[At-Large] IDN Variants in the market place

Dr. Alejandro Pisanty Baruch apisan at unam.mx
Tue Jul 24 00:59:07 UTC 2018


Andrei,

thanks. Exactly. No list of "forbidden strings" - just one good practice. A lot of mischief can be done in the remaining space but at least that one bad practice can be taken off the table.

Alejandro Pisanty




- - - - - - - - - - - - - - - - - - - - - - - - - - -
     Dr. Alejandro Pisanty
Facultad de Química UNAM
Av. Universidad 3000, 04510 Mexico DF Mexico
+52-1-5541444475 FROM ABROAD
+525541444475 FROM MEXICO SMS +525541444475
Blog: http://pisanty.blogspot.com
LinkedIn: http://www.linkedin.com/in/pisanty
Join the UNAM group on LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614
Twitter: http://twitter.com/apisanty
---->> Join ISOC Mexico, http://www.isoc.org
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

________________________________
From: At-Large [at-large-bounces at atlarge-lists.icann.org] on behalf of Andrei Kolesnikov [andrei at rol.ru]
Sent: Monday, July 23, 2018 11:05
To: Alejandro Pisanty
CC: At-Large Staff; At-Large Worldwide
Subject: Re: [At-Large] IDN Variants in the market place

Mixing scripts on the left and right is a sin initially. Cool registries ban it at EPP level.

--andrei

2018-07-20 22:34 GMT+03:00 Alejandro Pisanty <apisanty at gmail.com>:
Hi,

"at least in ASCII space" still can't work. Innumerable strings contain characters that, in turn, have look-alikes in other character sets, many in more than one. To get a sense of scale, try "aardvark" first; EVERY character has a potential substitute. Also please remember the row around ".bg" in Cyrillic. (Again, barring correction from someone more knowledgeable.)

Alejandro Pisanty

On Fri, Jul 20, 2018 at 1:55 PM, Sivasubramanian M <6.Internet at gmail.com> wrote:

On Sat, Jul 21, 2018, 12:19 AM Alejandro Pisanty <apisanty at gmail.com> wrote:
Barry,

spot on, plus the idea of a list of forbidden strings appears to be pure lunacy in this context.

All strings are potentially an attack for any substitution of any character by any IDN look-alike character. The list would contain a couple zillion names and as you say, many could be legitimate. To complicate things further, an ASCII "A" could be used in a homograph attack by substituting for a Greek or Cyrillic "A" as well.

I may be missing something and would study a correction though.

for the Registries, at least in the ASCII space, to volunteer to feed their respective list of harmful names

You missed 'at least in ASCII space'.


Alejandro Pisanty

On Fri, Jul 20, 2018 at 1:37 PM, <bzs at theworld.com> wrote:

On July 19, 2018 at 15:48 6.Internet at gmail.com (Sivasubramanian M) wrote:
 > Please take a look at the attached screenshot of a domainer's offer to sell
 > single character IDNs, for instance an IDN variant (lookalike) of the ASCII
 > character X, which sets a harmful trend. This is an issue of confusability.

The general term for this is "homograph attack" or specifically "IDN
homograph attack", where "attack" may be in the eye of the beholder:

  https://en.wikipedia.org/wiki/IDN_homograph_attack

and has been the subject of much discussion over recent years and
little resolution.

I believe one popular proposal is browser support which either
visually flags such IDNs or displays the punycode alongside, which is
an ASCII representation and should make obvious that this is not what one
might suspect.

For example (from this wikipedia page): xn--bcher-kva.tld indicating
an umlauted 'u' is in there but importantly that it's not just
bucher.tld.

  https://en.wikipedia.org/wiki/Punycode

There's still the problem with intent. Could I legitimately offer for
sale the strings with and without the umlaut? I think that's generally
considered acceptable.

Caveat emptor?

 >
 > I understand that the Registries (are required to?) maintain a list of harmful
 > names for their TLDs, but there is no common minimal list of harmful names. One
 > possible way to achieve this is for the Registries, at least in the ASCII
 > space, to volunteer to feed their respective list of harmful names into a
 > common Registry Stakeholder database, and then draw up a common minimum list of
 > harmful domain names that any Registry could avoid registering.
 >
 > If At-Large could shape this as a workable suggestion, it could formally go to
 > the Registry Stakeholders.
 >
 > Sivasubramanian M
 > x[DELETED ATTACHMENT Screenshot_20180719-152932~2.png, PNG image]
 > _______________________________________________
 > At-Large mailing list
 > At-Large at atlarge-lists.icann.org
 > https://atlarge-lists.icann.org/mailman/listinfo/at-large
 >
 > At-Large Official Site: http://atlarge.icann.org

--
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
--
Andrey Kolesnikov
RIPN.NET
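
Added example, not written by any participant in this thread and not any registry's code: a Python sketch of the script-mixing check discussed above, together with the punycode display Barry Shein mentions. The script heuristic, the function names and the sample names are assumptions constructed for this illustration, as is reading "left and right" as the two sides of the dot.

```python
import unicodedata

# Characters that carry no script of their own in a hostname label.
NEUTRAL = set("0123456789-")

def scripts_of(label: str) -> set[str]:
    """Scripts used in one label.

    Heuristic (assumption): the script is the first word of the Unicode
    character name, e.g. LATIN, CYRILLIC, GREEK. A production check would
    use the Unicode Script property (UAX #24) instead.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch not in NEUTRAL
    }

def to_ascii(label: str) -> str:
    """ASCII (punycode) form of a label. Simplified: no IDNA normalisation."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def check_name(domain: str) -> dict:
    """Apply the 'no mixed scripts' practice to a full domain name."""
    labels = domain.lower().split(".")
    per_label = [scripts_of(lab) for lab in labels]
    if any(len(s) > 1 for s in per_label):
        verdict = "reject: mixed scripts inside a label"
    elif len(set().union(*per_label)) > 1:
        verdict = "reject: label and TLD scripts differ"
    else:
        verdict = "accept"
    return {"ascii": ".".join(to_ascii(lab) for lab in labels),
            "verdict": verdict}

if __name__ == "__main__":
    # Constructed samples; \u0430 is CYRILLIC SMALL LETTER A.
    for name in ("bücher.tld",            # single script, accepted
                 "\u0430ardvark.com",     # Cyrillic a + Latin: mixed label
                 "\u0430\u0430.com",      # Cyrillic label under Latin TLD
                 "\u0430\u0430.\u0431\u0433"):  # all Cyrillic: passes
        print(name, check_name(name))
```

The last sample is accepted because it uses a single script throughout, which is the remaining space the top message refers to: the check removes mixed-script names but not whole-script look-alikes.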
