Simple Solution to Phishing Epidemic?

Call me simplistic, but it seems to me that there is a relatively simple solution to the phishing epidemic, assuming those in control of the Internet would like to stop it. Since almost all phishing emails use hyperlinks something like http://www.MyBigBankName.com.bad_guys_domain.info/login.html, eliminating it would be as simple as ICANN cancelling domain registrations for anyone caught phishing. (I assume Internet registrations are ICANN’s domain? No pun intended…)

To implement it, they would set up an email alias like phishing@icann.org where people could forward phishing emails. Once they had someone verify that an email routed to a phishing website (I bet this could even be done with vetted volunteers), ICANN would cancel the domain registration. Then it would be a simple matter for browser, personal firewall, and anti-spyware vendors to update their software to provide an anti-phishing warning for any website that is reached via IP address rather than via domain name.

With domain cancellation in place and IP-address-based anti-phishing functionality from browser, personal firewall, and anti-spyware vendors, phishing would be eliminated, as it would quickly become effectively impossible for a phisher to maintain a domain, and IP addresses would be easily filtered.
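The two checks the proposal relies on, recognising that the registrable domain of a URL like the one above is the attacker's rightmost labels rather than the bank's name on the left, and flagging sites reached by a bare IP address, can be written down concretely. The following is an added example, not code from the original post or from ICANN or any browser vendor; the protected brand domains, the sample URLs and the tiny public-suffix table are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand domains to protect (hypothetical names, not taken
# from the post). A real deployment would use the organisation's own domains.
PROTECTED_DOMAINS = {"mybigbankname.com", "examplebank.co.uk"}

# Constructed stand-in for the Public Suffix List: suffixes that span more than
# one label, so "examplebank.co.uk" is treated as a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrar actually hands out.

    That is the public suffix plus one more label, counted from the RIGHT.
    Everything to the left is a subdomain the domain owner can create at will,
    which is why "www.mybigbankname.com.bad_guys_domain.info" belongs to whoever
    registered "bad_guys_domain.info", not to the bank.
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 1
    for suffix in MULTI_LABEL_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            suffix_len = max(suffix_len, len(parts))
    return ".".join(labels[-(suffix_len + 1):])


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_url(url: str) -> dict:
    """Apply the post's two checks to one URL and report why it was flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit lower-cases the hostname
    result = {"host": host, "ip_literal": False,
              "registrable_domain": None, "reasons": []}
    if not host:
        result["reasons"].append("no host in URL")
        return result

    # Check 1: reached via IP address instead of a domain name.
    if is_ip_literal(host):
        result["ip_literal"] = True
        result["reasons"].append("reached by IP address, not a domain name")
        return result

    # Check 2: a protected brand domain appears as a subdomain chain under
    # some other registrable domain.
    reg = registrable_domain(host)
    result["registrable_domain"] = reg
    if reg in PROTECTED_DOMAINS:
        return result   # genuinely the brand's own domain; nothing to flag
    for brand in PROTECTED_DOMAINS:
        if ("." + host).find("." + brand + ".") != -1:
            result["reasons"].append(
                f"embeds protected domain {brand} under {reg}")
    return result


if __name__ == "__main__":
    # Constructed sample URLs: the post's example pattern, an IP-literal host,
    # and a legitimate brand URL.
    for sample in ("http://www.MyBigBankName.com.bad_guys_domain.info/login.html",
                   "http://192.0.2.10/login.html",
                   "https://www.mybigbankname.com/login"):
        print(sample, "->", classify_url(sample)["reasons"] or ["ok"])
```

Note what the check does not do: it only recognises the exact pattern the post describes, a known brand domain nested under someone else's registrable domain, plus bare IP hosts. It has no opinion on an unrelated domain that merely resembles a brand, which is the gap the post's domain-cancellation half is meant to cover.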

Or so it seems to me. But it must not be that easy, or someone else would have thought of it by now. I’m posting this hoping that someone can either explain to me why this would not work, or, if I just happen to be the only one to have thought of it and it would work, that someone reading this will forward it to the good folks at ICANN for implementation.

Anti-phishing tactic helps the “Well Designed Url” cause

Today Joris Evers on CNET posted an article about the security developers for the four main web browsers discussing how to make surfing the Web safer. One of the tactics mentioned was Microsoft’s plans for IIS7 to show the URL in the address bar on all Internet windows to help users identify fraudulent sites. Whereas the trend has somewhat been for many websites to eliminate the address bar on their secondary windows to make their websites look slicker — see what happens when the bad marketing wonks get involved, and when techies become over-enamored with techniques like AJAX — this move will shine the light more brightly on the lowly URL.

In the past I have blogged about Good URL design for websites and the related topics of wanting Mod_rewrite functionality for IIS and the tool ISAPI Rewrite that gives mod_rewrite functionality to IIS, so it is clear I’m passionate about the virtue of incorporating URL design into the overall design of a website. More specifically, my personal opinion is that URL design is one of the more important aspects of web design. This even though one person in this world disagrees with me, but Mark Kamoski is wrong. :)

What’s cool about IIS7 requiring the URL to be seen at all times, besides the obvious anti-phishing benefits, is that it will hopefully cause more website stakeholders (marketers, developers, etc.) to think more about the design of their website’s URLs.

And that would be a good thing.

P.S. Actually, I’d love to see all Windows applications do what Windows Explorer does and support a URL of sorts (maybe call it an "LRL" as in Local Resource Locator?). Wouldn’t it be great to see apps like Word, Excel, QuickBooks, and even Visual Studio be written as a series of state changes where the URL/LRL could represent in a user-readable format each uniquely-representable state (with some obvious caveats)? Just imagine how that would empower the creation of solutions by composing applications… but I digress, as that is the topic for a future day’s blog post.

P.P.S. I almost don’t want to say this next thing, as it could obviate the need for exposing URLs to guard against phishing, but I’m too intellectually honest not to. I see a huge market opportunity for Verisign, with the support of browser and server vendors, to enhance their SSL certificates to include a "Phishing-Safe" seal of approval. Today website owners only need to pay for a certificate if they are collecting sensitive information, but in the future I could see it becoming a de facto requirement for any website with a login to need a "phishing-safe" certificate, raising the bar on lots of hobby forum sites, etc. But I once again digress… Oops, I should have read the whole article before pontificating here; looks like they are discussing just such a concept.