On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote:
> [PW] Ronald, I don’t believe better detection and prevention is the answer for
> anti-phishing - but not trying isn’t an option, obviously. With billions of dollars
> being invested in this area, and with hundreds of millions changing hands through
> M&A every year, the problem is getting worse. Every week we read about yet
> another security company with anti-phishing [insert fancy words here]. It ain’t
> work’n.

> I believe I demonstrated in a previous message, with data and techniques, why
> it’s impossible for any company to detect every phishing URL or website.
The point isn't to detect "every" phishing URL, but to put a big dent in the problem, and to keep denting it indefinitely.
> And I’m afraid you’re incorrect about SSL certs. According to Webroot, over 93%
> of all new phishing sites use an SSL certificate. And according to MetaCert
> it’s over 95%.
Perhaps my data is outdated, since it was from 2017, which is mostly before Let's Encrypt became big in DV certs.... Anyway, do you have a specific URL for those stats?
> And of those with a DV cert, over 95% come from Let’s Encrypt - because they’re
> automatically issued for free and they have a near-zero policy for detection,
> prevention or cert revocation. This is why over 14,000 SSL certs were issued by
> Let’s Encrypt for domains with PayPal in it - so if you believe in better
> detection and prevention, why don’t you/we request this of Let’s Encrypt?
>
> Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? If people
> think “EV is broken” they must think DV is stuck in hell with broken legs.

Not exactly, since DV exists only to verify domain control. The real problem is that *registrars* are registering obvious phishing domains. Why is this happening? Who (if anyone) regulates registrars?

> It’s impossible to properly verify the domain by looking at it - you need to
> carry out other checks.
"Impossible" is false. I would accept that "difficult for most users" is true, though my view is based more on intuition than data. That doesn't mean that we shouldn't make it easier to verify domains, nor does it mean that we shouldn't try other tacks in addition, such as the foundation-supported whitelist I proposed, and better means of site-identity verification, as you have proposed.
> It’s simply not solving the problem.

> I provided data and insight to how website identity UI can work

Please cite a specific URL of a paper showing the data on this. It should have a description of its hypothesis, methods, and quantitative results data. Something like that really could help push this conversation forward. Please do not cite marketing papers like https://www.metacertprotocol.com/assets/metacert_white_paper.pdf .

-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy