[UA-discuss] Another difficulty to overcome ...

Mark Svancarek marksv at microsoft.com
Tue Feb 20 18:08:25 UTC 2018

I like Jim's rebuttal in entirety, but would re-order 123 --> 321 per Chaals comments.

-----Original Message-----
From: UA-discuss <ua-discuss-bounces at icann.org> On Behalf Of Chaals McCathie Nevile
Sent: Tuesday, February 20, 2018 1:41 AM
To: ua-discuss at icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...

The strongest argument against showing A-labels is the technical side of point 3, and IMHO it is sufficient to make the case. Point 2 is a true statement but doesn't address the problem. Point 1 is about what else should be done to address the problem, but does not directly rebut the suggestion.

In more detail, (for anyone in this choir who wants the full sermon ;) )

People who more naturally read a non-latin script - the primary market for non-latin script - are generally more able to read that accurately and less able to spot oddities in latin script or another script they don't read.

This isn't a question of "deserving" to be allowed to use your own script (although it is true people do deserve that IMHO).

It is about ensuring that people can effectively notice whether something is a meaningful URL they were looking for, or a corrupted version. It is easier for most people in their own script than noticing a corrupted version of a punycode string.

This is also generally true for e.g. Europeans who do read Latin script.  
Dahlström, Dahlstrom, and Dahlstrőm *are* similar, and could be used for phishing attacks (one of them is part of a friend's email address). but xn--ksjdlfn and xn--sekdrtb are actually gibberish, and spotting whether gibberish has a mistake is pretty difficult for normal people.

A better idea might be larger fonts, to make differences clearer.

On user demand, offering a strict non-ambiguous *transliteration* could help (whether that is from or to a script such as Latin, or doesn't involve it at all as between say Thai and Arabic). But transliteration introduces some thorny and well-known problems. I hope that is the reason it isn't widely available, rather than just because a bunch of engineers assume everything begins with Latin script anyway...



On Tue, 20 Feb 2018 09:54:40 +0100, Jim DeLaHunt <jfrom.uasg at jdlh.com>

>   Multiple people have made the argument that having a browser show
>      A-labels ("punycode") instead of U-labels ("regular IDN") is
>      desirable as a way of fighting phishing.
>   My rebuttal has three parts:
>       1. The underlying problem is that the registry (here, .com)
>        permitted registration of a domain name which was confusable
>        with another one. The right place to fight this kind of phishing
>        with confusable characters is at the domain registry level.
>     2. Even if you could magically prevent all confusable 2nd-level
>        domain name registrations, phishing would still be a problem.
>        Fraudsters have many tools, confusable 2nd-level names is only
>        one of them. There are also confusable names at the 4th or 5th
>        levels (e.g. microsoft.com.innocuous.deceptive.com), and
>        misleading links in message bodies, and so on.
>         3. The people for whom A-labels instead of U-labels are a
>        privileged set of latin-script reading Internet users. The
>        second billion internet users will predominantly be people who
>        read a different script than latin. U-labels are a requirement
>        for them to have legible domain names for legitimate sites.
>        A-labels mean they don't get domain names which they can read.
>        And they deserve to be able to read their domain names and email
>        addresses.

>   This is an excellent audience for me to test my rebuttal. Is it
>      solid?  Can I improve it?   Cheers,
>           —Jim DeLaHunt, Vancouver, Canada
>     On 2018-02-19 23:36, Ronald Geens
>      wrote:
>>          All,
>>               I am aware of the good work going on in the UASG
>>        to get IDN at all levels natively supported in web-adresses and
>>        email and I fully support that.
>>             On the other hand there is darker side of the web
>>        that people want to be protected from.
>>     I just read this blog about some people that may
>>        actually find it better to see puny-code in stead of regular IDN
>>        in order to detect spam and phishing.
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fma.t
>> tias.be%2Fshow-idn-punycode-firefox-avoid-phishing-urls%2F&data=04%7C
>> 01%7Cmarksv%40microsoft.com%7Cf1f66762f22b4b0f20b908d578460c54%7C72f9
>> 88bf86f141af91ab2d7cd011db47%7C1%7C1%7C636547164644768767%7CUnknown%7
>> CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3
>> D%3D%7C-1&sdata=5EXp%2Fkh8hb8Qzm24y8yPWeKJ3lLE28FzIv7CHvX2C4E%3D&rese
>> rved=0
>> which
>>        is an opposite view of what UASG is trying to achieve.
>>               Does/Will the UASG have a standpoint in this
>>        matter ? Is this in scope of UASG or will we rely on the
>>        anti-virus industry or even registrars/registries to protect the
>>        world from abuses like this ?
>>             Best regards,
>>             Ron Geens
>>     DNS Belgium
>     --   --Jim DeLaHunt, jdlh at jdlh.com     https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblog.jdlh.com%2F&data=04%7C01%7Cmarksv%40microsoft.com%7Cf1f66762f22b4b0f20b908d578460c54%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636547164644768767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=zsgXxJAX%2FvmuAS2OaK7GEtxOP2oh816zNG3d7cugGJg%3D&reserved=0  
> (https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fjdlh.com%2F&data=04%7C01%7Cmarksv%40microsoft.com%7Cf1f66762f22b4b0f20b908d578460c54%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636547164644768767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=VQBSfH2vD4Z5snL9nZiMAQheZrszgF0%2FMHZwM%2B2tRr0%3D&reserved=0)
>      multilingual websites consultant
>      355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>         Canada mobile +1-604-376-8953

Chaals is Charles McCathie Nevile
find more at https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fyandex.com&data=04%7C01%7Cmarksv%40microsoft.com%7Cf1f66762f22b4b0f20b908d578460c54%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636547164644768767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=zTS4b%2Bl9vylzCpslPxZjLoInKeE1btfIJcJSouOz3CQ%3D&reserved=0

More information about the UA-discuss mailing list