On 6/9/2012 5:24 PM, Jean-Marc Desperrier wrote:
> But actually I believe domain name based white-listing is
> intrinsically weak, because weaknesses that allow an attacker to upload
> his own file somewhere on the web server appear too frequently.
Er, yes.
See our list of "Major domains being exploited by active phishing
scams". This shows phishing pages being hosted by major domains.
Phishers do this to steal the credibility of the major site.
This helps get their links through spam filters.
Some sites are free hosting services, some are URL redirectors, and some
are break-ins. Here's the list.
http://www.sitetruth.com/reports/phishes.html
Unless you're willing to routinely kick sites off the whitelist
when they're corrupted, whitelisting will not work.
There are, surprisingly, only 43 domains on that list. It's
created every 3 hours by intersecting PhishTank with DMOZ.
So the threshold for a "major site" is very low; there are
over a million. Yet only 43 are on the list. Most sites
don't stay on the list for long, since by now most major
sites have reasonable abuse operations and clean up their
act quickly. It's quite common, though, for a big name to
be on the list for a day or two. For example, "flickr.com"
and "tinyurl.com" were on the list for a few hours recently.
"charter.com" was on for a week. Is Mozilla willing to pull
a major site from a whitelist when something like that happens?
John Nagle
SiteTruth
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
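
Added example (not part of the original message, and not SiteTruth's code): a sketch of the intersection the message describes, matching a phishing-URL feed against a directory of "major" domains and dropping the hits from a whitelist. The function names, the feed and the directory are constructed for illustration; the real PhishTank and DMOZ data formats are not shown here.

```python
from urllib.parse import urlsplit

# Constructed sample data using reserved .example/.invalid names.
DIRECTORY = {"photos.example", "short.example", "isp.example", "news.example"}
PHISH_FEED = [
    "http://photos.example/user123/login.html",                # file on a hosting site
    "http://short.example/r?u=http://unlisted-host.invalid/",  # URL redirector
    "https://members.isp.example/~bob/bank/",                  # subdomain of a listed site
    "http://unlisted-host.invalid/paypal/",                    # not a directory domain
    "not a url",                                               # junk line in the feed
]

def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def listed_domain(host, directory):
    """Return the longest directory domain that host equals or is a subdomain of."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare top-level label
        candidate = ".".join(labels[i:])
        if candidate in directory:
            return candidate
    return None

def exploited_domains(phish_urls, directory):
    """Intersect the feed with the directory: domain -> reported phishing URLs."""
    hits = {}
    for url in phish_urls:
        host = host_of(url)
        domain = listed_domain(host, directory) if host else None
        if domain:
            hits.setdefault(domain, []).append(url)
    return hits

def prune_whitelist(whitelist, hits):
    """Return the whitelist without domains that currently host reported phish."""
    return whitelist - set(hits)

if __name__ == "__main__":
    hits = exploited_domains(PHISH_FEED, DIRECTORY)
    for domain in sorted(hits):
        print(domain, len(hits[domain]), "phishing URL(s)")
    print("whitelist after pruning:", sorted(prune_whitelist(DIRECTORY, hits)))
```

Re-running this on each feed refresh also restores a domain to the whitelist once its phishing pages drop out of the feed.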