[At-Large] IDN Variants in the market place

Alejandro Pisanty apisanty at gmail.com
Fri Jul 20 18:48:17 UTC 2018


Barry,

spot on, plus the idea of a list of forbidden strings appears to be pure
lunacy in this context. All strings are potentially an attack for any
substitution of any character by any IDN look-alike character. The list
would contain a couple zillion names and as you say, many could be
legitimate. To complicate things further, an ASCII "A" could be used in a
homograph attack by substituting for a Greek or Cyrillic "A" as well.

I may be missing something and would study a correction though.

Alejandro Pisanty

On Fri, Jul 20, 2018 at 1:37 PM, <bzs at theworld.com> wrote:

>
> On July 19, 2018 at 15:48 6.Internet at gmail.com (Sivasubramanian M) wrote:
>  > Please take a look at the attached screenshot of a domainer's offer to sell
>  > single character IDNs, for instance an IDN variant (lookalike) of the ASCII
>  > character X, which sets a harmful trend. This is an issue of confusability.
>
> The general term for this is "homograph attack" or specifically "IDN
> homograph attack", where "attack" may be in the eye of the beholder:
>
>   https://en.wikipedia.org/wiki/IDN_homograph_attack
>
> and has been the subject of much discussion over recent years and
> little resolution.
>
> I believe one popular proposal is browser support which either
> visually flags such IDNs or displays the punycode alongside which is
> an ASCII representation and should make obvious that this is not what one
> might suspect.
>
> For example (from this wikipedia page): xn--bcher-kva.tld indicating
> an umlauted 'u' is in there but importantly that it's not just
> bucher.tld.
>
>   https://en.wikipedia.org/wiki/Punycode
>
> There's still the problem with intent. Could I legitimately offer for
> sale the strings with and without the umlaut? I think that's generally
> considered acceptable.
>
> Caveat emptor?
>
>  >
>  > I understand that the Registries (are required to?) maintain a list of harmful
>  > names for their TLDs, but there is no common minimal list of harmful names. One
>  > possible way to achieve this is for the Registries, at least in the ASCII
>  > space, to volunteer to feed their respective list of harmful names into a
>  > common Registry Stakeholder database, and then draw up a common minimum list of
>  > harmful domain names that any Registry could avoid registering.
>  >
>  > If At-Large could shape this as a workable suggestion, it could formally go to
>  > the Registry Stakeholders.
>  >
>  > Sivasubramanian M
>  > x[DELETED ATTACHMENT Screenshot_20180719-152932~2.png, PNG image]
>  > _______________________________________________
>  > At-Large mailing list
>  > At-Large at atlarge-lists.icann.org
>  > https://atlarge-lists.icann.org/mailman/listinfo/at-large
>  >
>  > At-Large Official Site: http://atlarge.icann.org
>
> --
>         -Barry Shein
>
> Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*
>



-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - -
     Dr. Alejandro Pisanty
Facultad de Química UNAM
Av. Universidad 3000, 04510 Mexico DF Mexico
+52-1-5541444475 FROM ABROAD
+525541444475 FROM MEXICO SMS +525541444475
Blog: http://pisanty.blogspot.com
LinkedIn: http://www.linkedin.com/in/pisanty
Join the UNAM group on LinkedIn,
http://www.linkedin.com/e/gis/22285/4A106C0C8614
Twitter: http://twitter.com/apisanty
---->> Join ISOC Mexico, http://www.isoc.org
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
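
The browser-side check discussed in this thread (show the punycode form next to the name and flag suspicious labels rather than keep a list of forbidden strings), as an added example that is not part of the original messages. The function names are hypothetical, the sample domains are constructed, and taking the script from the first word of each Unicode character name is an assumption standing in for the real Unicode Script property.

```python
import unicodedata


def scripts_in(label):
    """Approximate the set of scripts used in one label.

    Assumption: the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...) stands in for the Script property,
    which the Python standard library does not expose.
    """
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def review(domain):
    """Return (ascii_form, flags) for a domain name.

    ascii_form is what a browser could display alongside the name;
    flags lists every non-ASCII label and whether it mixes scripts.
    """
    ascii_form = domain.encode("idna").decode("ascii")
    flags = []
    for label in domain.split("."):
        if label.isascii():
            continue
        scripts = sorted(scripts_in(label))
        kind = "mixed-script" if len(scripts) > 1 else "non-ascii"
        flags.append((label, kind, scripts))
    return ascii_form, flags


if __name__ == "__main__":
    # Constructed samples: the thread's umlaut example, a Latin label with
    # one Cyrillic letter, and a single Cyrillic look-alike of ASCII "x".
    for name in ["b\u00fccher.tld", "ex\u0430mple.tld", "\u0445.tld", "bucher.tld"]:
        print(name, *review(name))
```

The single-character label is not mixed-script, so only the ASCII form gives it away, and the umlaut name is flagged the same way although it may be perfectly legitimate.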