[UA-discuss] Another difficulty to overcome ...
A.Schappo at lboro.ac.uk
Wed Feb 21 18:01:28 UTC 2018
I would argue that such security issues pale into near insignificance compared to the ubiquitous practice of link addresses not being self evident and up front.
eg ...please click here<http://thanks.for.clicking.the.link/I/have/now/emptied/your/bank/account> for further information on ...
I consider the up front presentation of link addresses should be common practice. I describe my working practice in schappo.blogspot.co.uk/2018/01/computer-science-internationalization_7.html<http://schappo.blogspot.co.uk/2018/01/computer-science-internationalization_7.html>
My practice does not, of course, guarantee a website is safe, but if the up front presented address is different to the resultant address after clicking the link, this would help to arouse suspicion in users.
So, yes, letʼs have IDNs presented up front to users as U-labels and not A-labels and not hidden behind a link labelled, for example, here<http://thanks.for.clicking.the.link/I/have/now/emptied/your/bank/account>
On 20 Feb 2018, at 08:54, Jim DeLaHunt <jfrom.uasg at jdlh.com> wrote:
Multiple people have made the argument that having a browser show A-labels ("punycode") instead of U-labels ("regular IDN") is desirable as a way of fighting phishing.
My rebuttal has three parts:
1. The underlying problem is that the registry (here, .com) permitted registration of a domain name which was confusable with another one. The right place to fight this kind of phishing with confusable characters is at the domain registry level.
2. Even if you could magically prevent all confusable 2nd-level domain name registrations, phishing would still be a problem. Fraudsters have many tools; confusable 2nd-level names are only one of them. There are also confusable names at the 4th or 5th levels (e.g. microsoft.com.innocuous.deceptive.com), and misleading links in message bodies, and so on.
3. The people for whom A-labels instead of U-labels are a privileged set of Latin-script reading Internet users. The second billion internet users will predominantly be people who read a different script than Latin. U-labels are a requirement for them to have legible domain names for legitimate sites. A-labels mean they don't get domain names which they can read. And they deserve to be able to read their domain names and email addresses.
This is an excellent audience for me to test my rebuttal. Is it solid? Can I improve it?
—Jim DeLaHunt, Vancouver, Canada
On 2018-02-19 23:36, Ronald Geens wrote:
I am aware of the good work going on in the UASG to get IDN at all levels natively supported in web-addresses and email and I fully support that.
On the other hand there is a darker side of the web that people want to be protected from.
I just read this blog about some people that may actually find it better to see puny-code instead of regular IDN in order to detect spam and phishing.
https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/ which is an opposite view of what UASG is trying to achieve.
Does/Will the UASG have a standpoint in this matter? Is this in scope of UASG or will we rely on the anti-virus industry or even registrars/registries to protect the world from abuses like this?
--Jim DeLaHunt, jdlh at jdlh.com http://blog.jdlh.com/ (http://jdlh.com/)
multilingual websites consultant
355-1027 Davie St, Vancouver BC V6E 4L2, Canada
Canada mobile +1-604-376-8953
🌏 🌍 🌎
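The comparison discussed in this thread (the address a link shows up front versus the address it actually targets, with U-labels and A-labels of one name treated as equal) can be checked mechanically. The following is an added example, not code from any participant in the thread; the function and class names are hypothetical, the `bücher.example` link is constructed, and Python's built-in `idna` codec (IDNA 2003) is assumed to be adequate for the normalisation.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    """Hostname of an address in A-label form, or None if text is not an address."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        host = urlsplit(text).hostname
        if not host or "." not in host or " " in host:
            return None          # e.g. "here" or a sentence: no address shown
        # U-labels and A-labels of the same name normalise to the same string.
        return host.encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return None

def classify(shown, href):
    claimed, target = host_of(shown), host_of(href)
    if claimed is None:
        return "hidden"          # destination not presented up front
    # Exact host comparison: "microsoft.com" must not match a longer name
    # that merely starts with it.
    return "match" if claimed == target else "mismatch"

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = "".join(self.text).strip()
            self.findings.append((shown, self.href, classify(shown, self.href)))
            self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: two links quoted in the thread plus one made-up IDN link.
SAMPLE = ('<a href="http://thanks.for.clicking.the.link/I/have/now/emptied/your/bank/account">here</a>'
          '<a href="http://xn--bcher-kva.example/katalog">bücher.example/katalog</a>'
          '<a href="http://microsoft.com.innocuous.deceptive.com/login">microsoft.com</a>')
```

Calling `audit(SAMPLE)` returns one `(shown, href, verdict)` tuple per link, which a mail filter or content linter could use to flag "hidden" and "mismatch" links for review.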