On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy 
> On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
> > [snip]
> > > I guess I wasn't specific enough. I am looking for a good study that
> > > supports the proposition that the Internet community has (1) made a
> > > concerted effort to ensure that there is only one authentic domain per
> > > entity (or, at most, per entity-service, e.g, retail brokerage
> > > services); and (2) has made a concerted effort to educate users to use
> > > only that domain; and (3) that those steps have failed to significantly
> > > reduce the successful phishing rate of the users that steps (1) and (2)
> > > targeted.
> > > 
> > > 
> > > Was it intentional to presume that (1) is correct or desirable? It’s
> > > unclear if you believe it is, but if it isn’t (and for many reasons, it
> > > isn’t), then naturally one might assume (2) and (3) don’t exist.
> Yes, I do believe that (1) is desirable. It has a long history in the
> context of brand identity (e.g., "Coke" in red and white script), where
> virtually all consumers use it to identify authentic products and reject
> counterfeits.

This is a valuable analogy, but I'm not sure how it advances the argument
you appear to be making.

To take the specific example you've provided, there is more than one product
made under the general brand of "Coke", most -- but not all -- involving the
word "Coke" in way or another.  If we take the "domain name per product"
analogy, there would be a bunch of different "domains" for these products:
coke, newcoke, cocacolaclassic, dietcoke, cokezero, vanillacoke,
caffeinefreecoke, and so on.

That's before we start considering other products produced and marketed by
the same company under different names.  There's a bunch of other carbonated
beverages, plus uncarbonated beverages, and even non-beverage foodstuffs,
that are all produced and/or marketed by the company that produces and
markets "Coke", at least in the country I'm from.

Contrariwise, neither the word "Coke", nor white writing on a red
background, nor even the specific font used, unambiguously identify one
particular brand -- and even then, it is only in the context of beverages
(attempts by trademark-maximalists notwithstanding).  Further, as the rather
extensive examples of counterfeit goods demonstrate, the mere existence of a
trademark, or even active measures, does not stop counterfeiting, nor does
it even attempt to -- it only tries to make counterfeiting commercially

Where the analogy breaks down is that in the case of phishing, people don't
typically try to "counterfeit" the domain name, merely "confuse".  If I make
a product called "Matt's Coke" and sell it, I may certainly find myself in
some legal hot water, but it won't be because of "counterfeiting", but
rather a more nebulous form of trademark infringement around confusion.

> Basically, many internet-based entities appear to have brought phishing upon
> themselves by failing to extend the above to their internet presences.
> Instead, they've trained their users to accept as authentic any domain that
> has a passing resemblance to their rat's-nest of legitimate domains.

While there's a certain amount of truth to that, I think quite a lot of it
is users just not checking *anything* about the link they're clicking.  The
amount of spam I get inviting me to login to various banking websites using
a link to yevgeniysflowershoppe.ua or the like would suggest that phishing
doesn't not absolutely rely on confusion.  Your hypothesis relies on the
idea that users can be trained in any meaningful fashion, which the research
seems to not support at all.

- Matt

dev-security-policy mailing list

Reply via email to