[UA-discuss] Another difficulty to overcome ...

Asmus Freytag asmusf at ix.netcom.com
Tue Feb 20 18:05:08 UTC 2018


On 2/20/2018 12:54 AM, Jim DeLaHunt wrote:
>
> Multiple people have made the argument that having a browser show 
> A-labels ("punycode") instead of U-labels ("regular IDN") is desirable 
> as a way of fighting phishing.
>
> My rebuttal has three parts:
>
>  1. The underlying problem is that the registry (here, .com) permitted
>     registration of a domain name which was confusable with another
>     one. The right place to fight this kind of phishing with
>     confusable characters is at the domain registry level.
>  2. Even if you could magically prevent all confusable 2nd-level
>     domain name registrations, phishing would still be a problem.
>     Fraudsters have many tools, confusable 2nd-level names are only one
>     of them. There are also confusable names at the 4th or 5th levels
>     (e.g. microsoft.com.innocuous.deceptive.com), and misleading links
>     in message bodies, and so on.
>  3. The people for whom A-labels instead of U-labels [are more
>     readable] are a privileged set of Latin-script-reading Internet
>     users. The second billion internet users will predominantly be
>     people who read a different script than Latin. U-labels are a
>     requirement for them to have legible domain names for legitimate
>     sites. A-labels mean they don't get domain names which they can
>     read. And they deserve to be able to read their domain names and
>     email addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it 
> solid?  Can I improve it?
>
One edit above in []

There's a fallacy that A-labels are less confusable. Even for users of 
the Latin script. In fact, they obscure the intended destination almost 
as badly as URL shortening does... Otherwise we could all just use 
hashes like those used in URL shortening - and I'm not sure I'd call the 
latter a win for security.

Finally, there are some nice spoofing methods specific to A-labels.

A./
>
> Cheers,
>      —Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>> All,
>>
>>    I am aware of the good work going on in the UASG to get IDN at all 
>> levels natively supported in web-addresses and email and I fully 
>> support that.
>>
>> On the other hand there is a darker side of the web that people want to 
>> be protected from.
>> I just read this blog about some people that may actually find it 
>> better to see puny-code instead of regular IDN in order to detect 
>> spam and phishing.
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/ which 
>> is an opposite view of what UASG is trying to achieve.
>>
>>    Does/Will the UASG have a standpoint in this matter? Is this in 
>> scope of UASG or will we rely on the anti-virus industry or even 
>> registrars/registries to protect the world from abuses like this?
>>
>> Best regards,
>>
>> Ron Geens
>> DNS Belgium
>
> -- 
>      --Jim DeLaHunt,jdlh at jdlh.com      http://blog.jdlh.com/  (http://jdlh.com/)
>        multilingual websites consultant
>
>        355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>           Canada mobile +1-604-376-8953
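
As an added illustration (not part of any message in this thread): a defender-side check that decodes A-labels back to U-labels, flags labels mixing scripts (the kind of test a registry could apply under point 1), and reports the registrable domain for multi-level names like the one in point 2. The sample label is constructed, the script test is a character-name heuristic rather than the Unicode Script property, and the registrable domain is naively taken as the last two labels with no public suffix list.

```python
import unicodedata

ACE_PREFIX = "xn--"

def to_a_label(u_label: str) -> str:
    """U-label -> A-label with the RFC 3492 Punycode codec (no IDNA validation)."""
    u_label = u_label.lower()
    if u_label.isascii():
        return u_label
    return ACE_PREFIX + u_label.encode("punycode").decode("ascii")

def to_u_label(a_label: str) -> str:
    """A-label -> U-label; labels without the ACE prefix pass through."""
    a_label = a_label.lower()
    if not a_label.startswith(ACE_PREFIX):
        return a_label
    return a_label[len(ACE_PREFIX):].encode("ascii").decode("punycode")

def scripts(u_label: str) -> set:
    """Heuristic (assumption): script = first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in u_label if ch.isalpha()}

def review(hostname: str) -> dict:
    """Summarise a hostname for a human reviewer or a registration filter."""
    labels = [to_u_label(l) for l in hostname.rstrip(".").split(".")]
    return {
        "unicode": ".".join(labels),
        # Naive assumption: registrable domain = last two labels.
        "registrable": ".".join(labels[-2:]),
        # Mixed-script labels only; whole-script lookalikes need a confusables table.
        "mixed_script": [l for l in labels if len(scripts(l)) > 1],
    }

# Constructed sample: "example" with CYRILLIC SMALL LETTER A (U+0430) as 3rd letter.
MIXED = "ex\u0430mple"

if __name__ == "__main__":
    a_label = to_a_label(MIXED)
    # The A-label is ASCII but says nothing readable about what it imitates.
    print(a_label, "->", review(a_label + ".com"))
    # The deepest labels look familiar; the registrable domain is what matters.
    print(review("microsoft.com.innocuous.deceptive.com"))
```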

