[UA-discuss] UASG Response to WordFence IDN Phishing concerns

Jim DeLaHunt jfrom.uasg at jdlh.com
Wed Apr 26 23:16:04 UTC 2017


Hello, all:

I would like to contribute my suggestions for this IDN Phishing release.

My suggestion is about framing. It looks like the core framing that got 
traction 12 days ago is "Phishing with Unicode Domains". That is, 
domains ought to be ASCII, Unicode domains are this innovation, and it 
opens a hole. I suggest we confront that framing head-on, re-frame, and 
then respond within our own framing. That's what I've tried to do.

I moved the reference to the term Internationalized Domain Names out of 
the first paragraph. The first paragraph summarises the homograph 
attack.  I introduce the term IDN in its own paragraph, in the context 
of making the Internet globally accessible. Thus: the Internet ought to 
be global, domain names ought to be global, IDNs help make domain names 
global, and the great benefits this brings outweigh the fact that it 
adds a few tools to the scammer's toolkit.

I also try to frame the scammers as having many tools in their toolkit, 
and homograph attacks are a minor part of that toolkit.

I will borrow Jothan's excellent metaphor: treat my redline as a buffet, 
put on the tray what works.

        --Jim DeLaHunt, Vancouver, Canada

P.S. I think the Reddit conversation at 
<https://www.reddit.com/r/netsec/comments/65csdk/phishing_with_unicode_domains/> 
needs a reply that centres the Universal Acceptance and IDNs. I'll have 
a go at that also.


On 2017-04-24 14:40, Don Hollander wrote:
>
> Further to recent discussion on this list, we have drafted a document 
> that we plan on posting as a Blog Post to the UASG Web site that can 
> be referenced by others.
>
> We want to get feedback from the community on this document by 
> Thursday UTC.
>
> So, here it is – pasted below and as a word document in case you want 
> to enable tracking and make amendments.   If you have comments or 
> suggestions, please share them to this group.
>
> Don
>
> *IDNs and Phishing: What You Need to Know*
>
> By TBD at UASG
>
> Internationalized Domain Names 
> <https://www.icann.org/resources/pages/idn-2012-02-25-en> (IDNs) are 
> growing in popularity, a testament to their role in the expansion of 
> the global Internet and the value they provide in connecting 
> non-English speakers to the Web. However, you may have noticed a 
> renewed focus over the past week of a script mixing technique that 
> phishing scammers could potentially use to trick Internet users into 
> visiting malicious websites. This phishing method takes advantage of 
> the fact that characters from various languages and scripts are 
> sometimes visually similar to each other. For example, the Cyrillic 
> “а” and the ASCII <https://en.wikipedia.org/wiki/ASCII> “a” look 
> virtually identical. This technique is known as a homograph attack.
>
> Homographic phishing efforts associated with IDNs are not new. In 
> fact, they date back to the early 2000s. Registries have since 
> implemented policies that preclude mixing scripts[1] within 
> a domain name label.
>
> While this issue should be taken seriously and serves as an important 
> reminder of consumer safety, various IDN and anti-abuse groups are 
> actively working to mitigate potential threats, and there are already 
> certain browser-set protections in place. In the meantime, Internet 
> users should practice the same basic security hygiene that is always 
> recommended: avoid clicking suspicious links, and use a good password 
> manager that will only enter login credentials on trusted sites.
>
> Equally important is to recognize the benefits of IDNs and avoid 
> disabling them, which could lead to an unpredictable user experience 
> and eventually a decrease in adoption. IDNs are essential in bringing 
> non-English speakers – the majority of the world’s population – 
> online, and allowing those users to create their own highly relevant 
> online identities as well as navigate the Internet in their native 
> languages. In addition to the social and cultural benefits of IDNs, 
> they also represent a significant economic opportunity; a recent 
> report <https://uasg.tech/whitepaper/> commissioned by the Universal 
> Acceptance Steering Group (UASG) found that online spending from new 
> IDN users could start at USD 6.2 billion per year.
>
> The UASG’s mission is to help software developers and website owners 
> keep pace with the evolving Domain Name System (DNS) – and this 
> includes issues around the adoption and acceptance of IDNs. If you’d 
> like to get involved in helping work toward a solution to this and 
> other IDN-related issues, please visit https://uasg.tech/ or get in 
> touch <https://uasg.tech/contact/> to learn more.
>
>
> ------------------------------------------------------------------------
>
> [1] Exceptions are practiced for languages with established 
> orthographies and conventions that require the commingled use of 
> multiple scripts, e.g. the Japanese writing system.
>

-- 
     --Jim DeLaHunt, jdlh at jdlh.com     http://blog.jdlh.com/ (http://jdlh.com/)
       multilingual websites consultant

       355-1027 Davie St, Vancouver BC V6E 4L2, Canada
          Canada mobile +1-604-376-8953
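As an added example, not part of this thread or the UASG draft, here is a defender-side check in Python for the script-mixing homograph pattern the draft describes (Cyrillic "а" beside ASCII "a"), including the Japanese mixed-script exception its footnote mentions. The allowed-mix table and the lookalike set below are illustrative assumptions, not any registry's actual policy or the full Unicode confusables list; all sample labels are constructed.

```python
# Added example: classify a single domain label by the Unicode scripts it mixes.
import unicodedata

# Script combinations a registry might permit within one label. Illustrative
# assumption only; the draft's footnote names the Japanese writing system.
ALLOWED_MIXES = [
    {"CJK", "HIRAGANA", "KATAKANA"},  # Japanese: kanji + kana
]

# Illustrative subset of lowercase Cyrillic letters that are near-identical to
# Latin letters (a e o p c y x). Not the full Unicode confusables table.
CYRILLIC_LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445")

# Digits and hyphen are script-neutral and never count as a script.
NEUTRAL = {"DIGIT", "HYPHEN"}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    name = unicodedata.name(ch, "UNKNOWN")
    # "CJK UNIFIED IDEOGRAPH-65E5" -> "CJK"; "HYPHEN-MINUS" -> "HYPHEN"
    return name.split()[0].split("-")[0]


def to_unicode_label(label):
    """Decode an A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label.lower()


def check_label(label):
    """Return (verdict, scripts): 'single-script', 'allowed-mix',
    'mixed-script' or 'lookalike-only' (all-Cyrillic, all Latin lookalikes)."""
    ulabel = to_unicode_label(label)
    scripts = {script_of(ch) for ch in ulabel} - NEUTRAL
    if len(scripts) > 1:
        if any(scripts <= mix for mix in ALLOWED_MIXES):
            return "allowed-mix", scripts
        return "mixed-script", scripts
    # A single-script Cyrillic label built only from Latin lookalikes still
    # mimics an ASCII name, so flag it separately for review.
    letters = [ch for ch in ulabel if script_of(ch) not in NEUTRAL]
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters):
        return "lookalike-only", scripts
    return "single-script", scripts


if __name__ == "__main__":
    # Constructed samples: Latin, Latin+Cyrillic, Japanese kanji+katakana, Cyrillic
    for sample in ["example", "p\u0430ypal", "\u65e5\u672c\u30c9\u30e1\u30a4\u30f3", "\u0441\u043e\u0440\u0443"]:
        verdict, scripts = check_label(sample)
        print(f"{sample!r}: {verdict} {sorted(scripts)}")
```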

-------------- next part --------------
A non-text attachment was scrubbed...
Name: IDN response blog - v3 DH (JDLH comments) 2017-04d.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 14760 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ua-discuss/attachments/20170426/d788c8d2/IDNresponseblog-v3DHJDLHcomments2017-04d.docx>
