- From: Ian Fette <ifette@google.com>
- Date: Fri, 31 Aug 2007 11:13:39 -0700
- To: "Dan Schutzer" <dan.schutzer@fstc.org>
- Cc: michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org, todd.inskeep@bankofamerica.com, dixonom@wellsfargo.com, rudolphm@wellsfargo.com
- Message-ID: <bbeaa26f0708311113y15efeb8cx77f392c3991d95e5@mail.gmail.com>

Fair point that solution difficulty shouldn't necessarily limit scope. I am a bit skeptical as to the practicality of implementing this, but you're right that that should not be a blocking point at this time. I'd be interested to see what comes up, i.e. if anyone comes up with a solution that scales well given the large volume and transient nature, and is also privacy-preserving for clients doing lookups.

-Ian

On 8/31/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:
> I agree with Mike's comments
>
> ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] *On Behalf Of* michael.mccormick@wellsfargo.com
> *Sent:* Thursday, August 30, 2007 5:56 PM
> *To:* ifette@google.com; public-wsc-wg@w3.org
> *Cc:* dan.schutzer@fstc.org; todd.inskeep@bankofamerica.com; dixonom@wellsfargo.com; rudolphm@wellsfargo.com
> *Subject:* RE: New Use Case for W3C WSC
>
> Indeed. But solution difficulty shouldn't be a factor in determining the validity of a use case or requirement.
>
> Fwiw I don't think the problem is intractable. For instance, a list of takedown URLs could be maintained & published by appropriate law enforcement authorities, which browsers would consult to determine whether to display an educational page instead of the standard 403 error.
>
> Mike
>
> ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] *On Behalf Of* Ian Fette
> *Sent:* Friday, August 24, 2007 10:26 AM
> *To:* public-wsc-wg@w3.org
> *Subject:* Re: New Use Case for W3C WSC
>
> The problem is that it's difficult (perhaps impossible) to, in the browser, distinguish between "This was a phishing site and now it's gone" and "This is just a page that's not here". It's possible that the URL has made it on to a blacklist, in which case then the browser might have this information, but dead URLs are not always maintained on blacklists...
>
> On 8/24/07, *Timothy Hahn* <hahnt@us.ibm.com> wrote:
>
> Dan,
>
> FWIW, I like the use case below. It points out an opportunity for educating people as they traverse to something that has been addressed (or so it appears) by "someone/thing out there". The current status-quo is that they receive an error that is indistinguishable from something they get if they, themselves, did something wrong (like mis-type a URL).
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
> From: "Dan Schutzer" <dan.schutzer@fstc.org>
> To: <public-wsc-wg@w3.org>
> Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
> Date: 08/24/2007 07:50 AM
> Subject: New Use Case for W3C WSC
>
> ------------------------------
>
> I'd like to submit a new use case, shown below, that several of our members would like included. It looks for recommendations on how to educate customers who have fallen for a phishing email, and improve the type of response customers generally get today when they try to access a phishing site that has been taken down. I hope this is not too late for consideration.
>
> *Use Case*
>
> Frank regularly reads his email in the morning. This morning he receives an email that claims it is from his bank asking him to verify a recent transaction by clicking on the link embedded in the email. The link does not display the usual URL that he types to get to his bank's website, but it does have his bank's name in it. He clicks on the link and is directed to a phishing site. The phishing site has been shut down as a known fraudulent site, so when Frank clicks on the link he receives the generic Error 404: File Not Found page. Frank is not sure what has occurred.
>
> *Destination site*
> prior interaction, known organization
>
> *Navigation*
> none
>
> *Intended interaction*
> verification
>
> *Actual interaction*
> Was a phishing site that has been shut down
>
> *Note*
> Frank is likely to fall for a similar phishing email. Is there some way to educate Frank this time, so that he is less likely to fall for the phishing email again?

Received on Friday, 31 August 2007 18:14:15 UTC