On 10/9/2019 11:02 AM, Paul Walsh via dev-security-policy wrote:
On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy
On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote:
sɑlesforce[.com] is available for purchase right now.
I was going to suggest banning non-Latin-glyph domains, since they are yet another useful
phishing weapon. FF converts all such domains into Punycode when typed or pasted into the
address bar, though the conversion is displayed below the address bar, not in it. So your
example becomes "http://xn--slesforce-51d.com/".
Just providing an example of a URL that uses .com. I can provide more without
using special characters to demonstrate the same point.
Well, I'm sure that many domains containing "salesforce" presently are unregistered,
e.g., "salesforcecorp.com". This fact supports the idea that internet entities should
make a concerted effort to clean up their namespaces as I noted previously. Of course, that should
be one among many other approaches to reducing phishing….
[PW] I agree.
Elsewhere in this thread I proposed a foundation-run *whitelist* of authentic domains that browsers
could use to warn users about potential phishing sites (e.g., "paypal.com" is in the
whitelist, but the ~20,000 other nonauthentic domains containing "paypal" are not). This
approach would reduce the need for users to examine domains to determine authenticity. What's your
view on it?
[PW] I agree. And such lists exist already. At MetaCert we aggregate all open
source lists that are available. We have our own community with a few thousand
members who report and validate suspicious links every day,....
I'm proposing a whitelist, not a blacklist, for the very reason that
...It is technically impossible to detect every new dangerous URL or website
[and] It’s so much easier to tell someone what’s safe, than it is to detect
And I'm proposing that it be foundation-supported (by, e.g., a
well-trusted source like Mozilla) so that it also can be (1)
trustworthy; (2) cost-free to end users; (3) as private as possible; and
So, I agree with you Ronald - your suggestion is a great one. But I’m afraid it
doesn’t solve the problem in the same way that website identity does - as I
I am still not clear on how presenting website identity to users reduces
phishing so well. Can you explain? Can you point me to one of your
papers that discusses this idea? I see, e.g., pp. 18-19 of
https://www.metacertprotocol.com/assets/metacert_white_paper.pdf , but
it uses very general marketing-style language ("The feedback on this
product has been overwhelming. Cryptonite gained over 50,000 active
users in the first six weeks of launch. Users want to remain safe when
buying and selling crypto and our user base continues to grow") that
doesn't help me evaluate how well it works.
dev-security-policy mailing list