[UA-discuss] Re : And now about phishing...

Asmus Freytag asmusf at ix.netcom.com
Wed Apr 19 20:44:42 UTC 2017 

On 4/19/2017 6:11 AM, Tan Tanaka, Dennis via UA-discuss wrote:
>
> The thing with homoglyphs is that it depends on the choice of font 
> type and size. That’s why it is hard to define the set. For example, 
> in certain font types lower case L ‘l’ and number one ‘1’ (both ASCII) 
> look almost identical.
>

For this reason, I like to distinguish between true homoglyphs 
(identical or near identical appearance by design or across the range of 
typical UI fonts) on the one hand, and 'merely' similar code points on 
the other.

In its most general incarnation, similarity can be accidental. For 
example "rn" and "m" are harder to distinguish that one might think. 
This general issue needs to be addressed, but it involves a lot of 
subjectivity. It also involves cases where of three similar items, one 
pair may appear distinct, while two other pairs are not. (For a true 
homograph, the homograph relation should be transitive).

> To deal with cases of cross-script homoglyphs, the ICANN IDN 
> guidelines have a requirement to prohibited such registrations (i.e. 
> mixing Cyrillic with Latin in a single label) except for in cases of 
> established orthographies, such as Japanese (i.e. Japanese uses three 
> different scripts: Han, Hiragana and Katakana).
>

The prohibition on script mixing in a single label is useful for a 
number of cases, but doesn't cover anywhere near the full scope of the 
problem.

Many scripts have an "o". Disallowing script mixing makes sure that one 
cannot spoof a label containing an "o", by substituting an "o" from 
another script. So far, so good.

However, the labels "ooo", "oooo" and so on are not protected. Writing 
the whole label in the other script makes it 'legal', but it can still 
be used for spoofing.

When this only affects a handful of labels  (how many strings consisting 
entirely of "o" will be registered?) the benefit of a general solution 
is likewise limited. The problem is those scripts that more than one 
code point like that. E.g. "p", "e", "s" etc. exist in equivalent shapes 
in both Latin and Cyrillic. Many more labels are thus subject to a 
whole-label homograph attack, and the prohibition against script mixing 
doesn't help.

A more robust approach is to make cross-script homoglyphs blocked 
variants of each other. This ensures that look-alike strings become 
mutually exclusive: only one can be delegated. (Note, by the way, that 
the reduction of available labels is not as big as it might appear: most 
labels would contain at least one script-unique letter, making it secure 
from a homograph attack like that).

For a discussion of variants, read: 
https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/

A./

> -Dennis
>
> *From: *<ua-discuss-bounces at icann.org> on behalf of deepak 
> <deepak.singhal at dil.in>
> *Date: *Wednesday, April 19, 2017 at 1:33 AM
> *To: *Dusan Stojicevic <dusan at dukes.in.rs>, "UA-discuss at icann.org" 
> <ua-discuss at icann.org>
> *Subject: *[EXTERNAL] [UA-discuss] Re : And now about phishing...
>
> Hi,
>
>
>     These are  homoglyph character  http://homoglyphs.net/ which can 
> be use in phishing ..
>
> Regards
> Deepak Singhal
>
> ------------------------------------------------------------------------
>
> *From:* "Dusan Stojicevic" <dusan at dukes.in.rs> MailId : [68261406]
> *To:* "ua-discuss" <UA-discuss at icann.org>
> *Subject: *[UA-discuss] And now about phishing...
> *Date:* 19 Apr 2017 12:24:34 AM
>
> Interesting and possible>
>
> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
>
> Cheers,
>
> Dusan
>
> mage removed by sender. 
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon>
>
> 	
>
> Virus-free. www.avast.com 
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>
>
>
> Do not Remove:
> [HID]20170419002433157[-HID]
>
>
> [XGENFOOTER]
>
> [-XGENFOOTER]
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ua-discuss/attachments/20170419/14535cde/attachment.html>

More information about the UA-discuss mailing list