On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote:

sɑlesforce[.com] is available for purchase right now.
I was going to suggest banning non-Latin-glyph domains, since they are yet another useful 
phishing weapon. FF converts all such domains into Punycode when typed or pasted into the 
address bar, though the conversion is displayed below the address bar, not in it. So your 
example becomes "http://xn--slesforce-51d.com/".
Just providing an example of a URL that uses .com. I can provide more without 
using special characters to demonstrate the same point.

Well, I'm sure that many domains containing "salesforce" presently are unregistered, e.g., "salesforcecorp.com". This fact supports the idea that internet entities should make a concerted effort to clean up their namespaces as I noted previously. Of course, that should be one among many other approaches to reducing phishing....

Elsewhere in this thread I proposed a foundation-run *whitelist* of authentic domains that browsers could use to warn users about potential phishing sites (e.g., "paypal.com" is in the whitelist, but the ~20,000 other nonauthentic domains containing "paypal" are not). This approach would reduce the need for users to examine domains to determine authenticity. What's your view on it?
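As an added illustration of the two points in this reply (the Punycode conversion the browser performs, and an allowlist of authentic domains used to flag brand look-alikes), here is a small Python script that is not part of the thread or of any browser's code. It assumes a constructed allowlist of two domains, a constructed handful of confusable-character mappings rather than the full Unicode confusables table, and a two-label registrable suffix such as ".com".

```python
import unicodedata

# Constructed allowlist standing in for the foundation-run list of authentic
# domains proposed in the post (assumption: not a real dataset).
AUTHENTIC_DOMAINS = {"paypal.com", "salesforce.com"}
BRAND_KEYWORDS = ("paypal", "salesforce")

# Constructed subset of look-alike mappings (assumption: a handful of entries,
# not the full Unicode confusables table).
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the 'ɑ' in the example above
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def to_punycode(hostname):
    """Return the ASCII (A-label) form a browser shows: each non-ASCII label is
    encoded with Python's punycode codec and given the xn-- prefix. IDNA
    nameprep is skipped here; the inputs used are already lowercase."""
    out = []
    for label in hostname.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label):
    """Scripts used by the letters of a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold known confusables to their ASCII look-alike before brand matching."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(hostname):
    """Classify a hostname: Punycode form, non-ASCII and mixed-script flags,
    brand keywords found after folding, and whether the registrable domain is
    on the allowlist. 'suspicious' means a brand is named but not authentic."""
    hostname = hostname.lower()
    labels = hostname.split(".")
    registrable = ".".join(labels[-2:])  # assumption: two-label suffix such as .com
    brand_hits = [b for b in BRAND_KEYWORDS if b in skeleton(hostname)]
    return {
        "punycode": to_punycode(hostname),
        "non_ascii": any(not l.isascii() for l in labels),
        "mixed_script": any(len(scripts_in(l)) > 1 for l in labels),
        "brand_hits": brand_hits,
        "authentic": registrable in AUTHENTIC_DOMAINS,
        "suspicious": bool(brand_hits) and registrable not in AUTHENTIC_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed sample hostnames: the post's example, an all-ASCII look-alike,
    # the authentic domain, and a Cyrillic-letter look-alike.
    for host in ("s\u0251lesforce.com", "salesforcecorp.com", "salesforce.com", "p\u0430ypal.com"):
        print(host, analyze(host))
```

Note what the script shows about the "sɑlesforce" example: the ɑ is LATIN SMALL LETTER ALPHA, so a mixed-script check alone does not flag it, while the allowlist check does, because the folded name contains "salesforce" but the registrable domain is not the authentic one. The same allowlist check catches the all-ASCII "salesforcecorp.com", which no Punycode display would ever reveal.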

