On 8/13/2020 3:18 PM, Tobias S. Josefowitz via dev-security-policy wrote:
On Thu, Aug 13, 2020 at 11:48 PM Ronald Crane via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
On 8/13/2020 2:25 PM, Tobias S. Josefowitz via dev-security-policy wrote:
Detecting phishing domains by "looking at them as strings" may thus be
futile, and "blocking obvious phishing domains" may be a not so
entertaining but ultimately pointless game of whack a mole for CAs;
and that is especially since there is not that much to actually
suggest that CAs are the best place to whack moles *to prevent users
from being phished* **in their webbrowsers**, which I believe is
actually what we are discussing here anyway.
But it could be that examining domains as strings usefully impedes
(though of course does not eliminate) phishing. Impeding internet
malefactors is _always_ a game of whack-a-mole. If it become harder
successfully to phish with official-appearing domains, phishers will try
something else, and the guardians of the internet (such as there are)
will have to counter that tactic. [1] It is not a question of what's
"the best place" to counter phishing, but whether it's useful for
registrars, CAs, and hosts to do some of the work.
So then, assuming we don't know, I don't think it would be appropriate
to just wish for the best, task the CAs to do it anyway, with the
option of threatening them with distrust later on if they are just!
not! good! enough! at it for some reason.
Given the origin of this thread (report of CA issuing cert for obvious
phishing domain that could be used to cause extensive damage to many
people), this is rather facile. You seem to be arguing that because some
edge cases will arise that will cause CAs (and domain registrars) some
heartburn , we should not require CAs (and domain registrars) to avoid
issuing certs (and domains) that are obviously useful for phishing.
Clearly this phisher thought that it was useful to register a "phishy"
domain rather than a non-"phishy" domain. This is some evidence that
"phishy" domains are bad. Should CAs and registrars filter them?
Possibly. I see no reason to discard this idea out of hand.
Even if examining domains as
strings usefully *should* impede phishing, that still leaves the
questions of why browsers would have the CAs do that for them as
opposed to running the phish-decider themselves.
Maybe because more than one layer of protection is usually better than
only one? Maybe because registrars and CAs profit from the internet, and
so they should also help proactively to improve its safety, rather than
doing only the bare minimum that the BRs can be read to require?
When it comes to whack-a-moling in general, on the internet, I
disagree. Not with the fact that it is maybe predominantly how
problems are attacked necessarily, but I do disagree in playing
whack-a-mole being the best, or even a good enough idea....
In the same sense I believe we must seek to make improvements to
internet security that are fundamental, not an arms race, as an arms
race never really gets you far from where you started out anyway but
consumes tremendous resources.
It would be wonderful to have a single sovereign remedy for all the
internet's problems. We haven't so far, and I doubt very much that we
ever will (but please write an RFC if you think you do). The physical
world is awash in whack-a-mole problems, and the internet, to all
appearances, is the same.
-R
Along those lines, do you know of any research on whether "phishy"
domains are more effective than non-"phishy" ones?
I do not currently have any publicly available and/or sufficiently
"just the data/analysis we needed"-type material to reference,
unfortunately.
Tobi
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy