On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy wrote:
> I'd argue that domain registrars, CAs, and hosting services _should_ have an
> obligation to deny services to obvious phishing domains. [1] (This is
> independent of what (if any) obligations they might currently have.)
> Phishing continues to be epidemic. It is not enough that some user agents
> attempt to prevent users from following suspected phishing links.
>
> How this obligation should be implemented is an involved question that I'm
> not prepared to address. The first step, though, is establishing the
> principle that registrars, CAs, and hosting services are not mere pipe
> utilities with no obligations to prevent obvious malefactors from injecting
> sewage into them.
>
> -R
>
> [1] No, electric utilities, etc., should not also be obligated to deny them
> electricity, etc. This would require an impractical (and privacy-invading)
> level of investigation. An electric-utility customer does not submit a list
> of domain(s) to the electric utility to obtain service. A phisher _does_
> submit such a list to its registrar, CA, and host.

It's possible that the host does not know anything related to the DNS name, for instance because it rents virtual machines and assigns them an IP address. The registrar might be hosting the DNS. You could also argue that the TLDs should be responsible for it.

Kurt