On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote:
On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote:
[PW] Ronald, I don’t believe better detection and prevention is the answer for
anti-phishing - but not trying isn’t an option, obviously. With billions of dollars
being invested in this area, and with hundreds of millions changing hands through
M&A every year, the problem is getting worse. Every week we read about yet
another security company with anti-phishing [insert fancy words here]. It’s ain’t
work’n.
I believe I demonstrated in a previous message, with data and techniques, why
it’s impossible for any company to detect every phishing URL or website.
The point isn't to detect "every" phishing URL, but to put a big dent in the
problem, and to keep denting it indefinitely.
[PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement
DoH is going to make everything much worse for the security world - it’s
insanely bad ....
This is off-topic.
Incumbent security systems do help to provide a “dent” in the problem. But the
dent isn’t good enough as per my previous commentary.
As far as I can tell, absolutely nothing different has been tested in the past
10 years (sure, AI and other fancy words have been added, but not really
helping much). Attacks and breaches are increasing, not decreasing.
If Firefox had a new separate icon for website identity it would be the single
biggest improvement to internet safety we’ve seen in the past 10 years - way
bigger than encryption - in my opinion - I don’t have data to substantiate that
particular assertion.
Since a foundation-supported whitelist would work without much user
training or intervention, I'd suspect it'd work better than any UI. But
that, also, is supposition.
It’s impossible to properly verify the domain by looking at it - you need to
carry out other checks.
"Impossible" is false. I would accept that "difficult for most users" is true,
though my view is based more on intuition than data. That doesn't mean that we shouldn't make it
easier to verify domains, nor does it mean that we shouldn't try other tacks in addition, such as
the foundation-supported whitelist I proposed, and better means of site-identity verification, as
you have proposed.
[PW] You’re right - it’s false. Let’s say that it’s exceptionally difficult for
almost everyone in the world....
OK.
It’s simply not solving the problem.
I provided data and insight to how website identity UI can work
Please cite a specific URL of a paper showing the data on this. It should have
a description of its hypothesis, methods, and quantitative results data.
Something like that really could help push this conversation forward. Please do
not cite marketing papers like
https://www.metacertprotocol.com/assets/metacert_white_paper.pdf .
[PW] I’m confused. I never cited that paper. There is zero evidence to suggest
that the paper we wrote can or will success. We believe it can and will, but
there’s no evidence in there. Why are you asking me not to cite something that
I didn’t cite.
I did however, provide a massive amount of data and referenced many companies I
would consider to be a competitor of sorts. If you go through the threads you
will also see company-specific data on a product but that’s not even referenced
in the old white paper to which you refer. That’s not even our company website
- it’s a blockchain project.
I'm confused. You said that "I provided data and insight to how website
identity UI can work" and "I did however, provide a massive amount of
data..." then when I asked for a paper showing the data (on the
effectiveness of "how [your proposed] website identity UI can work") and
how you got it -- so I can understand what you're proposing and what
effect it might have -- you seem to have told me that there's no paper
to cite?
To return to a different phishing-related topic I mentioned earlier,
does anyone know why registrars are registering obvious phishing
domains? Does anyone know how (if?) registrars are regulated, and by whom?
-R
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy