On 10/9/2019 11:02 AM, Paul Walsh via dev-security-policy wrote:
On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote:

[snip]
sɑlesforce[.com] is available for purchase right now.
I was going to suggest banning non-Latin-glyph domains, since they are yet another useful 
phishing weapon. FF converts all such domains into Punycode when typed or pasted into the 
address bar, though the conversion is displayed below the address bar, not in it. So your 
example becomes "http://xn--slesforce-51d.com/".
Just providing an example of a URL that uses .com. I can provide more without 
using special characters to demonstrate the same point.
Well, I'm sure that many domains containing "salesforce" presently are unregistered, 
e.g., "salesforcecorp.com". This fact supports the idea that internet entities should 
make a concerted effort to clean up their namespaces as I noted previously. Of course, that should 
be one among many other approaches to reducing phishing….
[PW] I agree.

Elsewhere in this thread I proposed a foundation-run *whitelist* of authentic domains that browsers 
could use to warn users about potential phishing sites (e.g., "paypal.com" is in the 
whitelist, but the ~20,000 other nonauthentic domains containing "paypal" are not). This 
approach would reduce the need for users to examine domains to determine authenticity. What's your 
view on it?
[PW] I agree. And such lists exist already. At MetaCert we aggregate all open 
source lists that are available. We have our own community with a few thousand 
members who report and validate suspicious links every day,....

I'm proposing a whitelist, not a blacklist, for the very reason that

...It is technically impossible to detect every new dangerous URL or website 
[and] It’s so much easier to tell someone what’s safe, than it is to detect 
what’s dangerous.

And I'm proposing that it be foundation-supported (by, e.g., a well-trusted source like Mozilla) so that it also can be (1) trustworthy; (2) cost-free to end users; (3) as private as possible; and (4) simple.

So, I agree with you Ronald - your suggestion is a great one. But I’m afraid it 
doesn’t solve the problem in the same way that website identity does - as I 
described previously.

I am still not clear on how presenting website identity to users reduces phishing so well. Can you explain? Can you point me to one of your papers that discusses this idea? I see, e.g., pp. 18-19 of https://www.metacertprotocol.com/assets/metacert_white_paper.pdf , but it uses very general marketing-style language ("The feedback on this product has been overwhelming. Cryptonite gained over 50,000 active users in the first six weeks of launch. Users want to remain safe when buying and selling crypto and our user base continues to grow") that doesn't help me evaluate how well it works.

-R


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
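The two mechanisms discussed in this thread, Punycode conversion of non-Latin-glyph domains and an allowlist of authentic domains checked before anything else, can be shown together in a few lines. The following is an added example written for this page, not code from Mozilla, MetaCert or either correspondent. The allowlist contents are constructed, the "registrable domain" is approximated as the last two labels (a real implementation would consult the Public Suffix List), and the brand tokens are simply the allowlist's second-level labels; the `sɑlesforce.com` input reproduces the thread's own example and yields the same `xn--slesforce-51d.com` form quoted above.

```python
"""Added example: Punycode (IDNA) conversion plus an allowlist-first check.
Not part of the mailing-list thread; allowlist and sample inputs are constructed."""
from __future__ import annotations

# Constructed allowlist of authentic domains, stored in ASCII (A-label) form.
# The thread proposes that a foundation curate such a list.
AUTHENTIC_DOMAINS = {"paypal.com", "salesforce.com", "mozilla.org"}

# Brand tokens derived from the allowlist's second-level labels ("paypal", ...).
BRAND_TOKENS = {d.split(".")[-2] for d in AUTHENTIC_DOMAINS}


def to_alabel(hostname: str) -> str | None:
    """Return the ASCII 'xn--' (Punycode) form of a hostname, i.e. the form the
    thread says Firefox displays for non-Latin-glyph domains, or None if the
    name cannot be IDNA-encoded (empty label, label longer than 63 octets)."""
    try:
        cleaned = hostname.strip().rstrip(".").lower()
        return cleaned.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def registrable(alabel: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption for this example only; production code should use the
    Public Suffix List."""
    return ".".join(alabel.split(".")[-2:])


def classify(hostname: str) -> tuple[str, str]:
    """Allowlist-first verdict for a hostname.

    Returns (verdict, alabel) where verdict is one of:
      authentic           registrable domain is on the allowlist
      idn-not-allowlisted non-ASCII name (xn-- label) not on the allowlist
      lookalike           ASCII name containing an allowlisted brand token
      unknown             nothing matched
      invalid             not encodable as a hostname
    """
    alabel = to_alabel(hostname)
    if alabel is None:
        return ("invalid", hostname)
    if registrable(alabel) in AUTHENTIC_DOMAINS:
        return ("authentic", alabel)
    if any(label.startswith("xn--") for label in alabel.split(".")):
        # The user sees Unicode glyphs; DNS sees xn--... Flag it since the
        # allowlist (compared in A-label form above) did not contain it.
        return ("idn-not-allowlisted", alabel)
    if any(token in alabel for token in BRAND_TOKENS):
        # e.g. "salesforcecorp.com" or "paypal.com.evil.example": carries a
        # brand name but is not the brand's registered domain.
        return ("lookalike", alabel)
    return ("unknown", alabel)


if __name__ == "__main__":
    # Constructed sample inputs, including the thread's own sɑlesforce example.
    for name in ["paypal.com", "www.PayPal.com", "salesforcecorp.com",
                 "s\u0251lesforce.com", "paypal.com.evil.example", "example.org"]:
        verdict, alabel = classify(name)
        print(f"{name:28} -> {alabel:28} {verdict}")
```

Because the allowlist is consulted before any heuristic, an authentic IDN domain that a foundation had vetted would be stored as its A-label and pass as "authentic"; everything else that is non-ASCII is surfaced rather than silently rendered, which is the "tell someone what's safe" ordering the thread argues for.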
