<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 4/19/2017 6:11 AM, Tan Tanaka,
Dennis via UA-discuss wrote:<br>
</div>
<blockquote
cite="mid:181383D2-316A-4EDE-A8F5-5E6D870E274D@verisign.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"American Typewriter";
panose-1:2 9 6 4 2 0 4 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">The thing with
homoglyphs is that it depends on the choice of font type and
size. That’s why it is hard to define the set. For example,
in certain font types lower case L ‘</span><span
style="font-size:11.0pt;font-family:"American
Typewriter"">l</span><span
style="font-size:11.0pt;font-family:Calibri">’ and number
one ‘</span><span
style="font-size:11.0pt;font-family:"American
Typewriter"">1</span><span
style="font-size:11.0pt;font-family:Calibri">’ (both ASCII)
look almost identical.
</span></p>
</div>
</blockquote>
<br>
For this reason, I like to distinguish between true homoglyphs
(identical or near identical appearance by design or across the
range of typical UI fonts) on the one hand, and 'merely' similar
code points on the other. <br>
<br>
In its most general incarnation, similarity can be accidental. For
example "rn" and "m" are harder to distinguish that one might think.
This general issue needs to be addressed, but it involves a lot of
subjectivity. It also involves cases where of three similar items,
one pair may appear distinct, while two other pairs are not. (For a
true homograph, the homograph relation should be transitive).<br>
<br>
<blockquote
cite="mid:181383D2-316A-4EDE-A8F5-5E6D870E274D@verisign.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">To deal with
cases of cross-script homoglyphs, the ICANN IDN guidelines
have a requirement to prohibited such registrations (i.e.
mixing Cyrillic with Latin in a single label) except for in
cases of established orthographies, such as Japanese (i.e.
Japanese uses three different scripts: Han, Hiragana and
Katakana).</span></p>
</div>
</blockquote>
<br>
The prohibition on script mixing in a single label is useful for a
number of cases, but doesn't cover anywhere near the full scope of
the problem.<br>
<br>
Many scripts have an "o". Disallowing script mixing makes sure that
one cannot spoof a label containing an "o", by substituting an "o"
from another script. So far, so good.<br>
<br>
However, the labels "ooo", "oooo" and so on are not protected.
Writing the whole label in the other script makes it 'legal', but it
can still be used for spoofing.<br>
<br>
When this only affects a handful of labels (how many strings
consisting entirely of "o" will be registered?) the benefit of a
general solution is likewise limited. The problem is those scripts
that more than one code point like that. E.g. "p", "e", "s" etc.
exist in equivalent shapes in both Latin and Cyrillic. Many more
labels are thus subject to a whole-label homograph attack, and the
prohibition against script mixing doesn't help.<br>
<br>
A more robust approach is to make cross-script homoglyphs blocked
variants of each other. This ensures that look-alike strings become
mutually exclusive: only one can be delegated. (Note, by the way,
that the reduction of available labels is not as big as it might
appear: most labels would contain at least one script-unique letter,
making it secure from a homograph attack like that).<br>
<br>
For a discussion of variants, read:
<a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/">https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/</a><br>
<br>
A./<br>
<br>
<blockquote
cite="mid:181383D2-316A-4EDE-A8F5-5E6D870E274D@verisign.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">-Dennis<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black"><a class="moz-txt-link-rfc2396E" href="mailto:ua-discuss-bounces@icann.org"><ua-discuss-bounces@icann.org></a>
on behalf of deepak <a class="moz-txt-link-rfc2396E" href="mailto:deepak.singhal@dil.in"><deepak.singhal@dil.in></a><br>
<b>Date: </b>Wednesday, April 19, 2017 at 1:33 AM<br>
<b>To: </b>Dusan Stojicevic <a class="moz-txt-link-rfc2396E" href="mailto:dusan@dukes.in.rs"><dusan@dukes.in.rs></a>,
<a class="moz-txt-link-rfc2396E" href="mailto:UA-discuss@icann.org">"UA-discuss@icann.org"</a> <a class="moz-txt-link-rfc2396E" href="mailto:ua-discuss@icann.org"><ua-discuss@icann.org></a><br>
<b>Subject: </b>[EXTERNAL] [UA-discuss] Re : And now
about phishing...<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hi,<br>
<br>
<br>
These are homoglyph character <a class="moz-txt-link-freetext" href="http://homoglyphs.net/">http://homoglyphs.net/</a>
which can be use in phishing ..<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Regards<br>
Deepak Singhal<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div id="mySignature">
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><strong>From:</strong>
"Dusan Stojicevic" <a class="moz-txt-link-rfc2396E" href="mailto:dusan@dukes.in.rs"><dusan@dukes.in.rs></a> <span
style="font-size:7.5pt;font-family:Verdana">MailId :
[68261406]</span><br>
<strong>To:</strong> "ua-discuss" <a class="moz-txt-link-rfc2396E" href="mailto:UA-discuss@icann.org"><UA-discuss@icann.org></a><br>
<strong>Subject: </strong>[UA-discuss] And now about
phishing...<br>
<strong>Date:</strong> 19 Apr 2017 12:24:34 AM <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Interesting
and possible><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
moz-do-not-send="true"
href="https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/">https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/</a><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Cheers,<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Dusan<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="width:41.25pt;padding:9.75pt .75pt .75pt .75pt"
width="55">
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon"
target="_blank"><span style="border:solid windowtext
1.0pt;padding:0in;text-decoration:none"><img
moz-do-not-send="true" id="_x0000_i1026"
src="cid:Word%20Work%20File%20D.jpg" alt="mage
removed by sender." height="29" border="0"
width="46"></span></a><o:p></o:p></p>
</td>
<td style="width:352.5pt;padding:9.0pt .75pt .75pt .75pt"
width="470">
<p class="MsoNormal" style="line-height:13.5pt"><span
style="font-size:10.0pt;font-family:Arial;color:#41424E">Virus-free.
<a moz-do-not-send="true"
href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link"
target="_blank">
<span style="color:#4453EA">www.avast.com</span></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><br>
<span style="font-size:7.5pt;font-family:Arial;color:white">Do
not Remove:<br>
[HID]20170419002433157[-HID]</span> <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<span
style="font-size:7.5pt;font-family:Verdana;color:white">[XGENFOOTER]</span><br>
<br>
<span
style="font-size:7.5pt;font-family:Verdana;color:white">[-XGENFOOTER]</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<p><br>
</p>
</body>
</html>