[UA-discuss] Re : And now about phishing...

Asmus Freytag asmusf at ix.netcom.com
Thu Apr 20 22:52:37 UTC 2017


On 4/20/2017 3:24 PM, Dusan Stojicevic wrote:
>
> More on the issue… any comments? Someone from Google here?
>
> https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/
>

If you think about it, the following recommendation at the end is 
anathema to "Universal acceptance":

    "Zheng is encouraging Firefox users to limit their exposure to the
    bug by going to the browser’s about:config settings and setting
    network.IDN_show_punycode to true. By doing this Firefox will always
    display IDN domains in its Punycode form, something that should make
    it easier to identify malicious domains, the researcher claims."

If you do that, you implicitly assume that only the "non-IDN" links are 
"real", in other words, you assume an English-only environment. (When 
stuff is displayed as Punycode, you usually can't tell what domain it 
is, except you can guess for some European ones with very few special 
characters, but you can't be sure unless the Unicode form is at least 
also displayed, which I think is not what that config change means).

A./
>
> Cheers,
>
> Dusan
>
> *From:*ua-discuss-bounces at icann.org 
> [mailto:ua-discuss-bounces at icann.org] *On Behalf Of *Richard Merdinger
> *Sent:* Wednesday, April 19, 2017 11:15 PM
> *To:* Asmus Freytag <asmusf at ix.netcom.com>; ua-discuss at icann.org
> *Subject:* Re: [UA-discuss] Re : And now about phishing...
>
> Thank you for the thoughtful reply, Asmus.
>
> --Rich
>
> Richard Merdinger
>
> VP, Domains - GoDaddy
>
> *From: *<ua-discuss-bounces at icann.org 
> <mailto:ua-discuss-bounces at icann.org>> on behalf of Asmus Freytag 
> <asmusf at ix.netcom.com <mailto:asmusf at ix.netcom.com>>
> *Date: *Wednesday, April 19, 2017 at 3:44 PM
> *To: *"ua-discuss at icann.org <mailto:ua-discuss at icann.org>" 
> <ua-discuss at icann.org <mailto:ua-discuss at icann.org>>
> *Subject: *Re: [UA-discuss] Re : And now about phishing...
>
> On 4/19/2017 6:11 AM, Tan Tanaka, Dennis via UA-discuss wrote:
>
>     The thing with homoglyphs is that it depends on the choice of font
>     type and size. That’s why it is hard to define the set. For
>     example, in certain font types lower case L ‘l’ and number one ‘1’
>     (both ASCII) look almost identical.
>
>
> For this reason, I like to distinguish between true homoglyphs 
> (identical or near identical appearance by design or across the range 
> of typical UI fonts) on the one hand, and 'merely' similar code points 
> on the other.
>
> In its most general incarnation, similarity can be accidental. For 
> example "rn" and "m" are harder to distinguish than one might think. 
> This general issue needs to be addressed, but it involves a lot of 
> subjectivity. It also involves cases where, of three similar items, one 
> pair may appear distinct while the other two pairs do not. (For a true 
> homograph, the homograph relation should be transitive).
>
>     To deal with cases of cross-script homoglyphs, the ICANN IDN
>     guidelines have a requirement to prohibit such registrations
>     (i.e. mixing Cyrillic with Latin in a single label) except for in
>     cases of established orthographies, such as Japanese (i.e.
>     Japanese uses three different scripts: Han, Hiragana and Katakana).
>
>
> The prohibition on script mixing in a single label is useful for a 
> number of cases, but doesn't cover anywhere near the full scope of the 
> problem.
>
> Many scripts have an "o". Disallowing script mixing makes sure that 
> one cannot spoof a label containing an "o", by substituting an "o" 
> from another script. So far, so good.
>
> However, the labels "ooo", "oooo" and so on are not protected. Writing 
> the whole label in the other script makes it 'legal', but it can still 
> be used for spoofing.
>
> When this only affects a handful of labels (how many strings 
> consisting entirely of "o" will be registered?) the benefit of a 
> general solution is likewise limited. The problem is those scripts 
> that have more than one code point like that. E.g. "p", "e", "s" etc. exist 
> in equivalent shapes in both Latin and Cyrillic. Many more labels are 
> thus subject to a whole-label homograph attack, and the prohibition 
> against script mixing doesn't help.
>
> A more robust approach is to make cross-script homoglyphs blocked 
> variants of each other. This ensures that look-alike strings become 
> mutually exclusive: only one can be delegated. (Note, by the way, that 
> the reduction of available labels is not as big as it might appear: 
> most labels would contain at least one script-unique letter, making it 
> secure from a homograph attack like that).
>
> For a discussion of variants, read: 
> https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/
>
> A./
>
>     -Dennis
>
>     *From: *<ua-discuss-bounces at icann.org>
>     <mailto:ua-discuss-bounces at icann.org> on behalf of deepak
>     <deepak.singhal at dil.in> <mailto:deepak.singhal at dil.in>
>     *Date: *Wednesday, April 19, 2017 at 1:33 AM
>     *To: *Dusan Stojicevic <dusan at dukes.in.rs>
>     <mailto:dusan at dukes.in.rs>, "UA-discuss at icann.org"
>     <mailto:UA-discuss at icann.org> <ua-discuss at icann.org>
>     <mailto:ua-discuss at icann.org>
>     *Subject: *[EXTERNAL] [UA-discuss] Re : And now about phishing...
>
>     Hi,
>
>
>     These are homoglyph characters http://homoglyphs.net/ which
>     can be used in phishing.
>
>     Regards
>     Deepak Singhal
>
>     ------------------------------------------------------------------------
>
>     *From:* "Dusan Stojicevic" <dusan at dukes.in.rs>
>     <mailto:dusan at dukes.in.rs>
>     *To:* "ua-discuss" <UA-discuss at icann.org>
>     <mailto:UA-discuss at icann.org>
>     *Subject: *[UA-discuss] And now about phishing...
>     *Date:* 19 Apr 2017 12:24:34 AM
>
>     Interesting and possible:
>
>     https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
>
>     Cheers,
>
>     Dusan
>


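The thread above discusses three distinct ideas: the Punycode (A-label) form Firefox shows when network.IDN_show_punycode is set, the ICANN rule against mixing scripts in one label, and Asmus's point that whole-script confusables such as an all-Cyrillic "ooo" pass that rule and are better handled by making cross-script homoglyphs blocked variants of each other. The following is an added example, not code from this list, from ICANN, or from any browser: it implements those three checks side by side in Python. The homoglyph table is a small constructed subset (the authoritative data is the Unicode confusables list in UTS #39); script detection is approximated from character names because unicodedata does not expose the Script property; to_punycode performs only the Punycode step, not full IDNA mapping and validation; the "merely similar" table ("rn" for "m") is the font-dependent class Asmus sets apart from true homoglyphs and is applied only on request. The VariantRegistry is my reading of the blocked-variant policy, not a registry's actual implementation.

```python
import unicodedata

# Constructed subset of cross-script homoglyphs: non-Latin letters whose
# glyphs coincide with a Latin letter in typical UI fonts. Illustrative only;
# the complete data lives in the Unicode confusables table (UTS #39).
TRUE_HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
# "Merely similar" same-script sequences: font dependent, hence subjective,
# so they are opt-in rather than part of the true-homoglyph skeleton.
MERELY_SIMILAR = {"rn": "m", "vv": "w"}

_SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK")


def script_of(ch: str) -> str:
    """Approximate the Unicode Script property from the character name.
    Digits, hyphen and anything unrecognised count as COMMON (assumption)."""
    first = unicodedata.name(ch, "").split(" ", 1)[0]
    return first if first in _SCRIPT_PREFIXES else "COMMON"


def scripts(label: str) -> set:
    """Set of real scripts used in the label, ignoring COMMON characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_mixed_script(label: str) -> bool:
    """The ICANN IDN guideline rule: more than one script in a single label."""
    return len(scripts(label)) > 1


def skeleton(label: str, include_similar: bool = False) -> str:
    """Map each code point to its Latin look-alike. Two labels with the same
    skeleton are homograph variants of each other."""
    s = "".join(TRUE_HOMOGLYPHS.get(c, c) for c in label)
    if include_similar:
        for seq, target in MERELY_SIMILAR.items():
            s = s.replace(seq, target)
    return s


def is_whole_script_confusable(label: str) -> bool:
    """Single non-Latin script whose every letter has a Latin twin: passes the
    no-mixing rule yet spoofs a Latin label (the all-Cyrillic 'ooo' case)."""
    sc = scripts(label)
    return len(sc) == 1 and "LATIN" not in sc and skeleton(label).isascii()


def to_punycode(label: str) -> str:
    """A-label form, what Firefox displays with network.IDN_show_punycode=true.
    Only the Punycode encoding step; real IDNA also maps and validates."""
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_punycode(alabel: str) -> str:
    """Inverse of to_punycode for lowercase NFC input."""
    if not alabel.startswith("xn--"):
        return alabel
    return alabel[4:].encode("ascii").decode("punycode")


class VariantRegistry:
    """Blocked-variant policy: once a label is delegated, every label sharing
    its skeleton is blocked, so look-alike strings are mutually exclusive.
    Labels with a script-unique letter never collide and stay registrable."""

    def __init__(self):
        self._holder_by_skeleton = {}

    def request(self, label: str) -> str:
        label = unicodedata.normalize("NFC", label).lower()
        if is_mixed_script(label):
            return "rejected: mixed scripts"
        key = skeleton(label)
        holder = self._holder_by_skeleton.get(key)
        if holder is None:
            self._holder_by_skeleton[key] = label
            return "delegated"
        if holder == label:
            return "already delegated"
        return "blocked: variant of " + to_punycode(holder)


if __name__ == "__main__":
    reg = VariantRegistry()
    for candidate in ("scope", "\u0455\u0441\u043e\u0440\u0435",  # Cyrillic "scope"
                      "\u0436\u0434\u0430\u0442\u044c",            # Cyrillic "ждать"
                      "p\u0430ypal"):                              # Latin + Cyrillic a
        print(candidate, to_punycode(candidate), is_mixed_script(candidate),
              is_whole_script_confusable(candidate), reg.request(candidate))
```

Run stand-alone it shows the three outcomes Asmus contrasts: the mixed-script "p" + Cyrillic "a" + "ypal" is rejected by the script-mixing rule alone; the all-Cyrillic look-alike of "scope" is not mixed and would be legal under that rule, but the skeleton check flags it and the registry blocks it as a variant of the already delegated Latin label; the all-Cyrillic "ждать" contains script-unique letters, collides with nothing, and is delegated.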
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ua-discuss/attachments/20170420/383a3464/attachment.html>
