[At-Large] IDN Variants in the market place

Alejandro Pisanty apisanty at gmail.com
Fri Jul 20 22:30:16 UTC 2018


There is an irremediable lack of understanding here.

Alejandro Pisanty

On Fri, Jul 20, 2018 at 3:05 PM, Sivasubramanian M <6.Internet at gmail.com>
wrote:

>
>
> On Sat, Jul 21, 2018, 1:05 AM Alejandro Pisanty <apisanty at gmail.com>
> wrote:
>
>> Hi,
>>
>> "at least in ASCII space"
>>
>
> at least in plain English
>
>> still can't work. Innumerable strings contain characters that, in turn,
>> have look-alikes in other character sets, many in more than one. To get a
>> sense of scale, try "aardvark" first; EVERY character has a potential
>> substitute. Also please remember the row around ".bg" in Cyrillic. (Again,
>> barring correction from someone more knowledgeable.)
>>
>> Alejandro Pisanty
>>
>> On Fri, Jul 20, 2018 at 1:55 PM, Sivasubramanian M <6.Internet at gmail.com>
>> wrote:
>>
>>>
>>>
>>> On Sat, Jul 21, 2018, 12:19 AM Alejandro Pisanty <apisanty at gmail.com>
>>> wrote:
>>>
>>>> Barry,
>>>>
>>>> spot on, plus the idea of a list of forbidden strings appears to be
>>>> pure lunacy in this context.
>>>>
>>>
>>>> All strings are potentially an attack for any substitution of any
>>>> character by any IDN look-alike character. The list would contain a couple
>>>> zillion names and as you say, many could be legitimate. To complicate things
>>>> further, an ASCII "A" could be used in a homograph attack by substituting
>>>> for a Greek or Cyrillic "A" as well.
>>>>
>>>> I may be missing something and would study a correction though.
>>>>
>>>
>>> for the Registries, at least in the ASCII space, to volunteer to feed
>>> their respective list of harmful names
>>>
>>> You missed 'at least in ASCII space'.
>>>
>>>
>>>> Alejandro Pisanty
>>>>
>>>> On Fri, Jul 20, 2018 at 1:37 PM, <bzs at theworld.com> wrote:
>>>>
>>>>>
>>>>> On July 19, 2018 at 15:48 6.Internet at gmail.com (Sivasubramanian M) wrote:
>>>>>  > Please take a look at the attached screenshot of a domainer's offer to sell
>>>>>  > single character IDNs, for instance an IDN variant (lookalike) of the ASCII
>>>>>  > character X, which sets a harmful trend. This is an issue of confusability.
>>>>>
>>>>> The general term for this is "homograph attack" or specifically "IDN
>>>>> homograph attack", where "attack" may be in the eye of the beholder:
>>>>>
>>>>>   https://en.wikipedia.org/wiki/IDN_homograph_attack
>>>>>
>>>>> and has been the subject of much discussion over recent years and
>>>>> little resolution.
>>>>>
>>>>> I believe one popular proposal is browser support which either
>>>>> visually flags such IDNs or displays the punycode alongside which is
>>>>> an ASCII representation and should make obvious that this is not what one
>>>>> might suspect.
>>>>>
>>>>> For example (from this wikipedia page): xn--bcher-kva.tld indicating
>>>>> an umlauted 'u' is in there but importantly that it's not just
>>>>> bucher.tld.
>>>>>
>>>>>   https://en.wikipedia.org/wiki/Punycode
>>>>>
>>>>> There's still the problem with intent. Could I legitimately offer for
>>>>> sale the strings with and without the umlaut? I think that's generally
>>>>> considered acceptable.
>>>>>
>>>>> Caveat emptor?
>>>>>
>>>>>  >
>>>>>  > I understand that the Registries (are required to?) maintain a list of harmful
>>>>>  > names for their TLDs, but there is no common minimal list of harmful names. One
>>>>>  > possible way to achieve this is for the Registries, at least in the ASCII
>>>>>  > space, to volunteer to feed their respective list of harmful names into a
>>>>>  > common Registry Stakeholder database, and then draw up a common minimum list of
>>>>>  > harmful domain names that any Registry could avoid registering.
>>>>>  >
>>>>>  > If At-Large could shape this as a workable suggestion, it could formally go to
>>>>>  > the Registry Stakeholders.
>>>>>  >
>>>>>  > Sivasubramanian M
>>>>>  > x[DELETED ATTACHMENT Screenshot_20180719-152932~2.png, PNG image]
>>>>>  > _______________________________________________
>>>>>  > At-Large mailing list
>>>>>  > At-Large at atlarge-lists.icann.org
>>>>>  > https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>>>>  >
>>>>>  > At-Large Official Site: http://atlarge.icann.org
>>>>>
>>>>> --
>>>>>         -Barry Shein
>>>>>
>>>>> Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
>>>>> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
>>>>> The World: Since 1989  | A Public Information Utility | *oo*
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>>      Dr. Alejandro Pisanty
>>>> Facultad de Química UNAM
>>>> Av. Universidad 3000, 04510 Mexico DF Mexico
>>>> +52-1-5541444475 FROM ABROAD
>>>> +525541444475 FROM MEXICO SMS +525541444475
>>>> Blog: http://pisanty.blogspot.com
>>>> LinkedIn: http://www.linkedin.com/in/pisanty
>>>> Join the UNAM group on LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614
>>>> Twitter: http://twitter.com/apisanty
>>>> ---->> Join ISOC Mexico, http://www.isoc.org
>>>> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
>>>
>>>
>>
>>
>
>


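
Added example, not part of any message in this thread: a Python sketch of the two technical points raised above, namely showing a label's punycode form and scripts (the browser-side proposal) and counting how many look-alike spellings a single name has (why a list of forbidden strings does not scale). The LOOKALIKES table is a small constructed subset, and the names inspect_label and variant_count are hypothetical.

```python
import unicodedata

# Constructed, deliberately small look-alike table (an assumption for this
# example, not the full Unicode confusables data).
LOOKALIKES = {
    "a": ["\u0430", "\u03b1"],  # Cyrillic a, Greek alpha
    "r": ["\u0433"],            # Cyrillic ghe
    "d": ["\u0501"],            # Cyrillic komi de
    "v": ["\u03bd", "\u0475"],  # Greek nu, Cyrillic izhitsa
    "k": ["\u043a", "\u03ba"],  # Cyrillic ka, Greek kappa
}


def inspect_label(label: str) -> dict:
    """Return the facts a display-time check would show for one DNS label."""
    if label.lower().startswith("xn--"):
        # A-label: decode the punycode part back to Unicode.
        label = label[4:].encode("ascii").decode("punycode")
    # First word of the Unicode character name is the script (LATIN, GREEK, ...).
    scripts = sorted({unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()})
    if label.isascii():
        a_label = label
    else:
        a_label = "xn--" + label.encode("punycode").decode("ascii")
    return {
        "unicode": label,
        "a_label": a_label,
        "scripts": scripts,
        # Mixed scripts inside one label is the usual warning sign. A label
        # written entirely in one look-alike script is NOT caught by this.
        "mixed_script": len(scripts) > 1,
    }


def variant_count(label: str, table=LOOKALIKES) -> int:
    """Count the other spellings reachable by per-character substitution."""
    total = 1
    for ch in label:
        total *= 1 + len(table.get(ch, ()))
    return total - 1  # exclude the original spelling


if __name__ == "__main__":
    print(inspect_label("xn--bcher-kva"))       # the example quoted in the thread
    print(inspect_label("\u0430ardvark"))       # constructed: first letter is Cyrillic
    print(variant_count("aardvark"))            # size of a blocklist for ONE name
```

Even with this five-letter table, one eight-letter name yields 1943 alternative spellings; the real confusables data is far larger.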