I thought this was interesting:

http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369

The basic summary: AOL will try to block AOL members' attempts to connect to phishing sites, using a blacklist of suspected phishing sites provided by Cyota <http://www.cyota.com/>.

Some brief comments:

* In theory this approach is not dependent on any browser features, since at a minimum AOL as an ISP could just block connection attempts "in the cloud". However it may be that AOL is planning some special UI in the AOL client to support phishing-specific warning messages. The press release is not clear on whether this feature will work with non-AOL clients connecting through the AOL network.

* This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.

* This approach is obviously analogous to anti-spam blacklists. Whether it will be more effective in practice than anti-spam blacklists is an open question; I can think of points both for and against this. However certainly anything that limits the expected lifetime of a phishing site is a good thing, and if browsers and other factors were to force phishing sites to use domain names (as opposed to IP addresses) and SSL certificates (even domain-validated ones) then this puts a minimum cost in place per phishing site to weigh against the expected revenue for the few hours a site might be up before being blocked.

* Apparently Cyota originally marketed their FraudAction anti-phishing service to banks, presumably to support banks' effort to shut down phishing sites impersonating them. Clearly if I were Cyota I would be trying to market this now to every major ISP, since it would clearly be a feature ISPs could market to their users (as AOL is doing), at least until every ISP implements something like this.

* It is interesting to contemplate Cyota or someone else offering an analogous service to individual users, e.g., implemented through an IE add-on or Firefox extension that does real-time checks of the blacklist. Implementation issues aside, this would directly provide information to phishers as to whether or not their sites were on the blacklist yet, but I presume they could determine that anyway just by trying to connect to it through AOL or another ISP offering the service.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
