[UA-discuss] UA-discuss Digest, Vol 38, Issue 11

Harish Chowdhary harish at nixi.in
Wed Feb 21 12:18:44 UTC 2018


+1

Thanks,
Harish Chowdhary,
ISOC IETF FELLOW
inSIG 2017 FELLOW
www.nixi.in | www.indiaig.in

From: ua-discuss-request at icann.org
Sent: Wed, 21 Feb 2018 17:30:13 GMT+0530
To: ua-discuss at icann.org
Subject: UA-discuss Digest, Vol 38, Issue 11

Send UA-discuss mailing list submissions to
	ua-discuss at icann.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://mm.icann.org/mailman/listinfo/ua-discuss
or, via email, send a message with subject or body 'help' to
	ua-discuss-request at icann.org

You can reach the person managing the list at
	ua-discuss-owner at icann.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of UA-discuss digest..."

Today's Topics:

   1. Re: Another difficulty to overcome ... (Asmus Freytag)
   2. Re: Another difficulty to overcome ... (Mark Svancarek)
   3. Re: Another difficulty to overcome ... (Andrew Sullivan)
   4. Re: Another difficulty to overcome ... (Andrew Sullivan)

----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Feb 2018 10:05:08 -0800
From: Asmus Freytag <asmusf at ix.netcom.com>
To: ua-discuss at icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <441b9b4f-3546-6acf-6d6e-e369286b3040 at ix.netcom.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 2/20/2018 12:54 AM, Jim DeLaHunt wrote:
>
> Multiple people have made the argument that having a browser show
> A-labels ("punycode") instead of U-labels ("regular IDN") is desirable
> as a way of fighting phishing.
>
> My rebuttal has three parts:
>
>  1. The underlying problem is that the registry (here, .com) permitted
>     registration of a domain name which was confusable with another
>     one. The right place to fight this kind of phishing with
>     confusable characters is at the domain registry level.
>  2. Even if you could magically prevent all confusable 2nd-level
>     domain name registrations, phishing would still be a problem.
>     Fraudsters have many tools, confusable 2nd-level names is only one
>     of them. There are also confusable names at the 4th or 5th levels
>     (e.g. microsoft.com.innocuous.deceptive.com), and misleading links
>     in message bodies, and so on.
>  3. The people for whom A-labels instead of U-labels [are more
>     readable] are a privileged set of latin-script reading Internet
>     users. The second billion internet users will predominantly be
>     people who read a different script than latin. U-labels are a
>     requirement for them to have legible domain names for legitimate
>     sites. A-labels mean they don't get domain names which they can
>     read. And they deserve to be able to read their domain names and
>     email addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it
> solid?  Can I improve it?
>
One edit above in []

There's a fallacy that A-labels are less confusable. Even for users of
the Latin script. In fact, they obscure the intended destination almost
as badly as URL shortening does... Otherwise we could all just use
hashes like those used in URL shortening - and I'm not sure I'd call the
latter a win for security.

Finally, there are some nice spoofing methods specific to a-labels.

A./

> Cheers,
>     --Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>> All,
>>
>>    I am aware of the good work going on in the UASG to get IDN at all
>> levels natively supported in web-addresses and email and I fully
>> support that.
>>
>> On the other hand there is darker side of the web that people want to
>> be protected from.
>> I just read this blog about some people that may actually find it
>> better to see puny-code instead of regular IDN in order to detect
>> spam and phishing.
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/ which
>> is an opposite view of what UASG is trying to achieve.
>>
>>    Does/Will the UASG have a standpoint in this matter ? Is this in
>> scope of UASG or will we rely on the anti-virus industry or even
>> registrars/registries to protect the world from abuses like this ?
>>
>> Best regards,
>>
>> Ron Geens
>> DNS Belgium
>
> --
>     --Jim DeLaHunt, jdlh at jdlh.com      http://blog.jdlh.com/  (http://jdlh.com/)
>       multilingual websites consultant
>
>       355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>          Canada mobile +1-604-376-8953

------------------------------

Message: 2
Date: Tue, 20 Feb 2018 18:08:25 +0000
From: Mark Svancarek <marksv at microsoft.com>
To: Chaals McCathie Nevile <chaals at yandex.ru>, "ua-discuss at icann.org" <ua-discuss at icann.org>
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <BL0PR2101MB08838933734E2C5FA1474E96D1CF0 at BL0PR2101MB0883.namprd21.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

I like Jim's rebuttal in entirety, but would re-order 123 --> 321 per Chaals comments.

