On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote:
> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy <[email protected]> wrote:
>> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>>> New tools such as Modlishka now automate phishing attacks, making it virtually impossible for any browser or security solution to detect - bypassing 2FA. Google has admitted that it’s unable to detect these phishing scams, as they use a phishing domain but, instead of a fake website, they use the legitimate website to steal credentials, including 2FA. This is why Google banned its users from signing into its own websites via mobile apps with a WebView. If Google can prevent these attacks, Mozilla can’t.
>> I understand that Modlishka emplaces the phishing site as a MITM. This is yet another reason for browser publishers to help train their users to use only authentic domain names, and also to up their game on detecting and banning phishing domains. I don't think it says much about the value, or lack thereof, of EV certs. As has been cited repeatedly in this thread, most phishing sites don't even bother to use SSL, indicating that most users who can be phished aren't verifying the correct domain.
> Ronald - it’s virtually impossible for anyone to spot well-designed phishing attacks. Teaching people to check the URL doesn’t work - I can catch out 99% with a single test, every time.

"Virtually impossible"? "Anyone"? Really? Those are big claims that need real data. I'm pretty sure I haven't been phished yet.

In any case, have we ever really tried to teach users to use the correct domain? As I noted in a recent response, many site owners do things -- such as using multiple domains for a single entity, using URL-shortening services, using QR codes, etc. -- that habituate users to the idea that there's more than one correct domain, and/or that they can get it from untrustworthy sources. Once they have that idea, phishing is easy.

> It’s the solution if users had a reliable way to check website identity as I’ve explained....

And EV certs do this how? Please address https://stripe.ian.sh .

> Perhaps you can comment on my data about users who do rely on a new visual indicator and the success that has seen?

Please post a link to a paper describing it, including the methodology you used.

> Any opinion I’ve read is just that, opinion, with zero data/evidence to substantiate anything cited. The closest I’ve seen is exceptionally old research that’s more than 10 years old.

Um, https://casecurity.org/wp-content/uploads/2017/09/Incidence-of-Phishing-Among-DV-OV-and-EV-Websites-9-13-2017-short-ve....pdf (see table on p.2) is from 2017. That is not "more than 10 years old" nor just "opinion, with zero data/evidence to substantiate anything cited". Let's debate the merits with more light and less heat.

> According to Webroot 93% of all new phishing sites have an SSL certificate. According to MetaCert it’s more than 96%. This is increasing as Let’s Encrypt issues more free certs.

Please link the surveys you cite. In any case, the Let's Encrypt issue *does* appear to be a problem, as you noted elsewhere. Does Google Safe Browsing automatically add these (fake PayPal and similar) domains to its probable-phish list? They should.

> If you want to talk about certificate issuance that’s broken, look at how Let’s Encrypt has issued more than 14,000 DV certs to domains with PayPal in them.

I'm agnostic on the EV UI, but have seen little evidence that it's useful. Maybe your paper will help convince me otherwise.

-R


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy