- From: Larry Masinter <masinter@adobe.com>
- Date: Thu, 26 Nov 2009 12:45:48 -0800
- To: Shawn Steele <Shawn.Steele@microsoft.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
- CC: "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
I would support a separate, longer document addressing phishing in particular; it would be great if this could be referenced by the IRI document itself. Perhaps it could be a BCP. This might be a way of getting specific review of the broader security issues. Shawn, are you interested in editing such a document?

I'd also suggest some coordination with the HTTPBIS security section: http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-08#section-11

> Phishers abuse domain names certainly, but they still use all-ASCII.

The concern is that once IRIs with IDN are deployed, this will create an entirely new, rich attack surface. Putting in preventative measures before deployment rather than after the fact would be prudent.

Larry
--
http://larry.masinter.net

-----Original Message-----
From: Shawn Steele [mailto:Shawn.Steele@microsoft.com]
Sent: Wednesday, November 25, 2009 12:12 PM
To: "Martin J. Dürst"
Cc: Larry Masinter; PUBLIC-IRI@W3.ORG; Pete Resnick; Ted Hardie
Subject: RE: phishing in IRIs

> What I am saying is that spoofing of IRIs with the domain name part is a much greater problem than spoofing with IRIs in the rest of the IRI.

I don't disagree with that :) But you extended it (I thought) to "the IDNs in the IRIs", which I don't see any evidence of. Phishers abuse domain names certainly, but they still use all-ASCII.

> The IETF has a tradition of putting security considerations in the main document, not as a separate document.

I'm concerned that to fully address the issues of security considerations in IRIs would take quite a bit of space. I'm also concerned that some aspects might lead to a lot of discussion, as there probably isn't one "right" way to handle IRI security. An effective security document for IRIs IMO would be comparable to trying to address how to handle spam in email. So maybe the WG could consider mentioning some security concerns in the main document and provide a further document that describes security in more detail?
For example, I think the discussion of safe-yourbank.com IRIs is interesting, but I'm not sure the main document is the right place for all of that discussion. -Shawn
Received on Thursday, 26 November 2009 20:46:36 UTC
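The two host-spoofing patterns argued over in this thread, the all-ASCII lookalike Shawn points to (safe-yourbank.com, or the brand placed in the userinfo part) and the IDN homograph Larry is worried about (a Cyrillic letter standing in for a Latin one), can be made concrete with a small classifier. The following is an added example written for this page; it is not code from the thread, from the IRI draft, or from the HTTPBIS draft. The BRANDS allowlist, the CONFUSABLES table and the two-label notion of "registrable domain" are constructed assumptions for illustration; a real deployment would use the Public Suffix List and the Unicode TR39 confusables data.

```python
"""Added example (not from the IRI thread): classify the host of an IRI for the
all-ASCII lookalike and the IDN homograph phishing patterns. BRANDS, CONFUSABLES
and the two-label registrable() rule are constructed assumptions."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of genuine registrable domains (assumption).
BRANDS = {"yourbank.com", "paypal.com"}

# Constructed confusable table: a few Cyrillic/Greek letters that render like
# Latin ones. A real check uses the Unicode TR39 confusables.txt data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def host_of(iri):
    """Host of an IRI, NFC-normalised and lower-cased (urlsplit keeps non-ASCII)."""
    host = urlsplit(iri).hostname or ""
    return unicodedata.normalize("NFC", host).lower()


def to_ascii(host):
    """What a client actually resolves: non-ASCII labels punycode-encoded (IDNA)."""
    return host.encode("idna").decode("ascii")


def script_of(ch):
    """Script taken from the Unicode name ('LATIN', 'CYRILLIC', ...); non-letters are COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(host):
    """Labels that mix scripts, e.g. Latin 'p' beside Cyrillic 'а' in 'pаypal'."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(host):
    """Fold confusables to their Latin lookalike so 'pаypal' compares as 'paypal'."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def registrable(host):
    """Last two labels; a real check consults the Public Suffix List (assumption)."""
    return ".".join(host.split(".")[-2:])


def classify(iri):
    """One of: genuine, userinfo-decoy, idn-homograph, ascii-lookalike, unrelated."""
    parts = urlsplit(iri)
    host = host_of(iri)
    tokens = [b.split(".")[0] for b in BRANDS]
    if registrable(host) in BRANDS:
        return "genuine"
    # http://yourbank.com@evil.example/ : the brand sits in userinfo, not the host
    if parts.username and any(t in parts.username.lower() for t in tokens):
        return "userinfo-decoy"
    if mixed_script_labels(host) or skeleton(registrable(host)) in BRANDS:
        return "idn-homograph"
    # The all-ASCII case from the thread: brand token inside another registrable domain
    if any(t in host for t in tokens):
        return "ascii-lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample IRIs, one per pattern.
    for iri in ["http://yourbank.com/login",
                "http://safe-yourbank.com/login",
                "http://yourbank.com.evil.example/",
                "http://yourbank.com@evil.example/",
                "http://p\u0430ypal.com/signin"]:
        print(classify(iri), to_ascii(host_of(iri)), iri)
```

Note what the output of to_ascii() makes visible: the homograph host resolves as an xn-- label the user never sees, which is why the check has to run on the Unicode form the user is shown, while the all-ASCII cases pass through IDNA untouched and need the brand-token and userinfo checks instead.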