On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
>> I guess I wasn't specific enough. I am looking for a good study that
>> supports the proposition that the Internet community has (1) made a
>> concerted effort to ensure that there is only one authentic domain per
>> entity (or, at most, per entity-service, e.g., retail brokerage
>> services); and (2) has made a concerted effort to educate users to use
>> only that domain; and (3) that those steps have failed to significantly
>> reduce the successful phishing rate of the users that steps (1) and (2)
>
> Was it intentional to presume that (1) is correct or desirable? It’s
> unclear if you believe it is, but if it isn’t (and for many reasons, it
> isn’t), then naturally one might assume (2) and (3) don’t exist.

Yes, I do believe that (1) is desirable. It has a long history in the context of brand identity (e.g., "Coke" in red and white script), where virtually all consumers use it to identify authentic products and reject counterfeits. Entities also vigorously promote and protect their brand identities via trademarks and related litigation, and authorities even sometimes investigate and prosecute counterfeiters.

Basically, many internet-based entities appear to have brought phishing upon themselves by failing to extend the above to their internet presences. Instead, they've trained their users to accept as authentic any domain that has a passing resemblance to their rat's-nest of legitimate domains.


dev-security-policy mailing list