<div dir="ltr">Barry,<div><br></div><div>spot on, plus the idea of a list of forbidden strings appears to be pure lunacy in this context. All strings are potentially an attack for any substitution of any character by any IDN look-alike character. The list would contain a couple zillion names and as you say, many could be legtimate. To complicate things further, an ASCII "A" could be used in an homograph attack by substituting for a Greek or Cyrillic "A" as well.</div><div><br></div><div>I may be missing something and would study a correction though.</div><div><br></div><div>Alejandro Pisanty</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 20, 2018 at 1:37 PM, <span dir="ltr"><<a href="mailto:bzs@theworld.com" target="_blank">bzs@theworld.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
On July 19, 2018 at 15:48 <a href="mailto:6.Internet@gmail.com">6.Internet@gmail.com</a> (Sivasubramanian M) wrote:<br>
> Please take a look at the attached screenshot of a domainer's offer to sell<br>
> single character IDNs, for instance an IDN variant (lookalike) of the ASCII<br>
> character X, which sets a harmful trend. This is an issue if confusability.<br>
<br>
The general term for this is "homograph attack" or specifically "IDN<br>
homograph attack", where "attack" may be in the eye of the beholder:<br>
<br>
<a href="https://en.wikipedia.org/wiki/IDN_homograph_attack" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/<wbr>IDN_homograph_attack</a><br>
<br>
and has been the subject of much discussion over recent years and<br>
little resolution.<br>
<br>
I believe one popular proposal is browser support which either<br>
visually flags such IDNs or displays the punycode alongside which is<br>
an ASCII represenation and should make obvious that this not what one<br>
might suspect.<br>
<br>
For example (from this wikipedia page): xn--bcher-kva.tld indicating<br>
an umlauted 'u' is in there but importantly that it's not just<br>
bucher.tld.<br>
<br>
<a href="https://en.wikipedia.org/wiki/Punycode" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/<wbr>Punycode</a><br>
<br>
There's still the problem with intent. Could I legitimately offer for<br>
sale the strings with and without the umlaut? I think that's generally<br>
considered acceptable.<br>
<br>
Caveat emptor?<br>
<br>
> <br>
> I understand that the Registries (are required to?) maintain a list of harmful<br>
> names for their TLDs, but there is no common minimal list of harmful names. One<br>
> possible way to achieve this is for the Registries, at least in the ASCII<br>
> space, to volunteer to feed their respective list of harmful names into a<br>
> common Registry Stakeholder database, and then draw up a common minimum list of<br>
> harmful domain names that any Registry could avoid registering. <br>
> <br>
> If At-Large could shape this as a workable suggestion, it could formally go to<br>
> the Registry Stakeholders.<br>
> <br>
> Sivasubramanian M<br>
> x[DELETED ATTACHMENT Screenshot_20180719-152932~2.<wbr>png, PNG image]<br>
> ______________________________<wbr>_________________<br>
> At-Large mailing list<br>
> <a href="mailto:At-Large@atlarge-lists.icann.org">At-Large@atlarge-lists.icann.<wbr>org</a><br>
> <a href="https://atlarge-lists.icann.org/mailman/listinfo/at-large" rel="noreferrer" target="_blank">https://atlarge-lists.icann.<wbr>org/mailman/listinfo/at-large</a><br>
> <br>
> At-Large Official Site: <a href="http://atlarge.icann.org" rel="noreferrer" target="_blank">http://atlarge.icann.org</a><br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
-Barry Shein<br>
<br>
Software Tool & Die | bzs@TheWorld.com | <a href="http://www.TheWorld.com" rel="noreferrer" target="_blank">http://www.TheWorld.com</a><br>
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD<br>
The World: Since 1989 | A Public Information Utility | *oo*<br>
______________________________<wbr>_________________<br>
At-Large mailing list<br>
<a href="mailto:At-Large@atlarge-lists.icann.org">At-Large@atlarge-lists.icann.<wbr>org</a><br>
<a href="https://atlarge-lists.icann.org/mailman/listinfo/at-large" rel="noreferrer" target="_blank">https://atlarge-lists.icann.<wbr>org/mailman/listinfo/at-large</a><br>
<br>
At-Large Official Site: <a href="http://atlarge.icann.org" rel="noreferrer" target="_blank">http://atlarge.icann.org</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">- - - - - - - - - - - - - - - - - - - - - - - - - - -<br> Dr. Alejandro Pisanty<br>Facultad de Química UNAM<br>Av. Universidad 3000, 04510 Mexico DF Mexico<br>+52-1-5541444475 FROM ABROAD<br>+525541444475 DESDE MÉXICO SMS +525541444475<br>Blog: <a href="http://pisanty.blogspot.com" target="_blank">http://pisanty.blogspot.com</a><br>LinkedIn: <a href="http://www.linkedin.com/in/pisanty" target="_blank">http://www.linkedin.com/in/pisanty</a><br>Unete al grupo UNAM en LinkedIn, <a href="http://www.linkedin.com/e/gis/22285/4A106C0C8614" target="_blank">http://www.linkedin.com/e/gis/22285/4A106C0C8614</a><br>Twitter: <a href="http://twitter.com/apisanty" target="_blank">http://twitter.com/apisanty</a><br>---->> Unete a ISOC Mexico, <a href="http://www.isoc.org" target="_blank">http://www.isoc.org</a><br>. . . . . . . . . . . . . . . .</div>
</div>