<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 4/20/2017 3:24 PM, Dusan Stojicevic
wrote:<br>
</div>
<blockquote cite="mid:004a01d2ba24$e82d7d50$b88877f0$@dukes.in.rs"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">More
on the issue… any comments? Someone from Google here?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><a
moz-do-not-send="true"
href="https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/">https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/</a></span></p>
</div>
</blockquote>
<br>
If you think about it, the following recommendation at the end is
anathema to "Universal acceptance":<br>
<br>
<blockquote>"Zheng is encouraging Firefox users to limit their
exposure to the bug by going to the browser’s <a class="moz-txt-link-freetext" href="about:config">about:config</a>
settings and setting network.IDN_show_punycode to true. By doing
this Firefox will always display IDN domains in its Punycode form,
something that should make it easier to identify malicious
domains, the researcher claims."<br>
<br>
</blockquote>
If you do that, you implicitly assume that only the "non-IDN" links
are "real", in other words, you assume an English-only environment.
(When stuff is displayed as Punycode, you usually can't tell what
domain it is, except you can guess for some European ones with very
few special characters, but you can't be sure unless the Unicode
form is at least also displayed, which I think is not what that
config change means).<br>
<br>
A./<br>
<blockquote cite="mid:004a01d2ba24$e82d7d50$b88877f0$@dukes.in.rs"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Dusan<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">
<a class="moz-txt-link-abbreviated" href="mailto:ua-discuss-bounces@icann.org">ua-discuss-bounces@icann.org</a>
[<a class="moz-txt-link-freetext" href="mailto:ua-discuss-bounces@icann.org">mailto:ua-discuss-bounces@icann.org</a>] <b>On Behalf Of </b>Richard
Merdinger<br>
<b>Sent:</b> Wednesday, April 19, 2017 11:15 PM<br>
<b>To:</b> Asmus Freytag <a class="moz-txt-link-rfc2396E" href="mailto:asmusf@ix.netcom.com">&lt;asmusf@ix.netcom.com&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a><br>
<b>Subject:</b> Re: [UA-discuss] Re : And now about
phishing...<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">Thank
you for the thoughtful reply, Asmus.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">--Rich<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">Richard
Merdinger<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">VP,
Domains - GoDaddy <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:black">From:
</span></b><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:black">&lt;<a
moz-do-not-send="true"
href="mailto:ua-discuss-bounces@icann.org">ua-discuss-bounces@icann.org</a>&gt;
on behalf of Asmus Freytag &lt;<a moz-do-not-send="true"
href="mailto:asmusf@ix.netcom.com">asmusf@ix.netcom.com</a>&gt;<br>
<b>Date: </b>Wednesday, April 19, 2017 at 3:44 PM<br>
<b>To: </b>"<a moz-do-not-send="true"
href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a>"
&lt;<a moz-do-not-send="true"
href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a>&gt;<br>
<b>Subject: </b>Re: [UA-discuss] Re : And now about
phishing...<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">On 4/19/2017
6:11 AM, Tan Tanaka, Dennis via UA-discuss wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">The
thing with homoglyphs is that it depends on the choice of
font type and size. That’s why it is hard to define the
set. For example, in certain font types lower case L ‘</span><span
style="font-size:11.0pt;font-family:&quot;American Typewriter&quot;">l</span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">’
and number one ‘</span><span
style="font-size:11.0pt;font-family:&quot;American Typewriter&quot;">1</span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">’
(both ASCII) look almost identical. </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt"><br>
For this reason, I like to distinguish between true homoglyphs
(identical or near identical appearance by design or across
the range of typical UI fonts) on the one hand, and 'merely'
similar code points on the other. <br>
<br>
In its most general incarnation, similarity can be accidental.
For example "rn" and "m" are harder to distinguish than one
might think. This general issue needs to be addressed, but it
involves a lot of subjectivity. It also involves cases where
of three similar items, one pair may appear distinct, while
two other pairs are not. (For a true homograph, the homograph
relation should be transitive).<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">To
deal with cases of cross-script homoglyphs, the ICANN IDN
guidelines have a requirement to prohibit such
registrations (i.e. mixing Cyrillic with Latin in a single
label) except for in cases of established orthographies,
such as Japanese (i.e. Japanese uses three different
scripts: Han, Hiragana and Katakana).</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt"><br>
The prohibition on script mixing in a single label is useful
for a number of cases, but doesn't cover anywhere near the
full scope of the problem.<br>
<br>
Many scripts have an "o". Disallowing script mixing makes sure
that one cannot spoof a label containing an "o", by
substituting an "o" from another script. So far, so good.<br>
<br>
However, the labels "ooo", "oooo" and so on are not protected.
Writing the whole label in the other script makes it 'legal',
but it can still be used for spoofing.<br>
<br>
When this only affects a handful of labels (how many strings
consisting entirely of "o" will be registered?) the benefit of
a general solution is likewise limited. The problem is those
scripts that have more than one code point like that. E.g. "p",
"e", "s" etc. exist in equivalent shapes in both Latin and
Cyrillic. Many more labels are thus subject to a whole-label
homograph attack, and the prohibition against script mixing
doesn't help.<br>
<br>
A more robust approach is to make cross-script homoglyphs
blocked variants of each other. This ensures that look-alike
strings become mutually exclusive: only one can be delegated.
(Note, by the way, that the reduction of available labels is
not as big as it might appear: most labels would contain at
least one script-unique letter, making it secure from a
homograph attack like that).<br>
<br>
For a discussion of variants, read: <a moz-do-not-send="true"
href="https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/">https://datatracker.ietf.org/doc/draft-freytag-lager-variant-rules/</a><br>
<br>
A./<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">-Dennis</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:black">From:
</span></b><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:black"><a
moz-do-not-send="true"
href="mailto:ua-discuss-bounces@icann.org">&lt;ua-discuss-bounces@icann.org&gt;</a>
on behalf of deepak <a moz-do-not-send="true"
href="mailto:deepak.singhal@dil.in">&lt;deepak.singhal@dil.in&gt;</a><br>
<b>Date: </b>Wednesday, April 19, 2017 at 1:33 AM<br>
<b>To: </b>Dusan Stojicevic <a moz-do-not-send="true"
href="mailto:dusan@dukes.in.rs">&lt;dusan@dukes.in.rs&gt;</a>,
<a moz-do-not-send="true"
href="mailto:UA-discuss@icann.org">"UA-discuss@icann.org"</a>
<a moz-do-not-send="true"
href="mailto:ua-discuss@icann.org">&lt;ua-discuss@icann.org&gt;</a><br>
<b>Subject: </b>[EXTERNAL] [UA-discuss] Re : And now
about phishing...</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">Hi,<br>
<br>
<br>
These are homoglyph characters <a
moz-do-not-send="true" href="http://homoglyphs.net/">http://homoglyphs.net/</a>
which can be used in phishing.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">Regards<br>
Deepak Singhal<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div id="mySignature">
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
<div style="margin-left:36.0pt">
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%"></div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt"><strong>From:</strong>
"Dusan Stojicevic" <a moz-do-not-send="true"
href="mailto:dusan@dukes.in.rs">&lt;dusan@dukes.in.rs&gt;</a> <span
style="font-size:7.5pt;font-family:&quot;Verdana&quot;,sans-serif">MailId
: [68261406]</span><br>
<strong>To:</strong> "ua-discuss" <a moz-do-not-send="true"
href="mailto:UA-discuss@icann.org">&lt;UA-discuss@icann.org&gt;</a><br>
<strong>Subject: </strong>[UA-discuss] And now about
phishing...<br>
<strong>Date:</strong> 19 Apr 2017 12:24:34 AM <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt">Interesting
and possible><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt"><a
moz-do-not-send="true"
href="https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/">https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/</a><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt">Cheers,<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt">Dusan<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</blockquote>
<p style="margin-left:36.0pt"><o:p> </o:p></p>
</div>
</blockquote>
<p><br>
</p>
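<p>Added example, not part of the original thread: the quoted 4/19 reply argues that a script-mixing rule stops a single substituted letter but not a label written entirely in the other script, and that treating cross-script homoglyphs as blocked variants makes such look-alikes mutually exclusive. The Python below shows both checks side by side; the variant table, the <code>Registry</code> class, the sample labels and the name-based script detection are all assumptions made for illustration.</p>

```python
import unicodedata

# Constructed, deliberately tiny variant table (assumption, not a real registry's
# table): Cyrillic code point -> Latin homoglyph used as the canonical form.
HOMOGLYPH_VARIANTS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

def scripts(label):
    """Scripts of the letters in a label. Heuristic: the first word of the
    Unicode character name (Python's stdlib has no Script property)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def passes_script_mixing_rule(label):
    """The 'no script mixing within a label' rule on its own."""
    return len(scripts(label)) <= 1

def variant_key(label):
    """Map each code point to its canonical variant; look-alike labels share a key."""
    return "".join(HOMOGLYPH_VARIANTS.get(ch, ch) for ch in label)

class Registry:
    """Hypothetical registry that treats cross-script homoglyphs as blocked variants."""
    def __init__(self):
        self.delegated = {}  # variant key -> the one label delegated for it

    def register(self, label):
        if not passes_script_mixing_rule(label):
            return "rejected: mixed scripts"
        key = variant_key(label)
        if key in self.delegated:
            return "blocked: variant of delegated label"
        self.delegated[key] = label
        return "delegated"

# Constructed sample labels.
LATIN = "pose"
MIXED = "p\u043ese"                          # Latin label with one Cyrillic o
WHOLE_CYRILLIC = "\u0440\u043e\u0455\u0435"  # every letter Cyrillic, renders like "pose"
SCRIPT_UNIQUE = "\u0440\u043e\u0436\u0435"   # contains ZHE, which is not in the variant table

def demo():
    """Register the four labels in order; return (escaped label, outcome) pairs."""
    registry = Registry()
    return [(label.encode("unicode_escape").decode(), registry.register(label))
            for label in (LATIN, MIXED, WHOLE_CYRILLIC, SCRIPT_UNIQUE)]

if __name__ == "__main__":
    for escaped, outcome in demo():
        print(f"{escaped:28} {outcome}")
```

<p>The whole-Cyrillic label passes the script-mixing rule and is stopped only by the variant key; the label with a script-unique letter is still delegated.</p>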
</body>
</html>