-----Original Message-----
From: UA-discuss <ua-discuss-bounces at icann.org> On Behalf Of Chaals McCathie Nevile
Sent: Tuesday, February 20, 2018 1:41 AM
To: ua-discuss at icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...

The strongest argument against showing A-labels is the technical side of point 3, and IMHO it is sufficient to make the case. Point 2 is a true statement but doesn't address the problem. Point 1 is about what else should be done to address the problem, but does not directly rebut the suggestion.

In more detail, (for anyone in this choir who wants the full sermon ;) )

People who more naturally read a non-latin script - the primary market for non-latin script - are generally more able to read that accurately and less able to spot oddities in latin script or another script they don't read.

This isn't a question of "deserving" to be allowed to use your own script (although it is true people do deserve that IMHO).

It is about ensuring that people can effectively notice whether something is a meaningful URL they were looking for, or a corrupted version. It is easier for most people in their own script than noticing a corrupted version of a punycode string.

This is also generally true for e.g. Europeans who do read Latin script.  Dahlström, Dahlstrom, and Dahlstrøm *are* similar, and could be used for phishing attacks (one of them is part of a friend's email address). but xn--ksjdlfn and xn--sekdrtb are actually gibberish, and spotting whether gibberish has a mistake is pretty difficult for normal people.

A better idea might be larger fonts, to make differences clearer.

On user demand, offering a strict non-ambiguous *transliteration* could help (whether that is from or to a script such as Latin, or doesn't involve it at all as between say Thai and Arabic). But transliteration introduces some thorny and well-known problems. I hope that is the reason it isn't widely available, rather than just because a bunch of engineers assume everything begins with Latin script anyway...

cheers.

On Tue, 20 Feb 2018 09:54:40 +0100, Jim DeLaHunt <jfrom.uasg at jdlh.com> wrote:

> Multiple people have made the argument that having a browser show
> A-labels ("punycode") instead of U-labels ("regular IDN") is
> desirable as a way of fighting phishing.
>
> My rebuttal has three parts:
>
>   1. The underlying problem is that the registry (here, .com)
>      permitted registration of a domain name which was confusable
>      with another one. The right place to fight this kind of phishing
>      with confusable characters is at the domain registry level.
>
>   2. Even if you could magically prevent all confusable 2nd-level
>      domain name registrations, phishing would still be a problem.
>      Fraudsters have many tools, confusable 2nd-level names is only
>      one of them. There are also confusable names at the 4th or 5th
>      levels (e.g. microsoft.com.innocuous.deceptive.com), and
>      misleading links in message bodies, and so on.
>
>   3. The people for whom A-labels instead of U-labels are a
>      privileged set of latin-script reading Internet users. The
>      second billion internet users will predominantly be people who
>      read a different script than latin. U-labels are a requirement
>      for them to have legible domain names for legitimate sites.
>      A-labels mean they don't get domain names which they can read.
>      And they deserve to be able to read their domain names and email
>      addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it
> solid?  Can I improve it?
>
> Cheers,
>     --Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>>
>> All,
>>
>>    I am aware of the good work going on in the UASG
>> to get IDN at all levels natively supported in web-addresses and
>> email and I fully support that.
>>
>> On the other hand there is darker side of the web
>> that people want to be protected from.
>> I just read this blog about some people that may
>> actually find it better to see puny-code instead of regular IDN
>> in order to detect spam and phishing.
>>
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/ which
>> is an opposite view of what UASG is trying to achieve.
>>
>>    Does/Will the UASG have a standpoint in this
>> matter ? Is this in scope of UASG or will we rely on the
>> anti-virus industry or even registrars/registries to protect the
>> world from abuses like this ?
>>
>> Best regards,
>>
>> Ron Geens
>>
>> DNS Belgium
>>
>
> --
>     --Jim DeLaHunt, jdlh at jdlh.com     http://blog.jdlh.com/  (http://jdlh.com/)
>       multilingual websites consultant
>
>       355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>          Canada mobile +1-604-376-8953
>

