On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote:
On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote:
[PW] Ronald, I don’t believe better detection and prevention is the answer for 
anti-phishing - but not trying isn’t an option, obviously. With billions of dollars 
being invested in this area, and with hundreds of millions changing hands through 
M&A every year, the problem is getting worse. Every week we read about yet 
another security company with anti-phishing [insert fancy words here]. It’s ain’t 

I believe I demonstrated in a previous message, with data and techniques, why 
it’s impossible for any company to detect every phishing URL or website.
The point isn't to detect "every" phishing URL, but to put a big dent in the 
problem, and to keep denting it indefinitely.
[PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement 
DoH is going to make everything much worse for the security world - it’s 
insanely bad ....
This is off-topic.
Incumbent security systems do help to provide a “dent” in the problem. But the 
dent isn’t good enough as per my previous commentary.

As far as I can tell, absolutely nothing different has been tested in the past 
10 years (sure, AI and other fancy words have been added, but not really 
helping much). Attacks and breaches are increasing, not decreasing.

If Firefox had a new separate icon for website identity it would be the single 
biggest improvement to internet safety we’ve seen in the past 10 years - way 
bigger than encryption - in my opinion - I don’t have data to substantiate that 
particular assertion.

Since a foundation-supported whitelist would work without much user training or intervention, I'd suspect it'd work better than any UI. But that, also, is supposition.

It’s impossible to properly verify the domain by looking at it - you need to 
carry out other checks.
"Impossible" is false. I would accept that "difficult for most users" is true, 
though my view is based more on intuition than data. That doesn't mean that we shouldn't make it 
easier to verify domains, nor does it mean that we shouldn't try other tacks in addition, such as 
the foundation-supported whitelist I proposed, and better means of site-identity verification, as 
you have proposed.
[PW] You’re right - it’s false. Let’s say that it’s exceptionally difficult for 
almost everyone in the world....
It’s simply not solving the problem.

I provided data and insight to how website identity UI can work
Please cite a specific URL of a paper showing the data on this. It should have 
a description of its hypothesis, methods, and quantitative results data. 
Something like that really could help push this conversation forward. Please do 
not cite marketing papers like 
https://www.metacertprotocol.com/assets/metacert_white_paper.pdf .
[PW] I’m confused. I never cited that paper. There is zero evidence to suggest 
that the paper we wrote can or will succeed. We believe it can and will, but 
there’s no evidence in there. Why are you asking me not to cite something that 
I didn’t cite?

I did however, provide a massive amount of data and referenced many companies I 
would consider to be a competitor of sorts. If you go through the threads you 
will also see company-specific data on a product but that’s not even referenced 
in the old white paper to which you refer. That’s not even our company website 
- it’s a blockchain project.

I'm confused. You said that "I provided data and insight to how website identity UI can work" and  "I did however, provide a massive amount of data..." then when I asked for a paper showing the data (on the effectiveness of "how [your proposed] website identity UI can work") and how you got it -- so I can understand what you're proposing and what effect it might have -- you seem to have told me that there's no paper to cite?

To return to a different phishing-related topic I mentioned earlier, does anyone know why registrars are registering obvious phishing domains? Does anyone know how (if?) registrars are regulated, and by whom?

