On 8/13/2020 1:08 PM, Kurt Roeckx via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 12:43:01PM -0700, Ronald Crane via dev-security-policy
wrote:
I'd argue that domain registrars, CAs, and hosting services _should_ have an
obligation to deny services to obvious phishing domains. [1] (This is
independent of what (if any) obligations they might currently have.)
Phishing continues to be epidemic. It is not enough that some user agents
attempt to prevent users from following suspected phishing links.
How this obligation should be implemented is an involved question that I'm
not prepared to address. The first step, though, is establishing the
principle that registrars, CAs, and hosting services are not mere pipe
utilities with no obligations to prevent obvious malefactors from injecting
sewage into them.
-R
[1] No, electric utilities, etc., should not also be obligated to deny them
electricity, etc. This would require an impractical (and privacy-invading)
level of investigation. An electric-utility customer does not submit a list
of domain(s) to the electric utility to obtain service. A phisher _does_
submit such a list to its registrar, CA, and host.
It's possible that the host does not know the anything related to
the DNS name, for instance because it rents virtual machines and
assigns them an IP address. The registrar might be hosting the
DNS.
This is a good point, as far as it goes. Requirements need to be
practical, and should avoid invading privacy. Registrars (and CAs) are
in excellent positions to impede the use of phishing domains, since they
hand them out (registrars) or issue certificates for them (CAs). As you
point out, VPS hosts would have a more difficult time discerning whether
a given phishing domain is resolving to a VM on their servers. On the
other hand, most hosts maintain their own DNS, so they practically can
(and should) weed out known phishing domains, or at least ones that
their DNS indicates that they also host.
-R
You could also argue that the TLDs should be responsible for it.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy