[gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)

Rob Golding rob.golding at astutium.com
Wed Oct 4 00:06:40 UTC 2017


On 2017-10-02 10:46, Neil Schwartzman wrote:
> That is a product of logistical limitations, not the reputation of a
> given domain. Everyone has a budget to consider, numerous checks can
> be costly in terms of computing overhead, and there is absolutely
> disparity between reputation systems (competitive advantages of one
> over the other), and how they manifest at a given user.

The link between providers of 'reputation' and 'price' isn't lost on 
technically aware end-users or service providers, many of whom view 
the entire concept as little more than the digital equivalent of 
'insurance' (in the "ooh, you should get some insurance as you have a lot 
of flammable stuff here, nudge nudge wink wink" sense).

> As a willfully intentional cesspool, an organization that "has decided
> that that's not part of its job, to refuse to issue certificates for
> particular domains based on reputation" has thus made the presence
> of a Let's Encrypt cert the perfect datapoint. One upon which one
> can block.

With some browsers no longer providing clear/obvious details to users 
about certificates, and the continuing proliferation of free SSL 
options, "trust" in SSL has dropped since Heartbleed to almost worthless 
levels. Add in the who-has-issued-what-via-whom questions that 
constantly seem to recur, and there is little wonder consumers are 
confused. SSL retains a place as a useful tool to ensure only clued-up 
hackers and government spy agencies are intercepting your data, but a 
replacement is long overdue.

> host phish (most phish I encounter are
> on legitimate hosting providers)

It's been several years since I have seen wholesale hosting accounts 
set up specifically for phishing. It's much more cost-effective for 
organised criminals to abuse an unpatched WordPress or simple FTP 
password, utilise an unknown user's hosting, run up their bandwidth, 
wreck their hosting provider's IP reputation, etc.

How much cotton wool we should be wrapping users in can be debated 
ad infinitum. I was on a train 2 weeks ago, and very loudly one 
passenger was quoting their c/card number & security code to someone by 
mobile, taking no notice that the other 150-or-so passengers could hear 
every character. This is far from an isolated incident; it appears 
stupidity will always win no matter what we do :(

Rob
