On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy wrote:
>
> On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
> > [snip]
> > > I guess I wasn't specific enough. I am looking for a good study that
> > > supports the proposition that the Internet community has (1) made a
> > > concerted effort to ensure that there is only one authentic domain per
> > > entity (or, at most, per entity-service, e.g., retail brokerage
> > > services); and (2) has made a concerted effort to educate users to use
> > > only that domain; and (3) that those steps have failed to significantly
> > > reduce the successful phishing rate of the users that steps (1) and (2)
> > > targeted.
> >
> > Was it intentional to presume that (1) is correct or desirable? It's
> > unclear if you believe it is, but if it isn't (and for many reasons, it
> > isn't), then naturally one might assume (2) and (3) don't exist.
>
> Yes, I do believe that (1) is desirable. It has a long history in the
> context of brand identity (e.g., "Coke" in red and white script), where
> virtually all consumers use it to identify authentic products and reject
> counterfeits.

This is a valuable analogy, but I'm not sure how it advances the argument
you appear to be making. To take the specific example you've provided,
there is more than one product made under the general brand of "Coke",
most -- but not all -- involving the word "Coke" in one way or another. If
we take the "domain name per product" analogy, there would be a bunch of
different "domains" for these products: coke, newcoke, cocacolaclassic,
dietcoke, cokezero, vanillacoke, caffeinefreecoke, and so on. That's before
we start considering other products produced and marketed by the same
company under different names. There's a bunch of other carbonated
beverages, plus uncarbonated beverages, and even non-beverage foodstuffs,
that are all produced and/or marketed by the company that produces and
markets "Coke", at least in the country I'm from.

Contrariwise, neither the word "Coke", nor white writing on a red
background, nor even the specific font used, unambiguously identify one
particular brand -- and even then, it is only in the context of beverages
(attempts by trademark-maximalists notwithstanding).

Further, as the rather extensive examples of counterfeit goods demonstrate,
the mere existence of a trademark, or even active measures, does not stop
counterfeiting, nor does it even attempt to -- it only tries to make
counterfeiting commercially unattractive.

Where the analogy breaks down is that in the case of phishing, people don't
typically try to "counterfeit" the domain name, merely "confuse". If I make
a product called "Matt's Coke" and sell it, I may certainly find myself in
some legal hot water, but it won't be because of "counterfeiting", but
rather a more nebulous form of trademark infringement around confusion.

> Basically, many internet-based entities appear to have brought phishing upon
> themselves by failing to extend the above to their internet presences.
> Instead, they've trained their users to accept as authentic any domain that
> has a passing resemblance to their rat's-nest of legitimate domains.

While there's a certain amount of truth to that, I think quite a lot of it
is users just not checking *anything* about the link they're clicking. The
amount of spam I get inviting me to login to various banking websites using
a link to yevgeniysflowershoppe.ua or the like would suggest that phishing
doesn't absolutely rely on confusion.

Your hypothesis relies on the idea that users can be trained in any
meaningful fashion, which the research seems to not support at all.

- Matt

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy