[At-Large] IDN Variants in the market place

Sivasubramanian M 6.Internet at gmail.com
Fri Jul 20 18:55:20 UTC 2018


On Sat, Jul 21, 2018, 12:19 AM Alejandro Pisanty <apisanty at gmail.com> wrote:

> Barry,
>
> spot on, plus the idea of a list of forbidden strings appears to be pure
> lunacy in this context.
>
> All strings are potentially an attack for any substitution of any character
> by any IDN look-alike character. The list would contain a couple zillion
> names and as you say, many could be legitimate. To complicate things
> further, an ASCII "A" could be used in an homograph attack by substituting
> for a Greek or Cyrillic "A" as well.
>
> I may be missing something and would study a correction though.
>

for the Registries, at least in the ASCII space, to volunteer to feed their
respective list of harmful names

You missed 'at least in ASCII space'.


> Alejandro Pisanty
>
> On Fri, Jul 20, 2018 at 1:37 PM, <bzs at theworld.com> wrote:
>
>>
>> On July 19, 2018 at 15:48 6.Internet at gmail.com (Sivasubramanian M) wrote:
>>  > Please take a look at the attached screenshot of a domainer's offer to
>> sell
>>  > single character IDNs, for instance an IDN variant (lookalike) of the
>> ASCII
>>  > character X, which sets a harmful trend. This is an issue of
>> confusability.
>>
>> The general term for this is "homograph attack" or specifically "IDN
>> homograph attack", where "attack" may be in the eye of the beholder:
>>
>>   https://en.wikipedia.org/wiki/IDN_homograph_attack
>>
>> and has been the subject of much discussion over recent years and
>> little resolution.
>>
>> I believe one popular proposal is browser support which either
>> visually flags such IDNs or displays the punycode alongside which is
>> an ASCII representation and should make obvious that this is not what one
>> might suspect.
>>
>> For example (from this wikipedia page): xn--bcher-kva.tld indicating
>> an umlauted 'u' is in there but importantly that it's not just
>> bucher.tld.
>>
>>   https://en.wikipedia.org/wiki/Punycode
>>
>> There's still the problem with intent. Could I legitimately offer for
>> sale the strings with and without the umlaut? I think that's generally
>> considered acceptable.
>>
>> Caveat emptor?
>>
>>  >
>>  > I understand that the Registries (are required to?) maintain a list of
>> harmful
>>  > names for their TLDs, but there is no common minimal list of harmful
>> names. One
>>  > possible way to achieve this is for the Registries, at least in the
>> ASCII
>>  > space, to volunteer to feed their respective list of harmful names
>> into a
>>  > common Registry Stakeholder database, and then draw up a common
>> minimum list of
>>  > harmful domain names that any Registry could avoid registering.
>>  >
>>  > If At-Large could shape this as a workable suggestion, it could
>> formally go to
>>  > the Registry Stakeholders.
>>  >
>>  > Sivasubramanian M
>>  > x[DELETED ATTACHMENT Screenshot_20180719-152932~2.png, PNG image]
>>  > _______________________________________________
>>  > At-Large mailing list
>>  > At-Large at atlarge-lists.icann.org
>>  > https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>  >
>>  > At-Large Official Site: http://atlarge.icann.org
>>
>> --
>>         -Barry Shein
>>
>> Software Tool & Die    | bzs at TheWorld.com             |
>> http://www.TheWorld.com
>> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
>> The World: Since 1989  | A Public Information Utility | *oo*
>>
>
>
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - -
>      Dr. Alejandro Pisanty
> Facultad de Química UNAM
> Av. Universidad 3000, 04510 Mexico DF Mexico
> +52-1-5541444475 FROM ABROAD
> +525541444475 FROM MEXICO SMS +525541444475
> Blog: http://pisanty.blogspot.com
> LinkedIn: http://www.linkedin.com/in/pisanty
> Join the UNAM group on LinkedIn,
> http://www.linkedin.com/e/gis/22285/4A106C0C8614
> Twitter: http://twitter.com/apisanty
> ---->> Join ISOC Mexico, http://www.isoc.org
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

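The punycode display and look-alike substitution discussed in this thread, as an added example that is not part of any poster's message: it shows the ASCII form of a label, the scripts it mixes, and whether it folds onto a protected ASCII name. The `LOOKALIKES` table, the protected name `example` and the sample labels are constructed assumptions; a real check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed look-alike table (assumption: a tiny subset for illustration,
# not the full Unicode confusables data). Maps a non-Latin letter to the
# ASCII letter it resembles.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def a_label(label):
    """ASCII (punycode) form that a browser could show next to the label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts in the label, guessed from the first word of each Unicode name."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in label if c.isalpha()})

def skeleton(label):
    """Fold known look-alikes onto ASCII so visually equal labels compare equal."""
    return "".join(LOOKALIKES.get(c, c) for c in label)

def review(label, protected="example"):
    """Summarise what a registry or browser check could flag for one label."""
    found = scripts(label)
    return {
        "a_label": a_label(label),
        "scripts": found,
        "mixed_script": len(found) > 1,
        "imitates_protected": label != protected and skeleton(label) == protected,
    }

if __name__ == "__main__":
    # Constructed samples; "bücher" is the Wikipedia example quoted in the thread.
    for sample in ["b\u00fccher", "example", "ex\u0430mple", "\u0445"]:
        print(repr(sample), review(sample))
```

A label written entirely in one non-Latin script, such as the single Cyrillic letter in the last sample, is not flagged as mixed-script; only its `xn--` form and the skeleton comparison distinguish it from the ASCII letter.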
