The recent Shmoo Group punycode phishing demo has caused a lot of debate on the topic of phishing. In fact, domain registrars were warned about this problem (guideline 3, subsection b) when IDN was invented, and many registrars (the Japanese registrars, for example) have implemented sensible controls to counter the problem of homographic domains.
However, it’s caused me to crystallise a number of thoughts I’ve been having on the subject into a paper – Phishing – Browser-based Defences – which covers what we can be doing in the browser space to mitigate the phishing problem. It lists the qualities of a good solution, analyses some of the suggestions that have been made, and then makes three of its own.
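As an added illustration of the homograph problem the demo relies on, and of the kind of check a browser or registrar-side defence can apply, here is a small Python example (written for this post; it is not code from the original post, the Shmoo Group demo, or the paper). It decodes a punycode ("xn--") hostname back to Unicode and flags any label that mixes letters from more than one script. The sample labels are constructed: "paypal" with a Cyrillic "а" (U+0430) in place of the Latin "a", an all-Latin label, and an all-Cyrillic label. The script classification uses the first word of each character's Unicode name, which is a coarse assumption that suffices for Latin, Cyrillic and Greek confusables.

```python
import unicodedata

# Constructed sample labels (not from the original post).
SAMPLES = {
    "homograph": "p\u0430ypal",                       # Latin letters plus Cyrillic "а"
    "latin": "paypal",                                # plain ASCII label
    "cyrillic": "\u043f\u0440\u0438\u0432\u0435\u0442",  # "привет", single-script
}


def char_script(ch):
    """Coarse script classification from the Unicode character name.

    Letters are classed by the first word of their name (LATIN, CYRILLIC,
    GREEK, ...); digits, hyphens and other non-letters are treated as Common
    so they never cause a label to be flagged on their own.
    """
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "Unknown"


def scripts_in_label(label):
    """Set of letter scripts used in one DNS label, ignoring Common characters."""
    return {char_script(c) for c in label} - {"Common"}


def is_mixed_script(label):
    """True when a single label draws letters from more than one script."""
    return len(scripts_in_label(label)) > 1


def to_punycode(unicode_host):
    """Unicode hostname -> ACE form ("xn--..." labels), via the stdlib idna codec."""
    return unicode_host.encode("idna").decode("ascii")


def from_punycode(ascii_host):
    """ACE hostname -> Unicode, via the stdlib idna codec."""
    return ascii_host.encode("ascii").decode("idna")


def classify_host(ascii_host):
    """Decode an ACE hostname and return (unicode_host, labels that mix scripts).

    A non-empty second element is the signal a browser could use to show the
    raw punycode instead of the decoded name, or to warn the user.
    """
    unicode_host = from_punycode(ascii_host)
    flagged = [lbl for lbl in unicode_host.split(".") if is_mixed_script(lbl)]
    return unicode_host, flagged


if __name__ == "__main__":
    ace = to_punycode(SAMPLES["homograph"] + ".com")
    decoded, flagged = classify_host(ace)
    print("ACE form:   ", ace)
    print("decoded:    ", decoded)
    print("mixed-script labels:", flagged)
```

A mixed-script check of this kind catches the "one substituted letter" style of homograph, which is what the demo used, but it does not catch a label written entirely in a second script whose glyphs resemble Latin letters; the paper's discussion of registrar-side controls and of displaying the punycode form directly is the broader answer to that case.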
Please let me know what you think.