Anyone who is remotely tech savvy doesn't need Google to tell them 'Phishing is one of the top ways bad actors intrude and steal data.' We recently witnessed a phishing attack on the npm supply chain. Luckily it was caught before having major repercussions. But it got me thinking: what steps can we take to prevent it from happening again? Or at least reduce the probability.
Recently I was doing some cookie stuff and learned about the Public Suffix List. I found it interesting because it admits 'there was and remains no algorithmic method' for a software problem: helping browsers figure out how to restrict cookie sharing across domains. It's not often I see software engineers, myself included, accept algorithmic defeat. I also loved how dead simple the solution is. What can be easier than maintaining a list of suffixes?
It brought me back to phishing. What if my browser had a list of domains I've whitelisted as being safe and trustworthy (ex. npmjs.com). When I visit a domain which looks similar to, but doesn't exactly match, one of those domains (ex. npmjs.help or npmj5.com), the browser could show me a warning. Not as extreme as the bold red 'dangerous site' warning Chrome shows but something to give pause with an option to still continue. Perhaps something similar to what I see when I visit a site without verified SSL.
Like the PSL, our respective 'anti-phishing' lists would be curated by humans. You would have your anti-phishing list. I would have mine. An algorithm wouldn't decide whether a domain is added to a list. So when a warning appears, I wouldn't be taken by surprise. I'll know it's because I had added a domain to my list and the website I'm trying to visit has a similarly spelled domain. Ideally, my list would also follow me across browsers and devices. Privacy enthusiasts may prefer to keep their list on their local device only.
You might be thinking: will people actually spend time to curate their anti-phishing list with domains they frequently visit? Most won't. Just like most people don't set up 2FA or use password managers. To reduce the burden, a browser could prompt me to add a domain to my anti-phishing list when it sees I visit it often. I would only have to click yes or no. If I click yes too much, worst case I will be met with a false warning which I can easily bypass.
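To make the idea concrete, here is an added example (my own sketch, not code from any browser or from the PSL project) of the lookalike check a browser could run against a user's curated list. It assumes a constructed trusted list containing npmjs.com and github.com, a small hypothetical digit-to-letter confusable table, and a simplified "registrable domain" that takes the last two labels where a real implementation would consult the PSL.

```python
# Hypothetical confusable table: digits that commonly stand in for letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample of one user's anti-phishing list (hand-curated, per the post).
TRUSTED = {"npmjs.com", "github.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances flag typosquats like git-hub.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplified eTLD+1 (last two labels). A real browser would use the
    Public Suffix List here so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check(host: str, trusted=TRUSTED, max_distance: int = 2):
    """Return ("ok", exact_match) for a trusted domain or an unrelated one,
    or ("warn", trusted_domain) when the site resembles a curated entry.
    False warnings on short names are accepted: the user can click through."""
    dom = registrable(host)
    if dom in trusted:
        return ("ok", dom)          # www.npmjs.com -> npmjs.com: no warning
    name = dom.partition(".")[0]
    normalised = name.translate(CONFUSABLES)
    for t in sorted(trusted):       # sorted for deterministic results
        tname = t.partition(".")[0]
        if name == tname:           # same name, different TLD: npmjs.help
            return ("warn", t)
        if normalised == tname:     # digit swap: npmj5.com
            return ("warn", t)
        if levenshtein(normalised, tname) <= max_distance:
            return ("warn", t)      # near-miss spelling: git-hub.com
    return ("ok", None)             # nothing on the list looks like this
```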
If even 1% of the world's most popular open source maintainers use this feature to reduce their chances of getting phished by 10%, I still think it would add tremendous value to the entire software community. And like the PSL which inspired this idea, it has no algorithmic component. No fancy machine learning. Just a handpicked list of domains.