Ben Bucksch wrote:
Florian Weimer wrote:
Host names like c1d3q2 are fine, but you shouldn't be allowed to use a
well-known or registered trademark. If I read the Verisign CPS
correctly, I would be able to obtain an EV certificate for
citibank.enyo.de if I incorporated.
Right, that's the current phishing approach.
We are currently looking into the feasibility of using the new effective
TLD service to change the URL bar so it would read (where CAPS indicates
emphasis):
www.citibank.ENYO.DE
www.CITIBANK.COM
which makes the distinction between the two quite a bit more obvious.
Well, the cert would say "Enyo GmbH". Assuming the user looks at that
(we should not discuss UI here, but let's say it's shown in or near the
URL bar). But you're right, a typical phishing victim could just as
easily be confused, given that they happily enter their bank login at
http://64.246.35.72/phase3/citibank.html
Indeed. And I agree, as long as people are happy to do that, there's not
all that much browser makers can do to protect them. Just the same as if
people don't wear seatbelts, there's not all that much you can do to
help by making the windscreen a bit more padded ;-)
Gerv
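The URL-bar emphasis Gerv describes, as an added example that is not part of this thread and not Mozilla's effective-TLD service code: a toy registrable-domain lookup over a small constructed suffix list (the real service uses the full Public Suffix List), which renders the registrable domain in caps and declines to emphasise a bare IP literal like the one Ben quotes.

```javascript
// Added example, not the thread's or Mozilla's code. SUFFIX_RULES is a
// constructed stand-in for the Public Suffix List, using its rule syntax:
// plain suffixes, "*." wildcards and "!" exceptions.
const SUFFIX_RULES = ["com", "de", "uk", "co.uk", "*.ck", "!www.ck"];

function parseRules(rules) {
  const parsed = { plain: new Set(), wildcard: new Set(), exception: new Set() };
  for (const r of rules) {
    if (r.startsWith("!")) parsed.exception.add(r.slice(1));
    else if (r.startsWith("*.")) parsed.wildcard.add(r.slice(2));
    else parsed.plain.add(r);
  }
  return parsed;
}
const RULES = parseRules(SUFFIX_RULES);

// Number of trailing labels forming the public suffix. Longest match wins;
// an exception rule makes its parent the suffix; unknown TLDs count as one label.
function publicSuffixLength(labels) {
  let best = 1;
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = labels.slice(i).join(".");
    if (RULES.exception.has(candidate)) return labels.length - i - 1;
    if (RULES.plain.has(candidate)) best = labels.length - i;
    const parent = labels.slice(i + 1).join(".");
    if (parent && RULES.wildcard.has(parent)) best = labels.length - i;
  }
  return best;
}

// Registrable ("base") domain: public suffix plus one label.
// Returns null for an IPv4 literal or a host that is itself only a suffix.
function registrableDomain(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return null;
  const labels = h.split(".");
  const n = publicSuffixLength(labels);
  if (labels.length <= n) return null;
  return labels.slice(labels.length - n - 1).join(".");
}

// Render the host with its registrable domain in CAPS, as proposed above.
function emphasiseHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const base = registrableDomain(h);
  if (base === null) return h;
  return h.slice(0, h.length - base.length) + base.toUpperCase();
}
```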
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security