<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 4/21/2017 2:50 AM, Dusan Stojicevic
      wrote:<br>
    </div>
    <blockquote cite="mid:011101d2ba84$be5708b0$3b051a10$@dukes.in.rs"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">More
            on Mozilla&gt;<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><a
              moz-do-not-send="true"
              href="https://wiki.mozilla.org/IDN_Display_Algorithm">https://wiki.mozilla.org/IDN_Display_Algorithm</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">FWIW,
            I think that this is a problem on which UASG must react
            somehow.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">@Asmus:
            this phishing issue is not new. We were speaking about it 2
            years ago. And yes, it’s starting to create a big problem.</span></p>
      </div>
    </blockquote>
    <br>
    All,<br>
    <br>
    confusables spoofing is *not* limited to cross-script homoglyphs,
    although the Latin/Cyrillic case is particularly egregious.<br>
    <br>
    This kind of defense shown below works even for non-homoglyph
    attacks, such as "gooogle" or similar typos that may be hard to spot
    with perfect reliability. More can be done in that direction,
    without making IDNs second-class URLs.<br>
    <br>
    For the cross script case, the registries could do a lot more, and
    we are definitely going to do more in the root.<br>
    <br>
    On my system I get this, when I connect to "apple.com":<br>
    <br>
    <img src="cid:part2.DCD81D26.3840A8B2@ix.netcom.com" alt=""><br>
    <br>
    and this, for the "fake" (<a class="moz-txt-link-freetext" href="https://www.аррӏе.com/">https://www.аррӏе.com/</a>)<br>
    <br>
    <img src="cid:part3.079059F4.5971DB8F@ix.netcom.com" alt=""><br>
    <br>
    Arguably, the lock should change color if there's no owner
    information present, to give a better warning than just the
    absence of an identification.<br>
    <br>
    <img src="cid:part4.19B82638.DCEE09E7@ix.netcom.com" alt=""><br>
    <br>
    <img src="cid:part5.F56F8BE8.20BD0807@ix.netcom.com" alt=""><br>
    <br>
    A./<br>
    <br>
    @Dusan: I know that this phishing issue is not new, I've known about
    that one for way longer than just two years (and for longer than
    I've been active in the IDN area).<br>
    <blockquote cite="mid:011101d2ba84$be5708b0$3b051a10$@dukes.in.rs"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"
            lang="SR-LATN-RS"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Cheers,<br>
            Dusan<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
                  style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">
                <a class="moz-txt-link-abbreviated" href="mailto:ua-discuss-bounces@icann.org">ua-discuss-bounces@icann.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:ua-discuss-bounces@icann.org">mailto:ua-discuss-bounces@icann.org</a>] <b>On Behalf Of </b>Vittorio
                Bertola<br>
                <b>Sent:</b> Friday, April 21, 2017 11:04 AM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a>; Asmus Freytag
                <a class="moz-txt-link-rfc2396E" href="mailto:asmusf@ix.netcom.com">&lt;asmusf@ix.netcom.com&gt;</a><br>
                <b>Subject:</b> Re: [UA-discuss] Re : And now about
                phishing...<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p><o:p> </o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal" style="margin-bottom:12.0pt">On 21 April
            2017 at 0:52, Asmus Freytag &lt;<a moz-do-not-send="true"
              href="mailto:asmusf@ix.netcom.com">asmusf@ix.netcom.com</a>&gt;
            wrote:<br>
            <br>
            If you think about it, the following recommendation at the
            end is anathema to "Universal acceptance":<o:p></o:p></p>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal" style="margin-bottom:12.0pt">"Zheng is
              encouraging Firefox users to limit their exposure to the
              bug by going to the browser’s <a class="moz-txt-link-freetext" href="about:config">about:config</a> settings and
              setting network.IDN_show_punycode to true. By doing this
              Firefox will always display IDN domains in its Punycode
              form, something that should make it easier to identify
              malicious domains, the researcher claims."<o:p></o:p></p>
          </blockquote>
          <p class="MsoNormal">If you do that, you implicitly assume
            that only the "non-IDN" links are "real", in other words,
            you assume an English-only environment. (When stuff is
            displayed as Punycode, you usually can't tell what domain it
            is, except you can guess for some European ones with very
            few special characters, but you can't be sure unless the
            Unicode form is at least also displayed, which I think is
            not what that config change means).<o:p></o:p></p>
        </blockquote>
        <p>Hello,<o:p></o:p></p>
        <p>excuse me if I jump into a discussion having just joined the
          list, but this issue is really troubling me for at least two
          reasons.<o:p></o:p></p>
        <p>First, many news sources are now filling up with calls and
          guides for disabling IDNs in browsers altogether, which is a
          death call for universal acceptance. It all started with this
          horrible post by Wordfence's CEO, basically equating IDNs to
          an instrument conceived for phishing:<o:p></o:p></p>
        <p><a moz-do-not-send="true"
href="https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/">https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/</a><o:p></o:p></p>
        <p>It would be really good if anyone knew him and could have a
          chat with him, maybe even convince him to help spread a
          better view of the issue.<o:p></o:p></p>
        <p>Secondly, browser makers are now reacting in opposite ways:<o:p></o:p></p>
        <p>1) Microsoft's browser (AFAIK) will enable or disable the
          display of Unicode in the URL bar depending on the operating
          system's language;<o:p></o:p></p>
        <p>2) Google's browser, with a newly released patch, will not
          display Unicode IDNs in ASCII TLDs if the IDNs are
          whole-script confusables ( <a moz-do-not-send="true"
            href="https://codereview.chromium.org/2683793010">https://codereview.chromium.org/2683793010</a>
          );<o:p></o:p></p>
        <p>3) Mozilla's browser will explicitly always display Unicode
          IDNs regardless of whether this may be used for phishing ( <a
            moz-do-not-send="true"
            href="https://wiki.mozilla.org/IDN_Display_Algorithm_FAQ">https://wiki.mozilla.org/IDN_Display_Algorithm_FAQ
          </a>and <a moz-do-not-send="true"
            href="https://bugzilla.mozilla.org/show_bug.cgi?id=1332714">https://bugzilla.mozilla.org/show_bug.cgi?id=1332714</a>
          ). However, multiple online sources are now advising people to
          use a Firefox configuration option that allows disabling the
          display of IDNs altogether.<o:p></o:p></p>
        <p>(Don't know about Apple, Opera and others.)<o:p></o:p></p>
        <p>As you see, this is going to hamper the usability of IDNs in
          URLs and, even worse, make it entirely unpredictable,
          depending on the user's browser choice.<o:p></o:p></p>
        <p>The only real solution to this is that all registries treat
          whole script confusables as variants, so that they cannot be
          registered to anyone different than the owner of the
          equivalent ASCII domain. Unicode TR-39 allows doing this
          programmatically. However, I just checked the proposed draft
          IDN guidelines that are currently undergoing public
          consultation at ICANN:<o:p></o:p></p>
        <p><a moz-do-not-send="true"
href="https://www.icann.org/en/system/files/files/draft-idn-guidelines-03mar17-en.pdf">https://www.icann.org/en/system/files/files/draft-idn-guidelines-03mar17-en.pdf</a><o:p></o:p></p>
        <p>At point 16, they say that the registry "may" do this, but
          that should really be a "must". If this does not happen, there
          will be more of these situations and the risk that all the
          Western world will then disable IDNs in URLs for good is quite
          significant. <o:p></o:p></p>
        <p>I think that this group could do several useful things:<o:p></o:p></p>
        <p>a) promote a better public understanding of the issue,
          countering the trend that "IDN URLs are for phishing";<o:p></o:p></p>
        <p>b) encourage browser makers to elaborate a common approach;<o:p></o:p></p>
        <p>c) push for ICANN and the registries to free the Internet
          from whole-script confusables.<o:p></o:p></p>
        <p>Regards,<o:p></o:p></p>
        <div>
          <p style="margin-bottom:12.0pt">-- <br>
            <br>
            <strong>Vittorio Bertola</strong><br>
            Research &amp; Innovation Engineer <o:p></o:p></p>
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
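    <p>Added example, not part of the original thread and not code from any browser or registry: a Python version of the whole-script confusable check discussed above, covering both the display rule described for Google's browser (Punycode only for whole-script confusables under an ASCII TLD) and the registry-side idea of mapping such a label to its equivalent ASCII domain. The mapping table is a small constructed sample modelled on the TR-39 confusables data, script detection via Unicode character names is an approximation, and all function names are hypothetical.</p>
<pre>
```python
import unicodedata

# Constructed sample of Cyrillic letters and the Latin letters they resemble,
# modelled on the UTS #39 (TR-39) confusables data; the real table is far larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l",
}


def to_unicode(label):
    """Lower-case a label and decode it if it is a Punycode A-label."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii(label):
    """Return the Punycode A-label form of a Unicode label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def letter_scripts(label):
    """Approximate the scripts of the letters via Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def ascii_variant(label):
    """Return the ASCII label a single-script Cyrillic label imitates, or None.

    A label qualifies only if every letter is Cyrillic and every letter has a
    Latin look-alike, i.e. it is a whole-script confusable of an ASCII label.
    """
    label = to_unicode(label)
    if label.isascii() or letter_scripts(label) != {"CYRILLIC"}:
        return None
    if not all(ch in CYRILLIC_TO_LATIN or ch.isascii() for ch in label):
        return None
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)


def display_form(domain):
    """Show Unicode unless a label under an ASCII TLD is a whole-script confusable."""
    labels = [to_unicode(part) for part in domain.split(".")]
    ascii_tld = labels[-1].isascii()
    shown = []
    for label in labels:
        spoof = ascii_tld and ascii_variant(label) is not None
        shown.append(to_ascii(label) if spoof else label)
    return ".".join(shown)


# Constructed inputs: the look-alike label quoted in the thread, and an
# ordinary Cyrillic word that has no all-Latin reading.
FAKE = "www.\u0430\u0440\u0440\u04cf\u0435.com"
GENUINE = "\u043f\u0440\u0438\u043c\u0435\u0440.com"  # "primer" = example

if __name__ == "__main__":
    for name in (FAKE, GENUINE, "apple.com"):
        print(repr(name), "shown as", display_form(name))
```
</pre>
    <p>A registry applying the variant approach would use the value returned by <code>ascii_variant</code> to bundle or block the label against the existing ASCII registration, while the genuine Cyrillic word stays displayable in Unicode.</p>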
  </body>
</html>