> On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote:
>> [PW] Ronald, I don’t believe better detection and prevention is the answer 
>> for anti-phishing - but not trying isn’t an option, obviously. With billions 
>> of dollars being invested in this area, and with hundreds of millions 
>> changing hands through M&A every year, the problem is getting worse. Every 
>> week we read about yet another security company with anti-phishing [insert 
>> fancy words here]. It’s ain’t work’n.
>> I believe I demonstrated in a previous message, with data and techniques, 
>> why it’s impossible for any company to detect every phishing URL or website.
> The point isn't to detect "every" phishing URL, but to put a big dent in the 
> problem, and to keep denting it indefinitely.

[PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement 
DoH is going to make everything much worse for the security world - it’s 
insanely bad - I digress however and don’t really want to open another can of 
worms. Just responding to your point.

Incumbent security systems do help to provide a “dent” in the problem. But the 
dent isn’t good enough as per my previous commentary. 

As far as I can tell, absolutely nothing different has been tested in the past 
10 years (sure, AI and other fancy words have been added, but not really 
helping much). Attacks and breaches are increasing, not decreasing. 

If Firefox had a new separate icon for website identity it would be the single 
biggest improvement to internet safety we’ve seen in the past 10 years - way 
bigger than encryption - in my opinion - I don’t have data to substantiate that 
particular assertion. 

>> And I’m afraid you’re incorrect about SSL certs. According to Webroot, over 
>> 93% of all new phishing sites use an SSL certificate. And according to 
>> MetaCert it’s over 95%.
> Perhaps my data is outdated, since it was from 2017, which is mostly before 
> Let's Encrypt became big in DV certs.... Anyway, do you have a specific URL 
> for those stats?
>> And of those with a DV cert, over 95% come from Let’s Encrypt - because 
>> they’re automatically issued for free and they have a near-zero policy for 
>> detection, prevention or cert revocation. This is why over 14,000 SSL certs 
>> were issued by Let’s Encrypt for domains with PayPal in it - so if you 
>> believe in better detection and prevention, why don’t you/we request this of 
>> Let’s Encrypt?
>> Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? If people 
>> think “EV is broken” they must think DV is stuck in hell with broken legs.
> Not exactly, since DV exists only to verify domain control. The real problem 
> is that *registrars* are registering obvious phishing domains. Why is this 
> happening? Who (if anyone) regulates registrars?
>> It’s impossible to properly verify the domain by looking at it - you need to 
>> carry out other checks.
> "Impossible" is false. I would accept that "difficult for most users" is 
> true, though my view is based more on intuition than data. That doesn't mean 
> that we shouldn't make it easier to verify domains, nor does it mean that we 
> shouldn't try other tacks in addition, such as the foundation-supported 
> whitelist I proposed, and better means of site-identity verification, as you 
> have proposed.

[PW] You’re right - it’s false. Let’s say that it’s exceptionally difficult for 
almost everyone in the world. I’m not being sarcastic here - I’m agreeing with 
you. We need to focus on data instead of intuition Ronald - without data we 
just have opinions. Opinions are important but we have too many of them in this 
debate and not enough data.

>> It’s simply not solving the problem.
>> I provided data and insight to how website identity UI can work
> Please cite a specific URL of a paper showing the data on this. It should 
> have a description of its hypothesis, methods, and quantitative results data. 
> Something like that really could help push this conversation forward. Please 
> do not cite marketing papers like 
> https://www.metacertprotocol.com/assets/metacert_white_paper.pdf .

[PW] I’m confused. I never cited that paper. There is zero evidence to suggest 
that the paper we wrote can or will success. We believe it can and will, but 
there’s no evidence in there. Why are you asking me not to cite something that 
I didn’t cite.

I did however, provide a massive amount of data and referenced many companies I 
would consider to be a competitor of sorts. If you go through the threads you 
will also see company-specific data on a product but that’s not even referenced 
in the old white paper to which you refer. That’s not even our company website 
- it’s a blockchain project. 

- Paul

> -R
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

dev-security-policy mailing list

Reply via email to