> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy <firstname.lastname@example.org> wrote:
>
> On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote:
>> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy <email@example.com> wrote:
> [snip]
>>> Some other changes that might help reduce phishing are:
>>> 1. Site owners should avoid using multiple domains, because using them habituates users to the idea that there are several valid domains for a given entity. Once users have that idea, phishers are most of the way to success. Some of the biggest names in, e.g., brokerage services are offenders on this front.
>> [PW] Companies like Google own so many domains and sub-domains that it’s difficult to stay ahead of them. I think this is an unrealistic expectation. So if other browser vendors have the same opinion, they should look inward.
> It is not unrealistic to expect, e.g., Blahblah Investments, SIPC, to use only "www.blahblahinvestments.com" for everything related to its retail investment services. It *is* unreasonable to habituate users to bad practices.
[PW] I hear you, Ronald. And I agree. My point was that it’s unrealistic for us to expect this pattern of domain use to change. I can’t see how any stakeholder can force or encourage organizations to use a single domain name, or even a small number of them, for a given purpose. So there’s little point in directing energy to something we can’t change.

>>> 2. Site owners should not use URL-shortening services, for the same reason as (1).
>> Site owners using shortened URLs isn’t the problem in my opinion. Even if shortened URLs went away, phishing wouldn’t stop. Unless you have research to provide more insight?
> Where did I say that phishing would "stop" if URL shortening services disappeared? I said avoiding them would be helpful, since it would reinforce the idea that there is one correct domain per entity, or at least per entity service. Probably all the entity services should be subdomains of the one correct domain, but alas it will take a sustained security campaign and a decade to make a dent in that problem.

[PW] I apologize if I gave the impression that you were saying something that you were not. That wasn’t my intention. We can try to encourage companies to stop using shortening services, but we’re not likely to have much of an impact. People who don’t belong to a brand or organization will continue to use shortening services too.

I have some ideas for shortening services. They can implement better trust. Example: a URL that belongs to a site with verified website identity could look like https://verified.tinyurl.com/345kss, or they could direct to a TinyURL webpage that informs the user of the verified destination.

>>> 3. Site owners should not use QR codes, since fake ones are perfect for phishing.
>> Same as above. You don’t need to mask URLs to have a successful phishing campaign.
> No, you don't "need" to do it. It is, however, a very useful weapon in phishers' quivers.

[PW] I totally agree.
I’d like to add, of the hundred million apps with a WebView, many don’t display the URL at all. We also have Google’s AMP project, which does little to help. And then we also have social media cards and previews, where it’s possible to trick the system by displaying the og metadata from the real website while linking to the malicious destination. Rabbit hole…

>> sɑlesforce[.com] is available for purchase right now.
>
> I was going to suggest banning non-Latin-glyph domains, since they are yet another useful phishing weapon. FF converts all such domains into Punycode when typed or pasted into the address bar, though the conversion is displayed below the address bar, not in it. So your example becomes "http://xn--slesforce-51d.com/".
>
>>
>>> 4. Browser publishers should petition ICANN to revoke most of the gTLDs it has approved, since they provide fertile ground for phishing.
>> Petitioning them won’t work. gTLDs are here to stay, even if we dislike them. Also, most phishing sites use .com and other well-known TLDs. I’m not saying gTLDs aren’t used, they are. But they’re not needed.
> Of course they're not "needed" for phishing. They are, however, useful for phishing.
>> So, bringing it back to Mozilla. I’d still love to see recent research/data to back up Mozilla’s decision to remove identity UI in Firefox. By promoting the padlock without education about phishing, browser vendors are actually making the web more dangerous.
>
> I also would like to see more research.

- Paul

>
> -R
>
>
> _______________________________________________
> dev-security-policy mailing list
> firstname.lastname@example.org
> https://lists.mozilla.org/listinfo/dev-security-policy
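The homograph case quoted in the thread (sɑlesforce.com, which Firefox shows as xn--slesforce-51d.com) is easy to reason about once the hostname is reduced to its Punycode form and to an ASCII "skeleton". The following is an added example written for this page; it is not code from the thread, from Mozilla or from Firefox. The confusable table, the protected-domain list and the two-label registrable-domain guess are constructed assumptions for illustration; a production check would load the Unicode confusables data and the Public Suffix List instead.

```python
"""Detect lookalike (homograph) hostnames and show their Punycode form.

Added example, not code from the mailing-list thread or from Firefox.
The confusable table and protected-domain list below are constructed
for illustration; a real deployment would load the Unicode confusables
data and the Public Suffix List instead."""
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small confusable map: non-ASCII letters whose
# glyph resembles an ASCII letter in common fonts.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the glyph in "s\u0251lesforce"
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Constructed watch list of registrable domains we want to protect.
PROTECTED = {"salesforce.com", "mozilla.org"}


def to_punycode(host):
    """Return the ASCII (xn--) form a browser shows when it distrusts an IDN.
    Python's idna codec implements IDNA 2003 and raises UnicodeError on
    labels it cannot encode (too long, prohibited characters)."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Map each confusable character to the ASCII letter it resembles."""
    folded = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def non_ascii_chars(host):
    """List every non-ASCII character with its code point and Unicode name,
    so a reviewer sees e.g. ('\u0251', 'U+0251', 'LATIN SMALL LETTER ALPHA')."""
    return [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"))
            for ch in host if ord(ch) > 0x7F]


def registrable(host):
    """Crude registrable-domain guess: the last two labels. A real check
    would consult the Public Suffix List (assumption for this example)."""
    return ".".join(host.split(".")[-2:])


def analyse(url):
    """Return a verdict dict for the hostname in `url`."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ascii_host = to_punycode(host)
    except UnicodeError:
        ascii_host = None  # label not encodable: treat as suspicious on its own
    impersonates = None
    target = registrable(skeleton(host))
    # Only flag when the skeleton lands on a protected domain that the real
    # registrable domain does not already equal.
    if target in PROTECTED and target != registrable(host):
        impersonates = target
    return {
        "host": host,
        "ascii_host": ascii_host,
        "non_ascii": non_ascii_chars(host),
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for u in ("https://s\u0251lesforce.com/login", "https://www.salesforce.com/"):
        print(analyse(u))
```

A script-based "mixed script" check would not catch the quoted example: U+0251 is LATIN SMALL LETTER ALPHA, so a label mixing it with ASCII letters is entirely Latin script. That is why the example maps glyphs through a confusable table and compares the result against a watch list, and why surfacing the raw code point and Unicode name for each non-ASCII character is useful to whoever reviews the alert.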