand
identities via trademarks and related litigation, and authorities even
sometimes investigate and prosecute counterfeiters.
Basically, many internet-based entities appear to have brought phishing
upon themselves by failing to extend the above to their internet
presences. Instead, they've trained their users to accept as authentic
any domain that has a passing resemblance to their rat's-nest of
legitimate domains.
-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
