- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Tue, 24 Nov 2009 13:33:40 +0900
- To: Shawn Steele <Shawn.Steele@microsoft.com>
- CC: Larry Masinter <masinter@adobe.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Hello Shawn, Mark, others,

When I wrote:

>> Also, it should be noticed that the main attack vector for
>> phishing/spoofing are IDNs, not IRIs in general.

what I wanted to say is that when it comes to phishing/spoofing with IRIs, the main place that actually happens is the IDNs in the IRIs, not the other parts of an IRI (scheme/path/query). The main reason for this statement is that DNS is to a large extent first-come-first-served, whereas most other parts of an IRI are controlled by a single organization that has no interest in spoofing itself.

I didn't mean to say anything about the relative magnitude of ASCII spoofing vs. non-ASCII spoofing, or about the relative magnitude of character lookalike spoofs (e.g. microsoft.com/microsoft.corn) vs. other types of spoof. But then I also think it's difficult to say anything about how these various kinds of spoofs will develop in the future.

Regards, Martin.

On 2009/11/24 2:54, Shawn Steele wrote:
> Huh? I have yet to see a phishing email that uses IDN for a host name. I'd be less certain about general http links, but I haven't casually stumbled across them.
>
> Instead attackers choose other vectors to get my attention. (Drive-by-malicious ads, etc.) Not to mention which, it's currently impossible to determine legitimacy by an ASCII URL. I got what I believe is a real toysrus black friday ad, and it sent me to something like "toysrus.localadservice.com" (I forget the exact name). Anyway, how can I tell that's a "real" toysrus site? If I make an order starting at that link did I just give a phisher my CC info? Phishers could easily abuse our trust in these cases.
>
> Anyway, I agree that this is out of scope and best left to other mechanisms, ones that can catch ASCII too. Educating retailers to use their own domain when farming out their mailing list to a service provider or ad hosting agency would help too. (Eg: serviceprovider.toysrus.com instead of the other way around).
>
> - Shawn
>

--
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp mailto:duerst@it.aoyama.ac.jp
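As an added illustration of the point above that the host (IDN) part of an IRI is where lookalike spoofing concentrates, here is a small Python check that isolates the host of an IRI, decodes A-labels, and flags mixed-script labels and ASCII digraph lookalikes of the microsoft.corn kind. This is not code from the thread; EXPECTED_HOSTS and ASCII_LOOKALIKES are constructed assumptions standing in for a real allowlist and confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of hosts the reader actually trusts (assumption).
EXPECTED_HOSTS = {"microsoft.com", "example.com"}

# Constructed ASCII digraph lookalikes, e.g. "corn" reads as "com" (not exhaustive).
ASCII_LOOKALIKES = {"rn": "m", "vv": "w", "cl": "d"}


def script_of(ch):
    """Coarse script name taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are script-neutral in a hostname label
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_label(label):
    """Turn an A-label (xn--...) into its U-label with the stdlib idna codec."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def skeleton(host):
    """Crude lookalike folding so that 'microsoft.corn' collapses to 'microsoft.com'."""
    s = host.lower()
    for src, dst in ASCII_LOOKALIKES.items():
        s = s.replace(src, dst)
    return s


def assess_host(iri):
    """Return (unicode_host, findings) for the host part of an IRI; scheme/path/query are ignored."""
    host = urlsplit(iri).hostname or ""
    labels = [decode_label(lbl) for lbl in host.split(".")]
    findings = []
    for label in labels:
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:  # e.g. Latin letters with one Cyrillic 'o' mixed in
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
    u_host = ".".join(labels)
    if u_host not in EXPECTED_HOSTS and skeleton(u_host) in {skeleton(h) for h in EXPECTED_HOSTS}:
        findings.append(f"lookalike of an expected host: {u_host!r}")
    return u_host, findings
```

A clean third-party host such as the toysrus.localadservice.com case from the quoted reply produces no finding: the check narrows the lookalike problem but says nothing about legitimacy.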
Received on Tuesday, 24 November 2009 04:34:38 UTC