--
Chaals is Charles McCathie Nevile
find more at http://yandex.com

------------------------------

Message: 3
Date: Tue, 20 Feb 2018 13:18:44 -0500
From: Andrew Sullivan <ajs at anvilwalrusden.com>
To: ua-discuss at icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <20180220181844.qamd4mz5t6fx5pgz at mx4.yitter.info>
Content-Type: text/plain; charset=us-ascii

Hi,

On Tue, Feb 20, 2018 at 12:54:40AM -0800, Jim DeLaHunt wrote:
>
>  1. The underlying problem is that the registry (here, .com) permitted
>     registration of a domain name which was confusable with another one. The
>     right place to fight this kind of phishing with confusable characters is at
>     the domain registry level.

I sort of agree with that, but I want to note some cautions.

   1.  It is not possible as a general matter to ensure that nothing
   "confusable" ever gets registered.  We have no control over the
   fonts people are using, or the visual acuity of people, or the
   context in which the label is presented.  All of those have a
   great deal to do with whether people get phished, quite apart from
   the content of the labels.

   2.  The "no-script-mixing" rules that many of us are arguing for
   are also drags on innovation, and in some locales there are good
   reasons to mix scripts.  That tension won't go away just because
   we said so.

   3.  The distinction between identifiers and branding appears to be
   almost totally lost on people, with even the Unicode Technical
   Committee, who recommend against emojis in identifiers, saying
   that they're ok in domain names (contrary to the IDNA2008
   specifications).  I don't have any idea what to do about this,
   because most people don't understand how context-free and
   locale-free identifiers could possibly work reliably.  (That
   includes me.)

   4.  There is no way to make rules for the entire DNS, because it
   is a distributed database with distributed authority.

More generally, however, the position, "Use the A-label form" is in
effect the position, "Don't use IDNA."  For the most conspicuous fact
about A-labels is that they're equivalently meaningless to everyone.
That hardly seems like a usability win.

>  3. The people for whom A-labels instead of U-labels

There is nobody for whom A-labels are useful.  A-labels are those
things that have the prefix (xn--) and a punycode-encoded string in
them.  'anvilwalrusden.com' has two labels, neither of which is an
A-label, though they're both LDH-labels.  This is covered in painful
detail in RFC 5890, so I refer the gentle reader to that.

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com

------------------------------

Message: 4
Date: Tue, 20 Feb 2018 13:23:42 -0500
From: Andrew Sullivan <ajs at anvilwalrusden.com>
To: ua-discuss at icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <20180220182342.6z75tmq4736dd4dq at mx4.yitter.info>
Content-Type: text/plain; charset=us-ascii

On Tue, Feb 20, 2018 at 10:40:31AM +0100, Chaals McCathie Nevile wrote:
>
> People who more naturally read a non-latin script - the primary
> market for non-latin script - are generally more able to read that
> accurately and less able to spot oddities in latin script or another
> script they don't read.

This is only partly relevant, because even an ASCII label can cause
trouble.  If you doubt this, and you use an Apple product, I suggest
that you try to transcribe a string in the default font in either iOS
or OSX (Keychain Access) where the string contains exactly one of
capital I, lower-case L, capital O, or the digit zero.  There are
certainly similar cases with composed Latin characters, and there are
several well-worked-over examples in Arabic script -- the latter where
characters that are all but guaranteed to use the same glyph are
nevertheless different characters.

> It is about ensuring that people can effectively notice whether
> something is a meaningful URL they were looking for, or a corrupted
> version. It is easier for most people in their own script than
> noticing a corrupted version of a punycode string.

The basic problem here is that domain names were a _lousy_ basis on
which to build security policies, but we did it.  (That sort of thing
happens all the time.  The automobile was a lousy basis around which
to do social planning, but every North American city of any size shows
that we did that, too.  We shape our tools and thereafter they shape
us.)

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com

------------------------------

Subject: Digest Footer

_______________________________________________
UA-discuss mailing list
UA-discuss at icann.org
https://mm.icann.org/mailman/listinfo/ua-discuss

------------------------------

End of UA-discuss Digest, Vol 38, Issue 11
******************************************



