[At-Large] IDN Variants in the market place

bzs at theworld.com bzs at theworld.com
Sat Jul 21 03:47:41 UTC 2018

This homograph problem is not new and has been been worked on for well
over a decade. Type "homograph attack" into your favorite search

But briefly:

1. You can type x.com and DNS (and other layers) can indeed redirect
you to the cyrillic x.com or anywhere they like.

The primary defense you have against this are security layers such as
SSL (https) which can, to some cryptographic certainty, verify who you
finally connected to.

Of course they are perfectly capable of responding, with great
confidence, that you indeed have arrived at a site owned by some bad

SSL certificates are cheap and even the most expensive only certify
that you are indeed "Mr Bad Actor" and perhaps have managed to obtain
some corporate credentials such as a DUN number. Not a very exclusive

And you'd have to be motivated to check that it's who you intended to
connect to, none of this can read your mind. Maybe you do business
with Mr Bad Actor, someone must.

2. When I said "attack" is in the eye of the beholder I was quite

For example why SHOULDN'T cyrillic X.com exist?

Because you or some subset of the internet find it potentially

We abandoned the notion that the internet is ASCII-only or even
ISO/IEC 8859-1 only (aka Latin-1, includes Western European characters
such as umlauted-u) many years ago.


One can assert "but I (or some other billions) must never be
confused!"  but as they say if wishes were horses...or perhaps put
better this genie isn't likely going back in the bottle.

The other choice is to somehow enforce against malicious uses rather
than potentially malicious uses which is another huge topic covering
everything from "define malicious!" to "how, exactly, would you
enforce this?"

3. A lot of this reduces to what's often called "reputational
services": How do I verify (preferably with little effort) the
reputation of some resource I am accessing?

Gratuitous anecdote:

In 2003 I was one of two keynote speakers at the MIT Spam Conference.

The other speaker's talk was about DKIM, a crpytographically based way
to verify that an email has come from the signing party.

I rudely (perhaps) asked at the end how do I know I have only verified
they are indeed Mr Bad Actor?

And the speaker said: Reputational services! They are being developed
and will augment this protocol to solve exactly that problem.


Do you see any reputational services? I don't.

Or not beyond some singular efforts where a search engine tries to
flag a link as potentially malicious.

        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

More information about the At-Large mailing list