
A Plan For Scams

Version 0.2 - 2005-02-11

Phishing - the setting up of fake websites to collect high-value information such as bank passwords and credit card details - has become a major Internet issue. Tackling the problem requires a co-ordinated effort from browser and mail client vendors, website owners, ISPs, domain registrars and certificate authorities. Here's a suggested plan for each group.

Browsers

As the vehicle overwhelmingly used for interacting with high-value sites and making transactions, browsers are in the forefront of the phishing war.

  1. Make sure every window onto every SSL site displays its secure nature, together with unspoofable and clear site-identifying information. The aim is to make it possible for users to be quickly and easily certain of where they are. Firefox does this by making the status bar permanent, and having a lock and the site domain name in the bottom right corner; other implementations are possible.

    My paper "Phishing - Browser-based Defences" explains in more detail why SSL is essential for any anti-phishing strategy.
  2. Create a permanent history of domains accessed over SSL, and use it to notify the user when they are accessing an SSL domain that they have not visited before. This leverages the key fact about a phish - a user thinks they are somewhere they've been before, when in fact they aren't. Done correctly, this should make the user pause before they submit any confidential information. The UI in Firefox would look something like the following:

    [Image - First time: Firefox security UI with "first visit" text and orange background]
    [Image - All other times: Firefox security UI (normal)]

    "Phishing - Browser-based Defences" explains how the necessary history can be kept for long periods without too many privacy issues arising.

  3. Implement phishing detection heuristics. If the browser thinks the site is a phish, display a security bar which gives access to an explanation why, and disable all form controls on pages from that site until the user actively dismisses the bar. This forces the user to consider the problem, and avoids "automatic popup dismissal".

    [Image: Firefox warning bar warning about possible phishing]

    "Phishing - Browser-based Defences" includes discussion of which heuristics should and should not be used.

  4. Implement, and encourage users to use, a version of PwdHash. PwdHash is a system that allows users to have a different generated password for every domain based on one master password. As a side effect, it defeats phishing because phishers at a fake domain get sent a password generated for their domain rather than for the original. (Blake, one of the PwdHash authors, and I have had discussions about exactly how the UI should work - but we both agree on the usefulness of the idea.)
  5. If the browser supports IDNs, blacklist TLDs where homographic domains are not treated as a block, and display IDN domains in those TLDs in their ugly, raw form - i.e. www.xn--pypal-4ve.com. Many registrars get IDN right, and you should allow it to work correctly for them; a few notable exceptions get it wrong. So if you make IDN ugly in those errant TLDs, people looking to buy IDN domains will look somewhere else - and that'll affect the bottom lines of the registrars in that TLD.
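As an added illustration of the PwdHash idea in point 4 above (example code written for this page, not the PwdHash project's own implementation; real PwdHash uses a different hash and output encoding, and the master password, domains, output length and HMAC-SHA256 construction here are assumptions), this derives a per-site password and shows why a password captured at a look-alike domain is useless at the real one:

```python
import base64
import hashlib
import hmac

# Constructed example values: a master password and the two domains involved.
MASTER_PASSWORD = "correct horse battery staple"
REAL_DOMAIN = "www.paypal.com"
PHISH_DOMAIN = "www.paypai.com"


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels so that www.paypal.com and
    paypal.com share one password. (Assumption: a simple stand-in for the
    public-suffix handling a real implementation would need.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, host: str, length: int = 16) -> str:
    """Derive the password sent to a site from the master password and the
    site's domain. The domain is the HMAC message, the master the key, so a
    different domain yields an unrelated password."""
    domain = registrable_domain(host)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    # Base64 gives a printable password; truncate to a length sites accept.
    return base64.b64encode(digest).decode("ascii")[:length]


def phish_gets_useful_password(master: str, real_host: str, phish_host: str) -> bool:
    """True only if the password typed at phish_host would also work at real_host."""
    return site_password(master, phish_host) == site_password(master, real_host)


if __name__ == "__main__":
    print("real site :", site_password(MASTER_PASSWORD, REAL_DOMAIN))
    print("phish site:", site_password(MASTER_PASSWORD, PHISH_DOMAIN))
    print("captured password reusable:",
          phish_gets_useful_password(MASTER_PASSWORD, REAL_DOMAIN, PHISH_DOMAIN))
```

The user never sees or types the derived password, so the master password itself is never transmitted; only the domain-bound derivative is, and that is all a phisher at www.paypai.com receives.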

Mail Clients

Mail clients are the most common mechanism for phishers to deliver their lies to users.

  1. Implement phishing detection heuristics. You can use some of the same techniques as the browser, but can also analyse the properties of the email message. In a mail client, it's possible to be more aggressive and pop up a warning when the user clicks a suspicious link. Thunderbird has already implemented a simple form of this.
  2. Implement SPF and DomainKeys directly in the client (ISSUE: does SPF then become SenderID, and therefore patented?). Although both of these standards were designed to be used by mailservers, there is no reason why clients cannot implement them directly in order to protect their users. SPF in particular is fairly easy - a DNS lookup, a small bit of parsing and some comparisons. This protects users whose ISPs are not doing so.
  3. Do not allow the user to turn off the display of email addresses unless the sender is in their address book. Once SPF becomes widespread, phishers will have to send phishing email with a From header set to a domain other than the target site. This information must be displayed to the user so they can use it in evaluating the email. (Thunderbird already does this.)
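An added example of the "DNS lookup, a small bit of parsing and some comparisons" in point 2, combined with the From-domain display in point 3; it also shows the difference between the "hard fail" (-all) records the Web Sites section asks for and a soft fail (~all). This is example code written for this page, not Thunderbird's or any SPF library's; the DNS zone contents are constructed and stand in for live TXT lookups, and only the ip4, ip6, include and all mechanisms are implemented:

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: these zones and
# addresses are invented for this example and replace live queries).
DNS_TXT = {
    "bank.example":   ["v=spf1 ip4:192.0.2.0/24 include:mailer.example -all"],
    "mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example":  [],
}

# SPF qualifier -> result name
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; a client would call a resolver here."""
    return DNS_TXT.get(domain.lower().rstrip("."), [])


def spf_record(domain):
    """Return the single v=spf1 record for the domain, or None if absent or ambiguous."""
    records = [r for r in lookup_txt(domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                      # RFC 7208 caps include: recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv6 sender never matches an ip4 network, and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists, redirect= not handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def sender_domain(from_header):
    """Domain part of the address in a From: header (what point 3 says to show)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_message(from_header, connecting_ip):
    """What a client can do with the two pieces before deciding to warn."""
    domain = sender_domain(from_header)
    return domain, check_spf(domain, connecting_ip)


if __name__ == "__main__":
    print(classify_message("Bank <alerts@bank.example>", "192.0.2.55"))   # pass
    print(classify_message("Bank <alerts@bank.example>", "203.0.113.7"))  # fail
```

A mail client does not see the SMTP envelope, so `connecting_ip` must be taken from the outermost Received header that the user's own mailserver wrote (an assumption of this example); with a hard-fail record from bank.example, a message that fails can be flagged or discarded, whereas a softfail from mailer.example only justifies a warning.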

Domain Registrars

Domain registrars have a special responsibility to protect the Internet community against homographic domain attacks.

  1. Treat domains in a homographic set as an inseparable block, as the advice has long recommended. Many registrars get this right already. This is in your own interest - if you issue enough domains which are used for phishing, it could start to damage your reputation, and the reputation of your TLD.
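An added example covering both the browser-side display rule in Browsers point 5 (show a mixed-script IDN label in its raw xn-- form) and the registrar-side "homographic set" check in point 1 above. This is example code for this page, not from any browser or registrar; the script detection uses Unicode character names as an approximation, and the confusables table is a small constructed subset of the Unicode one:

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters mapped to the
# Latin letters they resemble (assumption: a real check would load the full
# confusables.txt table rather than this hand-picked list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode
    name ("LATIN", "CYRILLIC", ...). Digits and hyphens are script-neutral."""
    if ch in "-0123456789":
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def label_scripts(label):
    return {s for s in map(script_of, label) if s is not None}


def is_mixed_script(label):
    """True when one DNS label mixes scripts, the hallmark of a homograph."""
    return len(label_scripts(label)) > 1


def to_punycode(host):
    """The raw xn-- form, produced by the standard library's IDNA encoder."""
    return host.encode("idna").decode("ascii")


def display_form(host):
    """What a browser should show: the Unicode host when every label is a
    single script, the ugly raw form otherwise."""
    if any(is_mixed_script(label) for label in host.split(".")):
        return to_punycode(host)
    return host


def skeleton(label):
    """Fold confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())


def same_homographic_set(label_a, label_b):
    """Registrar-side check: two labels belong to one block when their
    skeletons agree, so they should be sold only together."""
    return skeleton(label_a) == skeleton(label_b)


if __name__ == "__main__":
    lookalike = "www.p\u0430ypal.com"   # constructed: Cyrillic а where Latin a belongs
    print(display_form(lookalike))                          # www.xn--pypal-4ve.com
    print(display_form("www.paypal.com"))                   # www.paypal.com
    print(same_homographic_set("p\u0430ypal", "paypal"))    # True
```

The same `skeleton` comparison serves the certificate authority check further down: a request whose skeleton matches a well-known name but whose label differs is exactly the case to refuse or inspect by hand.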

Certificate Authorities

  1. Refuse to issue certificates to any domain in a homographic set unless the person or organisation in question owns the entire set, or at least the "root" domain. You can provide a second layer of defence if the domain registrars are not doing their job. This is also in your own interest - if you issue a certificate to a site subsequently used for phishing, it could seriously damage your reputation.
  2. Manually inspect all certificate requests to see if the name is suspiciously close to that of a well-known high value site. Domain registrars operate on a low-cost, high-volume model and manual inspection of domain names isn't really possible. But at $400 a cert, you should be able to apply enough due diligence to avoid giving a cert to http://www.paypai.com. Outsource to Asia if you must.

Web Sites

High-value web sites can do more to protect themselves than they currently do.

  1. Use SSL, and teach users to "look for the lock". SSL is required for the browser to be able to verify when it is, or is not, pointed at your site. This point, at least, won't require much effort - almost every high-value site already uses SSL.
  2. Encourage your customers to use client software which protects them from phishing attacks. Support such software on your site, and provide help which specifically explains how to use its security features. For Firefox, this would mean pointing out the always-on status bar and telling customers to look for your domain name in it.
  3. Publish "hard fail" SPF records and implement DomainKeys. SPF may have its detractors when it comes to stopping spam, but it definitely helps with phishing. DomainKeys gives you many of the advantages of signed emails without the need for end users to understand encryption and digital signatures.
  4. For very high value sites like banks, use a 2-stage login over SSL with the username input on the first page and the password(s) on the second. This allows you to decorate the second page in a user-specific way - for example, with an image generated from a hash of their username. You can tell the user to be suspicious if this image ever changes or doesn't appear. Update 2005-03-14: it has been pointed out that phishers could load the real site in the background to get access to your image, so this may not be as useful as I thought.
  5. Keep a close eye on your system logs, particularly Referers. Many phishing sites redirect to your login page after doing their nefarious work; most browsers send the Referer header, so some aggregation should point you straight at the phishing sites. You can also check which other pages are using your images - many phishing sites load graphics straight from the original site. You can then put up a "you've just been phished" alert for people arriving from those domains. It's not prevention, but it's immediate notification, and that's better than nothing.
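An added example of the Referer aggregation in point 5, run over a few web server log lines in Combined Log Format (example code for this page, not from the original article; the log lines, hostnames, paths and alert threshold are constructed):

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: the site's own hostnames, and which paths are worth watching.
OWN_HOSTS = {"www.bank.example", "bank.example"}
LOGIN_PATHS = ("/login",)
IMAGE_PATHS = ("/images/",)

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (addresses and hostnames are invented for this example):
# one internal referer, three hits from a look-alike host, one search engine, one direct.
SAMPLE_LOG = """
203.0.113.5 - - [14/Mar/2005:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://www.bank.example/" "Mozilla/5.0"
203.0.113.9 - - [14/Mar/2005:10:02:11 +0000] "GET /login HTTP/1.1" 200 512 "http://www.bank-example-verify.test/verify.php" "Mozilla/5.0"
203.0.113.9 - - [14/Mar/2005:10:02:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.bank-example-verify.test/verify.php" "Mozilla/5.0"
203.0.113.12 - - [14/Mar/2005:10:05:40 +0000] "GET /login HTTP/1.1" 200 512 "http://www.bank-example-verify.test/verify.php" "Mozilla/5.0"
203.0.113.20 - - [14/Mar/2005:10:07:03 +0000] "GET /login HTTP/1.1" 200 512 "https://search.example/?q=bank+login" "Mozilla/5.0"
203.0.113.31 - - [14/Mar/2005:10:09:55 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Split one log line into its fields, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from the Referer header; None for direct hits ("-") or empty values."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def external_referers(lines):
    """Count, per external host, arrivals at the login page and hotlinked images."""
    login_refs, image_refs = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in OWN_HOSTS:
            continue
        if rec["path"].startswith(LOGIN_PATHS):
            login_refs[host] += 1
        elif rec["path"].startswith(IMAGE_PATHS):
            image_refs[host] += 1
    return login_refs, image_refs


def suspected_phishing_hosts(lines, threshold=2):
    """Hosts that both send visitors to the login page and hotlink your images,
    or that send at least `threshold` visitors, are candidates for the
    "you've just been phished" alert on arrival."""
    login_refs, image_refs = external_referers(lines)
    hosts = set(login_refs) | set(image_refs)
    return sorted(h for h in hosts
                  if (login_refs[h] and image_refs[h]) or login_refs[h] >= threshold)


if __name__ == "__main__":
    print(suspected_phishing_hosts(SAMPLE_LOG))   # ['www.bank-example-verify.test']
```

The threshold keeps a single search-engine referer off the list; a host that both redirects people to the login page and pulls your logo is a strong signal on its own, which is why the image count is combined with the login count.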

ISPs

  1. Implement SPF and DomainKeys. This protects your customers by allowing you to throw away many phishing (and spam, for that matter) emails with no risk of false positives.

You will note that in all of this, I have not recommended anything which requires large amounts of user education. User education has its place, but the primary responsibility for protecting Internet users rests with us, the Internet's creators, maintainers and access providers. If all those groups were to do their part, I am confident that the phishing problem could be significantly reduced.

Gerv

Credits

  • Paul Graham - apologies for playing on the title of his essay, but also many thanks for making email usable again
  • Jesse Ruderman for the domain blacklist idea
  • Various phishing toolbars for heuristic ideas
  • Ian G for useful early feedback
  • The members of the Mozilla security group

Original URL: http://www.gerv.net/security/a-plan-for-scams/