On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy 
<[email protected]> wrote:
> 
> On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote:
>> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>>> New tools such as Modlishka now automate phishing attacks, making it 
>>> virtually impossible for any browser or security solution to detect -  
>>> bypassing 2FA. Google has admitted that it’s unable to detect these 
>>> phishing scams as they use a phishing domain but instead of a fake website, 
>>> they use the legitimate website to steal credentials, including 2FA. This 
>>> is why Google banned its users from signing into its own websites via 
>>> mobile apps with a WebView. If Google can prevent these attacks, Mozilla 
>>> can’t.
>> 
>> I understand that Modlishka emplaces the phishing site as a MITM. This is 
>> yet another reason for browser publishers to help train their users to use 
>> only authentic domain names, and also to up their game on detecting and 
>> banning phishing domains. I don't think it says much about the value, or 
>> lack thereof, of EV certs. As has been cited repeatedly in this thread, most 
>> phishing sites don't even bother to use SSL, indicating that most users who 
>> can be phished aren't verifying the correct domain.
>> 
>> -R
>> 
> Some other changes that might help reduce phishing are:
> 
> 1. Site owners should avoid using multiple domains, because using them 
> habituates users to the idea that there are several valid domains for a given 
> entity. Once users have that idea, phishers are most of the way to success. 
> Some of the biggest names in, e.g., brokerage services are offenders on this 
> front.

[PW] Companies like Google own so many domains and sub-domains that it’s 
difficult to stay ahead of them. I think this is an unrealistic expectation. So 
if other browser vendors have the same opinion, they should look inward.

> 
> 2. Site owners should not use URL-shortening services, for the same reason as 
> (1).

Site owners using shortened URLs isn’t the problem in my opinion. Even if 
shortened URLs went away, phishing wouldn’t stop. Unless you have research that 
provides more insight?

> 
> 3. Site owners should not use QR codes, since fake ones are perfect for 
> phishing.

Same as above. You don’t need to mask URLs to have a successful phishing 
campaign. sɑlesforce[.com] is available for purchase right now. 

> 
> 4. Browser publishers should petition ICANN to revoke most of the gTLDs it 
> has approved, since they provide fertile ground for phishing.

Petitioning them won’t work. gTLDs are here to stay, even if we dislike them. 
Also, most phishing sites use .com and other well known TLDs. I’m not saying 
gTLDs aren’t used, they are. But they’re not needed. 

So, bringing it back to Mozilla. I’d still love to see recent research/data to 
back up Mozilla’s decision to remove identity UI in Firefox. By promoting the 
padlock without education about phishing, browser vendors are actually making 
the web more dangerous. 

- Paul


> There appear to be ~1900 such gTLDs [1]. I doubt that even the largest 
> corporations have registered their base domains under every such gTLD. Where 
> does "www.microsoft.somenamethatICANNmightaddasagTLD" go? I sure don't know 
> where "www.zippenhop.[pick a non-.com gTLD]" goes.
> 
> [1]  Search for "delegated" status at 
> https://newgtlds.icann.org/en/program-status/delegated-strings .
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

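The sɑlesforce[.com] example earlier in this message is a homoglyph registration: the second character is U+0251 (Latin small letter alpha), which is a Latin-script letter, so a plain mixed-script check would not flag it. The following is an added example, not code from this thread or from Mozilla, of a check a defender could run over newly registered or CT-logged names against a list of protected brand domains: it decodes punycode with the stdlib IDNA codec, reports labels that stay non-ASCII after decoding, and compares a "skeleton" of each name (NFKD, combining marks stripped, confusables mapped) with the brands. The confusables table, the brand list and the sample names are constructed for this example; a real deployment would use the Unicode confusables data and a maintained brand list.

```python
"""Look-alike domain check (added example): decode punycode, flag non-ASCII
labels, and compare a skeleton of the name against protected brand domains."""
import unicodedata
from typing import Iterable, List

# Hand-made confusable map (constructed for this example, not the full
# Unicode confusables data). U+0251 is a Latin letter, so a mixed-script
# check alone misses "sɑlesforce"; a skeleton comparison catches it.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0142": "l",  # LATIN SMALL LETTER L WITH STROKE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "0": "o",       # ASCII digit look-alikes (typosquats)
    "1": "l",
}


def to_unicode(domain: str) -> str:
    """Lower-case, drop a trailing dot, and decode xn-- labels with the stdlib
    IDNA codec so the punycode and Unicode forms of a name compare equal."""
    domain = domain.strip().rstrip(".").lower()
    if not domain.isascii():
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # malformed punycode: keep the raw form for review


def non_ascii_labels(domain: str) -> List[str]:
    """Labels that still contain non-ASCII characters after decoding."""
    return [lbl for lbl in to_unicode(domain).split(".") if not lbl.isascii()]


def skeleton(domain: str) -> str:
    """Comparison key: NFKD-normalise, strip combining marks, map confusables."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text
                   if not unicodedata.combining(ch))


def classify(domain: str, protected: Iterable[str]) -> str:
    """Place a domain relative to the protected brand list:
    'exact'     - the brand domain itself
    'lookalike' - different string, same skeleton (homoglyph / typosquat)
    'subdomain' - host under the brand domain (www.brand.example)
    'embedded'  - brand name used as the leading labels of another domain
    'unrelated' - no relation found"""
    brands = {to_unicode(b) for b in protected}
    uni = to_unicode(domain)
    if uni in brands:
        return "exact"
    sk = skeleton(uni)
    brand_keys = {skeleton(b) for b in brands}
    if sk in brand_keys:
        return "lookalike"
    for bk in brand_keys:
        if sk.endswith("." + bk):
            return "subdomain"
        if sk.startswith(bk + ".") or ("." + bk + ".") in sk:
            return "embedded"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of observed names, e.g. from new registrations or CT logs.
    PROTECTED = {"salesforce.com"}
    for name in ["salesforce.com", "s\u0251lesforce.com", "salesf0rce.com",
                 "www.salesforce.com", "salesforce.com.login-check.example",
                 "example.org"]:
        print(f"{name:40} {classify(name, PROTECTED):10} "
              f"non-ascii={non_ascii_labels(name)}")
```

The skeleton step is what makes the ɑ case visible: `skeleton("sɑlesforce.com")` collapses to `salesforce.com`, so the name is reported as a look-alike whether it arrives in Unicode or in its xn-- form. The `embedded` class covers the other pattern discussed in the thread, a real brand name placed in front of an unrelated registrable domain.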