On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy <[email protected]> wrote:

> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>> New tools such as Modlishka now automate phishing attacks, making it
>> virtually impossible for any browser or security solution to detect -
>> bypassing 2FA. Google has admitted that it’s unable to detect these phishing
>> scams as they use a phishing domain but instead of a fake website, they use
>> the legitimate website to steal credentials, including 2FA. This is why
>> Google banned its users from signing into its own websites via mobile apps
>> with a WebView. If Google can prevent these attacks, Mozilla can’t.
>
> I understand that Modlishka emplaces the phishing site as a MITM. This is yet
> another reason for browser publishers to help train their users to use only
> authentic domain names, and also to up their game on detecting and banning
> phishing domains. I don't think it says much about the value, or lack
> thereof, of EV certs. As has been cited repeatedly in this thread, most
> phishing sites don't even bother to use SSL, indicating that most users who
> can be phished aren't verifying the correct domain.
Ronald - it’s virtually impossible for anyone to spot well designed phishing attacks. Teaching people to check the URL doesn’t work - I can catch out 99% with a single test, every time. It’s the solution if users had a reliable way to check website identity as I’ve explained. Almost all breaches start with phishing and it’s getting worse. Perhaps you can comment on my data about users who do rely on a new visual indicator and the success that has seen? Any opinion I’ve read is just that, opinion, with zero data/evidence to substantiate anything cited. The closest I’ve seen is exceptionally old research that’s more than 10 years old.

According to Webroot 93% of all new phishing sites have an SSL certificate. According to MetaCert it’s more than 96%. This is increasing as Let’s Encrypt issues more free certs. I think people are mixing up spam with phishing. Or they’re just guessing based on what they see personally. It’s time to reference facts from the security world.

With billions of dollars being invested in cybersecurity and many billions spent paying for those services, it’s still technically impossible for any company with any solution to detect every new malicious URL - and it will never be possible to detect every new dangerous URL.

So, most attacks start with phishing. Most phishing sites have a padlock. Most people trust sites with a padlock. Security companies can’t stop all new threats. What’s the answer? It certainly isn’t removing website identity and promoting the padlock.

- Paul

> -R
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
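The mechanism both messages above are arguing about (a phishing host that sits as a live reverse proxy in front of the real site, relays the victim's password and one-time code as they are typed, and keeps the resulting session) can be shown end to end without any network. The following is an added, self-contained simulation written for this page; it is not code from the thread, from Mozilla or from the Modlishka project. The hostnames `accounts.example.com` and `accounts.example.com.login-help.test`, the user database, the TOTP secret and the cookie format are all constructed for the example; the TOTP routine follows RFC 6238 so the "second factor" behaves like a real authenticator app.

```python
"""Offline simulation of a reverse-proxy ("MITM") phishing flow, the mechanism
the thread attributes to Modlishka.  Added illustration; not code from the
thread, Mozilla or the Modlishka project.  Hostnames, the user database, the
TOTP secret and the cookie format are all constructed for this example."""
import hashlib
import hmac
import secrets
import struct

LEGIT_HOST = "accounts.example.com"                  # assumed real site
PHISH_HOST = "accounts.example.com.login-help.test"  # assumed lookalike; it has its own cert

# Constructed user database for the simulated legitimate site.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"}}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as the victim's authenticator app computes it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class LegitSite:
    """The real site.  From its point of view the login is ordinary: right password, fresh TOTP."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}

    def login(self, host: str, user: str, password: str, code: str, now: int):
        if host != LEGIT_HOST:          # it only answers requests addressed to its own name
            return None
        u = USERS.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(totp(u["totp_secret"], now), code):
            return None                 # wrong or stale second factor
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return {"set_cookie": f"session={sid}; Domain={LEGIT_HOST}; Secure; HttpOnly",
                "body": f"<a href=\"https://{LEGIT_HOST}/inbox\">Inbox</a>"}

    def whoami(self, cookie: str):
        return self.sessions.get(cookie.removeprefix("session="))


class ReverseProxyPhish:
    """Phishing host that relays every request to the legitimate site in real time."""

    def __init__(self, upstream: LegitSite) -> None:
        self.upstream = upstream
        self.loot: list[dict] = []      # what the operator walks away with

    def handle_login(self, request: dict, now: int):
        if request["host"] != PHISH_HOST:
            return None
        # The victim's form is forwarded verbatim, live TOTP code included, under the
        # real Host name, so the real site has no reason to reject it.
        resp = self.upstream.login(LEGIT_HOST, request["user"], request["password"],
                                   request["code"], now)
        if resp is None:
            return {"body": "Login failed, try again"}   # the victim just sees a normal error
        self.loot.append({"user": request["user"], "password": request["password"],
                          "totp": request["code"], "cookie": resp["set_cookie"].split(";")[0]})
        # Rewrite the response so the browser keeps talking to the proxy: cookie scoped to
        # the phishing host, links pointed back at it.  The page content is the real site's.
        return {"set_cookie": resp["set_cookie"].replace(LEGIT_HOST, PHISH_HOST),
                "body": resp["body"].replace(LEGIT_HOST, PHISH_HOST)}


def run_demo(now: int = 1_700_000_000) -> dict:
    site = LegitSite()
    proxy = ReverseProxyPhish(site)
    code = totp(USERS["alice"]["totp_secret"], now)   # victim reads this off her phone

    # 1. Victim submits to the lookalike.  The HTML is the real site's and the connection
    #    is TLS with a padlock; the only visible difference is the hostname.
    victim_view = proxy.handle_login(
        {"host": PHISH_HOST, "user": "alice", "password": "correct horse", "code": code}, now)

    # 2. Replaying the captured password + TOTP after the 30 s window fails, so the asset
    #    the operator actually needs is the session cookie issued during the relay.
    replay = site.login(LEGIT_HOST, "alice", "correct horse", code, now + 90)

    # 3. The operator presents the captured cookie directly to the legitimate site.
    stolen = proxy.loot[0]
    return {
        "victim_sees_phish_host": PHISH_HOST in victim_view["body"],
        "replay_of_totp_later_works": replay is not None,
        "operator_logged_in_as": site.whoami(stolen["cookie"]),
        "captured_totp_was_valid": stolen["totp"] == code,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the simulation makes concrete. First, nothing the real site checks (password, a fresh TOTP, a valid certificate on the victim's connection) is wrong, because each check is satisfied by the victim in real time; the proxy only needs its own certificate for its own name, which is why the padlock is present. Second, the one signal that differs on the victim's side is the hostname, which is exactly the datum the two messages above disagree about users' ability to verify. Codes that are simply typed and forwarded are relayable by construction; the relay fails only for authenticators that bind their response to the origin the browser actually connected to (WebAuthn/FIDO-style), a point the thread itself does not raise.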

