Improve fuzzylist logic in eth-phishing-detect #45

Open
holantonela opened this issue Nov 23, 2022 · 1 comment

holantonela commented Nov 23, 2022

from @Gudahtt:

The fuzzylist is not safe to extend in its current form. We should freeze it until we improve that functionality to make it more effective at blocking imposter sites, less prone to false positives, and less alarming for users.

There are a few fairly low-effort changes we could make to improve this:

  1. Increase the Levenshtein tolerance from 2 to 1, dramatically reducing the number of matches (and thus reducing false positives)
  2. Make the warning page less alarming for fuzzylist matches (e.g. yellow instead of red, less alarming copy)
  3. Make the warning page emphasize the risk of the website being an impostor of a specific target, so users can better evaluate risk on their own. Display different warning for fuzzylist matches (i.e. suspected imitation websites) #37
  4. It's hard for a user to look at a site and know if it's malicious or not, but most people would probably be confident that unity.com isn't trying to pretend to be invity.com.
  5. Add detection for invisible confusable characters, so we can detect obvious imposters and treat them more harshly
  6. Add confusable character support to the warning page, so we can better highlight easy-to-miss differences between the suspected domain and potential target that it may be pretending to be.

Looking at some recent Trezor examples:

  • #9471: This is meant to be confusable for "Trezor" directly. Unsure how our detector works with confusables today. This might still pass with a tolerance of 2, since we're passing in punycode and our detector doesn't treat punycode any differently.
  • #9472: This one would be blocked by a tolerance of 1
  • #9409: Two entries, one which is another confusable imposter, similar to the first bullet. The second uses a longer domain, so not currently handled by our fuzzylist, but maybe a good target if we wanted to start doing substring matching.
  • #9239: both longer domains, so not covered.

from @legobeat:

Let's consider

MetaMask/eth-phishing-detect#9407
MetaMask/eth-phishing-detect#9610
MetaMask/eth-phishing-detect#9602
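
The tolerance change in item 1 and the punycode remark in the Trezor examples, shown as an added example that is not part of the original issue and is not eth-phishing-detect's own code: a Levenshtein fuzzylist check run at tolerance 2 and at tolerance 1. The fuzzylist entries, the probe hostnames, the TLD-stripping step and the `xn--` flag are assumptions made for this illustration.

```javascript
// Added example, not code from eth-phishing-detect.
// FUZZYLIST and the probe hostnames below are constructed sample values.
const FUZZYLIST = ['invity.com', 'trezor.example'];

// Levenshtein distance using two rolling rows of the DP table.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Assumption: hostnames are compared with the last label (the TLD) removed.
function stripTld(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.length > 1 ? labels.slice(0, -1).join('.') : labels[0];
}

// Closest fuzzylist entry within `tolerance` edits, plus a punycode flag.
function fuzzyMatch(hostname, fuzzylist, tolerance) {
  const host = hostname.toLowerCase();
  const result = {
    target: null,
    distance: null,
    // ACE labels ("xn--...") encode non-ASCII characters; their edit distance
    // to the ASCII target is large, so they are flagged separately.
    punycode: host.split('.').some((label) => label.startsWith('xn--')),
  };
  if (fuzzylist.includes(host)) return result; // the protected site itself
  for (const entry of fuzzylist) {
    const d = levenshtein(stripTld(host), stripTld(entry));
    if (d <= tolerance && (result.distance === null || d < result.distance)) {
      result.target = entry;
      result.distance = d;
    }
  }
  return result;
}

console.log(fuzzyMatch('unity.com', FUZZYLIST, 2)); // target: 'invity.com', distance: 2
console.log(fuzzyMatch('unity.com', FUZZYLIST, 1)); // target: null
// 'xn--trzor-abc' is a constructed placeholder label, not a real encoding.
console.log(fuzzyMatch('xn--trzor-abc.example', FUZZYLIST, 2)); // target: null, punycode: true
```
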

@AlexHerman1

love this
