Re: Stopping (https) phishing from Dean Pierce on 2018-07-12 (public-web-security@w3.org from July 2018)

From: Dean Pierce <pierce403@gmail.com>
Date: Thu, 12 Jul 2018 08:57:11 -0700
To: henry.story@bblfish.net
Cc: public-web-security@w3.org
Message-ID: <CAFOKM3p5NR-=kZNsG6LFaDbPqhNOD1+=WNDe8_TogLudpCp18g@mail.gmail.com>

I think for any solution to be scalable it needs to be community driven
with a lot of agility and flexibility.  I really like some of the attempts
at Web of Trust style solutions, but it's really hard to figure out how to
incentivize good behavior in such a way that can't just as easily be gamed
by criminals to boost the reputation of fraudulent sites.  Still, I feel
like some sort of fuzzy community reputation based solution is the only
approach that makes sense.  The great thing about that is even if a fully
trusted, legitimate site gets hacked and starts serving malware, its
reputation could nosedive over the course of minutes, and quickly protect
additional users from getting pulled in.  I'd like to see green address
bars for well trusted sites, maybe grey for unpopular websites, and dark
red for sites that have been judged by the community to be malicious.
Maybe some browsers could even automatically block sites whose reputation
drops below a certain threshold.

  - DEAN

On Thu, Jul 12, 2018 at 5:21 AM Henry Story <henry.story@bblfish.net> wrote:

> Dear Web Security group members,
>
>   I have recently written up a proposal on how to stop (https) Phishing,
> which has grown 6 fold in the past year according to the Anti Phishing
> Working Group, and a lot more according to Symantec researchers I talked to
> recently.
>
> I am looking into this as part of my PhD at Southampton, which is a mix
> between Web Science, Cybersecurity and Social Machines. Bringing these
> fields together opens up as I believe you will see reading this, new ways
> of thinking of problems that have been dogging us for a while.
>
>   https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9
>
> There is also a response to a couple of questions by Ben Laurie on Twitter
> where I go into a bit more detail on how this solves the UI part of the
> problem.
>
>
> https://medium.com/@bblfish/response-to-remarks-on-phishing-article-c59d018324fe
>
> I am very keen to hear your feedback on this. As TPAC will be in Lyon which
> is a reasonable distance from where I live I may be able to make it there
> to talk about improvements on this proposal following your feedback.
>
> Sincerely,
>
>   Henry Story
>   http://bblfish.net/
>

Received on Friday, 13 July 2018 12:17:14 UTC