On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote:
The point isn't to detect "every" phishing URL, but to put a big dent in
the problem, and to keep denting it indefinitely.
[PW] Ronald, I don’t believe better detection and prevention is the answer for
anti-phishing - but not trying isn’t an option, obviously. With billions of dollars
being invested in this area, and with hundreds of millions changing hands through
M&A every year, the problem is getting worse. Every week we read about yet
another security company with anti-phishing [insert fancy words here]. It ain’t
I believe I demonstrated in a previous message, with data and techniques, why
it’s impossible for any company to detect every phishing URL or website.
Perhaps my data is outdated, since it was from 2017, which is mostly
before Let's Encrypt became big in DV certs.... Anyway, do you have a
specific URL for those stats?
And I’m afraid you’re incorrect about SSL certs. According to Webroot, over 93%
of all new phishing sites use an SSL certificate. And according to MetaCert
it’s over 95%.
And of those with a DV cert, over 95% come from Let’s Encrypt - because they’re
automatically issued for free and they have a near-zero policy for detection,
prevention or cert revocation. This is why over 14,000 SSL certs were issued by
Let’s Encrypt for domains with PayPal in it - so if you believe in better
detection and prevention, why don’t you/we request this of Let’s Encrypt?
Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? If people
think “EV is broken” they must think DV is stuck in hell with broken legs.
Not exactly, since DV exists only to verify domain control. The real
problem is that *registrars* are registering obvious phishing domains.
Why is this happening? Who (if anyone) regulates registrars?
"Impossible" is false. I would accept that "difficult for most users" is
true, though my view is based more on intuition than data. That doesn't
mean that we shouldn't make it easier to verify domains, nor does it
mean that we shouldn't try other tacks in addition, such as the
foundation-supported whitelist I proposed, and better means of
site-identity verification, as you have proposed.
It’s impossible to properly verify the domain by looking at it - you need to
carry out other checks.
It’s simply not solving the problem.
I provided data and insight to how website identity UI can work
Please cite a specific URL of a paper showing the data on this. It
should have a description of its hypothesis, methods, and quantitative
results data. Something like that really could help push this
conversation forward. Please do not cite marketing papers like