On Wed, 15 Jul 2009, Andrew Sullivan wrote:
>
> Just because I know how to avoid going to phishing and malware sites
> does not mean it is within the competence of the average user.

A better way for ISPs to address that problem is to run an intercepting
web proxy that traps connections to infested web servers. The proxy can
then intercept HTTP requests to malware-carrying URLs. (The UK's IWF
blacklist is often implemented this way.) The intercept can be made
specific to particular ports so it doesn't affect non-web protocols. It is
consistent with what RFC 4084 calls "firewalled internet connectivity".

Even better would be for users to upgrade to a browser that implements its
own safe browsing checks, and which has a decent user interface when DNS
lookups fail. It's probably cheaper for ISPs to provide a local download
site for a supported web browser than to implement a lying DNS resolver.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
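
The two-stage intercept described in the message above, next to a lying resolver, as an added sketch that is not part of the original post. Hostnames, addresses, the blocklist entry and both function names are constructed for illustration. The resolver model assumes it can only answer per hostname, since a DNS query carries no port or URL path.

```python
from urllib.parse import urlsplit

# Constructed sample data: documentation address ranges and example domains.
BLOCKED_URLS = {("shared-host.example", "/bad/installer.exe")}
HOST_ADDRS = {"shared-host.example": "192.0.2.10",
              "clean.example": "198.51.100.7"}
INTERCEPT_PORTS = {80}  # only web traffic is diverted to the proxy

# Stage 1 table: addresses of servers that host at least one listed URL.
SUSPECT_ADDRS = {HOST_ADDRS[host] for host, _ in BLOCKED_URLS}


def proxy_decision(dst_ip, dst_port, url=""):
    """Return 'direct', 'proxied' or 'blocked' for one outbound connection."""
    # Stage 1: divert only listed servers, and only on the intercepted ports.
    if dst_ip not in SUSPECT_ADDRS or dst_port not in INTERCEPT_PORTS:
        return "direct"
    # Stage 2: inside the proxy, refuse only the exact listed URL.
    parts = urlsplit(url)
    if (parts.hostname, parts.path) in BLOCKED_URLS:
        return "blocked"
    return "proxied"


def lying_resolver_decision(hostname):
    """A resolver sees only the name, so the whole host is in or out."""
    blocked_hosts = {host for host, _ in BLOCKED_URLS}
    return "nxdomain" if hostname.lower() in blocked_hosts else "resolved"


if __name__ == "__main__":
    ip = HOST_ADDRS["shared-host.example"]
    print(proxy_decision(ip, 80, "http://shared-host.example/bad/installer.exe"))
    print(proxy_decision(ip, 80, "http://shared-host.example/index.html"))
    print(proxy_decision(ip, 25))  # mail to the same server is untouched
    print(lying_resolver_decision("shared-host.example"))  # every service lost
```
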
