> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy 
> <[email protected]> wrote:
> 
> On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote:
>> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy 
>> <[email protected]> wrote:
> [snip]
>>> Some other changes that might help reduce phishing are:
>>> 1. Site owners should avoid using multiple domains, because using them 
>>> habituates users to the idea that there are several valid domains for a 
>>> given entity. Once users have that idea, phishers are most of the way to 
>>> success. Some of the biggest names in, e.g., brokerage services are 
>>> offenders on this front.
>> [PW] Companies like Google own so many domains and sub-domains that it’s 
>> difficult to stay ahead of them. I think this is an unrealistic expectation. 
>> So if other browser vendors have the same opinion, they should look inward.
> It is not unrealistic to expect, e.g., Blahblah Investments, SIPC, to use 
> only "www.blahblahinvestments.com" for everything related to its retail 
> investment services. It *is* unreasonable to habituate users to bad practices.

I agree. 

>>> 2. Site owners should not use URL-shortening services, for the same reason 
>>> as (1).
>> Site owners using shortened URLs isn’t the problem in my opinion. Even if 
>> shortened URLs went away, phishing wouldn’t stop. Unless you have research 
>> to provide more insight?
> Where did I say that phishing would "stop" if URL shortening services 
> disappeared? I said avoiding them would be helpful, since it would reinforce 
> the idea that there is one correct domain per entity, or at least per entity 
> service. Probably all the entity services should be subdomains of the one 
> correct domain, but alas it will take a sustained security campaign and a 
> decade to make a dent in that problem.

I agree. I said, if they disappeared it wouldn’t stop phishing. So it’s still a 
problem. I wanted to use an extreme example to demonstrate a point. 


>>> 3. Site owners should not use QR codes, since fake ones are perfect for 
>>> phishing.
>> Same as above. You don’t need to mask URLs to have a successful phishing 
>> campaign.
> No, you don't "need" to do it. It is, however, a very useful weapon in 
> phishers' quivers.

I agree.

>> sɑlesforce[.com] is available for purchase right now.
> 
> I was going to suggest banning non-Latin-glyph domains, since they are yet 
> another useful phishing weapon. FF converts all such domains into Punycode 
> when typed or pasted into the address bar, though the conversion is displayed 
> below the address bar, not in it. So your example becomes 
> "http://xn--slesforce-51d.com/".

Just providing an example of a URL that uses .com. I can provide more without 
using special characters to demonstrate the same point. 



_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
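Added example (not code from this thread or from any of its participants): the Punycode conversion the message above describes, done with Python's built-in IDNA codec, plus a listing of every non-ASCII code point in the host by Unicode name, so a reviewer can see that the "a" in the quoted lookalike is really LATIN SMALL LETTER ALPHA (U+0251). The sample hosts are constructed for the demonstration; the function names are this example's own.

```python
import unicodedata

# Constructed sample hosts, not taken from the thread's data: the lookalike
# quoted in the message (U+0251 LATIN SMALL LETTER ALPHA in place of "a")
# beside the genuine ASCII spelling.
SAMPLE_HOSTS = ["s\u0251lesforce.com", "salesforce.com"]


def to_punycode(host: str) -> str:
    """Return the ASCII (xn--) form that goes on the wire for this host.

    Uses Python's built-in 'idna' codec (IDNA 2003 nameprep + Punycode);
    an all-ASCII host encodes to itself unchanged."""
    return host.encode("idna").decode("ascii")


def non_ascii_chars(host: str) -> list:
    """List each non-ASCII code point with its code and Unicode name.

    This is the information a person needs in order to judge whether a
    displayed host is the one they think it is: the name tells them the
    glyph is an alpha, not the letter a."""
    return [
        (ch, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"))
        for ch in host
        if ord(ch) > 0x7F
    ]


def analyze(host: str) -> dict:
    """Summarise a host: its display form, wire form, whether it is an IDN
    at all, and which characters make it one."""
    wire = to_punycode(host)
    return {
        "display": host,
        "wire": wire,
        "is_idn": wire != host,
        "non_ascii": non_ascii_chars(host),
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(analyze(h))
```

Running the block prints one summary per sample host; the lookalike's wire form is the xn-- label the message quotes, while the genuine spelling reports no non-ASCII characters.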
