[UA-discuss] Another difficulty to overcome ...

Chaals McCathie Nevile chaals at yandex.ru
Tue Feb 20 09:40:31 UTC 2018


The strongest argument against showing A-labels is the technical side of  
point 3, and IMHO it is sufficient to make the case. Point 2 is a true  
statement but doesn't address the problem. Point 1 is about what else  
should be done to address the problem, but does not directly rebut the  
suggestion.

In more detail, (for anyone in this choir who wants the full sermon ;) )

People who more naturally read a non-Latin script - the primary market for  
non-Latin script - are generally more able to read that accurately and  
less able to spot oddities in Latin script or another script they don't  
read.

This isn't a question of "deserving" to be allowed to use your own script  
(although it is true people do deserve that IMHO).

It is about ensuring that people can effectively notice whether something  
is a meaningful URL they were looking for, or a corrupted version. It is  
easier for most people in their own script than noticing a corrupted  
version of a punycode string.

This is also generally true for e.g. Europeans who do read Latin script.  
Dahlström, Dahlstrom, and Dahlstrőm *are* similar, and could be used for  
phishing attacks (one of them is part of a friend's email address). But  
xn--ksjdlfn and xn--sekdrtb are actually gibberish, and spotting whether  
gibberish has a mistake is pretty difficult for normal people.

A better idea might be larger fonts, to make differences clearer.

On user demand, offering a strict non-ambiguous *transliteration* could  
help (whether that is from or to a script such as Latin, or doesn't  
involve it at all as between say Thai and Arabic). But transliteration  
introduces some thorny and well-known problems. I hope that is the reason  
it isn't widely available, rather than just because a bunch of engineers  
assume everything begins with Latin script anyway...

cheers

On Tue, 20 Feb 2018 09:54:40 +0100, Jim DeLaHunt <jfrom.uasg at jdlh.com>
wrote:

> Multiple people have made the argument that having a browser show
> A-labels ("punycode") instead of U-labels ("regular IDN") is
> desirable as a way of fighting phishing.
>
> My rebuttal has three parts:
>
> 1. The underlying problem is that the registry (here, .com)
>    permitted registration of a domain name which was confusable
>    with another one. The right place to fight this kind of phishing
>    with confusable characters is at the domain registry level.
>
> 2. Even if you could magically prevent all confusable 2nd-level
>    domain name registrations, phishing would still be a problem.
>    Fraudsters have many tools, confusable 2nd-level names are only
>    one of them. There are also confusable names at the 4th or 5th
>    levels (e.g. microsoft.com.innocuous.deceptive.com), and
>    misleading links in message bodies, and so on.
>
> 3. The people for whom A-labels instead of U-labels are a
>    privileged set of Latin-script reading Internet users. The
>    second billion internet users will predominantly be people who
>    read a different script than Latin. U-labels are a requirement
>    for them to have legible domain names for legitimate sites.
>    A-labels mean they don't get domain names which they can read.
>    And they deserve to be able to read their domain names and email
>    addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it
> solid? Can I improve it? Cheers,
>
> —Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>
>> All,
>>
>> I am aware of the good work going on in the UASG
>> to get IDN at all levels natively supported in web-addresses and
>> email and I fully support that.
>>
>> On the other hand there is a darker side of the web
>> that people want to be protected from.
>>
>> I just read this blog about some people that may
>> actually find it better to see puny-code instead of regular IDN
>> in order to detect spam and phishing.
>>
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/
>> which is an opposite view of what UASG is trying to achieve.
>>
>> Does/Will the UASG have a standpoint in this
>> matter? Is this in scope of UASG or will we rely on the
>> anti-virus industry or even registrars/registries to protect the
>> world from abuses like this?
>>
>> Best regards,
>>
>> Ron Geens
>>
>> DNS Belgium
>
> --
> Jim DeLaHunt, jdlh at jdlh.com     http://blog.jdlh.com/ (http://jdlh.com/)
> multilingual websites consultant
>
> 355-1027 Davie St, Vancouver BC V6E 4L2, Canada
> Canada mobile +1-604-376-8953



-- 
Chaals is Charles McCathie Nevile
find more at http://yandex.com
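
To make the comparison in the message above concrete, the following added example (not part of the original post) computes the real A-labels for the three names it mentions and groups labels that collapse to the same string once diacritics are stripped. `fold` and `collisions` are hypothetical helper names, and the diacritic fold is a simplification standing in for a full confusables check; the conversion skips the mapping and validation steps of full IDNA processing.

```python
import unicodedata

# Constructed sample: the three look-alike names from the message, as labels.
NAMES = ["dahlström", "dahlstrom", "dahlstrőm"]


def to_a_label(u_label: str) -> str:
    """Return the A-label for one U-label (RFC 3492 Punycode, 'xn--' prefix)."""
    label = unicodedata.normalize("NFC", u_label.lower())
    if label.isascii():
        return label  # a pure-ASCII label is displayed unchanged
    return "xn--" + label.encode("punycode").decode("ascii")


def to_u_label(a_label: str) -> str:
    """Inverse of to_a_label: recover the readable form of an A-label."""
    if not a_label.startswith("xn--"):
        return a_label
    return a_label[4:].encode("ascii").decode("punycode")


def fold(u_label: str) -> str:
    """Simplified skeleton: drop combining marks after NFKD decomposition.

    Assumption: this only catches diacritic variants of the same base
    letters; it is not a cross-script confusables table.
    """
    decomposed = unicodedata.normalize("NFKD", u_label.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def collisions(labels):
    """Group labels whose folded form is identical (candidates for review)."""
    groups = {}
    for label in labels:
        groups.setdefault(fold(label), []).append(label)
    return {key: group for key, group in groups.items() if len(group) > 1}


if __name__ == "__main__":
    for name in NAMES:
        print(f"{name:12} -> {to_a_label(name)}")
    print(collisions(NAMES))
```

The two non-ASCII names share the prefix `xn--dahlstrm-` and differ only in a short encoded suffix, which is the part a reader would have to check by eye if only A-labels were shown.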

