On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote:
sɑlesforce[.com] is available for purchase right now.
I was going to suggest banning non-Latin-glyph domains, since they are yet another useful
phishing weapon. FF converts all such domains into Punycode when typed or pasted into the
address bar, though the conversion is displayed below the address bar, not in it. So your
example becomes "http://xn--slesforce-51d.com/".
Just providing an example of a URL that uses .com. I can provide more without
using special characters to demonstrate the same point.
Well, I'm sure that many domains containing "salesforce" presently are
unregistered, e.g., "salesforcecorp.com". This fact supports the idea
that internet entities should make a concerted effort to clean up their
namespaces as I noted previously. Of course, that should be one among
many other approaches to reducing phishing....
Elsewhere in this thread I proposed a foundation-run *whitelist* of
authentic domains that browsers could use to warn users about potential
phishing sites (e.g., "paypal.com" is in the whitelist, but the ~20,000
other nonauthentic domains containing "paypal" are not). This approach
would reduce the need for users to examine domains to determine
authenticity. What's your view on it?
dev-security-policy mailing list