Jump to content

Blanket TLD Blocking sets a whole new precedent of security fraud!


erenfro
Go to solution Solved by AdvancedSetup,

Recommended Posts

@leo3487, it's irrelevant whether a gTLD is 'standard'. No name in itself is an attack. It's only a hint to be more or less suspicious. So it should only be used to optimize code (e.g. to save processing by only triggering other checks for 'more suspicious' TLDs).

Therefore, when @pbust said they were going to completely remove the problem of near-blanket gTLD blocking, that was good. So I'm cutting them more slack than perhaps they deserve, and waiting for them to tackle all the domains "over the next few days and weeks". As long as the warning the user sees is less hysterical than the one I was shown (second hand - I don't have the product).

Personally, I'd just disable the blanket rule because it's blocking more good domains than bad, so the cure is worse than the disease. But most security companies weigh harm from 'bad' people more heavily than their own harm, which they convince themselves is 'good' harm, because they believe their intentions are honourable. There's some truth in that, e.g. blocking a benign domain is not as harmful as allowing access to a domain involved in identity theft.

 

Link to post
  • Root Admin
2 hours ago, BobBriscoe said:

Personally, I'd just disable the blanket rule because it's blocking more good domains than bad

 

I'm 100% in agreement with you that blanket blocking is not the best solution and should be removed. However, your statement above is a bit misleading according to Spamhaus who does some level of tracking them.

On some domains where the percentage of bad is low and if we're blocking it then yes your statement could very well be true, but not as itself a blanket statement when there are domains with more than 75% of them bad actors.

Again, we are working on this issue as posted previously

 

On 2/3/2021 at 9:48 AM, pbust said:

FWIW, .XYZ and .CLUB are fixed. We are still finetuning other gTLDs, so you might still see some aggressive gTLD blocks outside .XYZ and .CLUB. Over the next few days and weeks we'll tackle the rest of the gTLDs.

 

 

Thank you

 

Link to post

I meant what I said. Your company's actions cause reactions. If you block a TLD purely on its name, bad actors (who are watching you) will move to domains you are not blocking faster than good actors (who are not). So you have to have a second test that finds actual evidence, not just circumstantial. From what @pbust says, you obviously have those second test(s) now. So, even if a TLD contains 99% bad actors, that should be just a trigger to run the other test(s).

The name of the TLD of itself is not the attack nor cause for blocking - it's just a circumstantial cause for suspicion. The fact that you are still confusing the two shows:

  • either that @pbust has some work to do to convince you that blanket bans are inappropriate
  • or that the company position on completely removing blanket bans might not stick long term, because if/when @pbust and those who agree with him move on, there are still others inside the company who could bring back blanket bans, because they still don't grock how wrong-headed blanket bans are.
Link to post
  • 1 month later...
On 2/4/2021 at 6:54 PM, brad03 said:

Are TDL blocks going to be more aggressive in the near future? 

In fact less agressive

Version 2.2.20 include a gTLD blocking at options, default is off

I mean, now they could be more agressive, including newer TLD, but only applied for users than enable TLD blocking option (last option at cog icon)

  • Like 1
Link to post
9 hours ago, AdvancedSetup said:

image.png

Wow.. Still calling them "suspicious top level domains", alone, is again, still part of the problem. There's NOTHING suspicious about gTLDs, period.

Eric Renfro

 

Link to post
  • Staff

We are pushing changes to the detection logic, but Google publishing process has slowed down considerably. Used to be a couple of hours and nowaday's it's a couple of weeks. But rest assured, it is getting fixed.

 

Link to post
4 hours ago, erenfro said:

Wow.. Still calling them "suspicious top level domains", alone, is again, still part of the problem. There's NOTHING suspicious about gTLDs, period.

Eric Renfro

Also take note they are not blocked by default. A significant step forward.

Link to post
5 hours ago, Porthos said:

Also take note they are not blocked by default. A significant step forward.

It's not significant at all. It's a bit more what it should've been at best, but to still flagrantly call them "Suspicious gTLDs", without warranting proof and yet still cover all, or still nearly all, the previously mentioned gTLDs, and all the rest as well, it's still setting a precedent that's unacceptable in the security community as a whole, which is my entire point. Illegitimately blanket naming an entire huge list of gTLDs as 'suspicious' just literally marks them as all bad, even if they aren't, even if the majority aren't, and above all, when there is literally no proof of it in that, but only more proof AGAINST those associations.

No, it's not better, it's just as bad to still be a security company NOT doing security, and doing generalized, failed, inaccurate assumptions, period.

Eric Renfro

Link to post
  • 4 weeks later...
On 3/9/2021 at 6:37 PM, erenfro said:

It's not significant at all. It's a bit more what it should've been at best, but to still flagrantly call them "Suspicious gTLDs", without warranting proof and yet still cover all, or still nearly all, the previously mentioned gTLDs, and all the rest as well, it's still setting a precedent that's unacceptable in the security community as a whole, which is my entire point. Illegitimately blanket naming an entire huge list of gTLDs as 'suspicious' just literally marks them as all bad, even if they aren't, even if the majority aren't, and above all, when there is literally no proof of it in that, but only more proof AGAINST those associations.

No, it's not better, it's just as bad to still be a security company NOT doing security, and doing generalized, failed, inaccurate assumptions, period.

Eric Renfro

 

In fact, for non-english users, and people than use the extension "as it comes", is an significant step forward

Link to post
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.