<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle24
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">I think this is the important point:<o:p></o:p></span></p>
<p style="margin-left:1.0in"><i>The only real solution to this is that all registries treat whole script confusables as variants, so that they cannot be registered to anyone different than the owner of the equivalent ASCII domain. Unicode TR-39 allows to do
 this programmatically. However, I just checked the proposed draft IDN guidelines that are currently undergoing public consultation at ICANN:<o:p></o:p></i></p>
<p style="margin-left:1.0in"><i><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fen%2Fsystem%2Ffiles%2Ffiles%2Fdraft-idn-guidelines-03mar17-en.pdf&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636284079405801232&amp;sdata=LbJAWO9c3%2FDXm4G0D7HSDkcfOL9%2B9CkAETh0SvIC4m0%3D&amp;reserved=0">https://www.icann.org/en/system/files/files/draft-idn-guidelines-03mar17-en.pdf</a><o:p></o:p></i></p>
<p style="margin-left:1.0in"><i>At point 16, they say that the registry &quot;may&quot; do this, but that should really be a &quot;must&quot;. If this does not happen, there will be more of these situations and the risk that all the Western world will then disable IDNs in URLs
 for good is quite significant. <o:p></o:p></i></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">And ICANN must be hardcore about compliance and enforcement.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext"><o:p>&nbsp;</o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext"> ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org]
<b>On Behalf Of </b>Dusan Stojicevic<br>
<b>Sent:</b> Friday, April 21, 2017 2:45 PM<br>
<b>To:</b> 'Asmus Freytag' &lt;asmusf@ix.netcom.com&gt;; ua-discuss@icann.org<br>
<b>Subject:</b> Re: [UA-discuss] Re : And now about phishing...<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Hi Asmus,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">If I understood correctly, it’s a good approach, but it’s definitely not the one for average user.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">First of all, average user have a problem to see the difference between http and https. Average owner of domain name usually don’t know what SSL is.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">I agree with you that this suggestion is better than make IDNs second-class URLs, but in my opinion, it’s not for average user.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">And in this case, you just assume that “fake websites” must have certificate?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">And yes, I admit, I don’t know how to solve this…
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Dusan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">
<a href="mailto:ua-discuss-bounces@icann.org">ua-discuss-bounces@icann.org</a> [<a href="mailto:ua-discuss-bounces@icann.org">mailto:ua-discuss-bounces@icann.org</a>]
<b>On Behalf Of </b>Asmus Freytag<br>
<b>Sent:</b> Friday, April 21, 2017 7:05 PM<br>
<b>To:</b> <a href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a><br>
<b>Subject:</b> Re: [UA-discuss] Re : And now about phishing...<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class="MsoNormal">On 4/21/2017 2:50 AM, Dusan Stojicevic wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">More on Mozilla&gt;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.mozilla.org%2FIDN_Display_Algorithm&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405791224&amp;sdata=Z1BQM7OQMkHf%2BechLA3lN5vrfS8GBJMyvOEqwGZYS2o%3D&amp;reserved=0">https://wiki.mozilla.org/IDN_Display_Algorithm</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">FWIW, I think that this is a problem on which UASG must react somehow.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">@Asmus: this phishing issue is not new. We were speaking about it 2 years ago. And yes, it’s starting to create a big problem.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
All,<br>
<br>
confusables spoofing is *not* limited to cross-script homoglyphs, although the Latin/Cyrillic case is particularly egregious.<br>
<br>
This kind of defense shown below works even for non-homoglyph attacks, such as &quot;gooogle&quot; or similar typos that may be hard to spot with perfect reliability. More can be done in that direction, without making IDNs second-class URLs.<br>
<br>
For the cross script case, the registries could do a lot more, and we are definitely going to do more in the root.<br>
<br>
On my system I get this, when I connect to &quot;apple.com&quot;:<br>
<br>
<img border="0" width="326" height="59" style="width:3.3958in;height:.6145in" id="_x0000_i1025" src="cid:image001.png@01D2BAB5.703FEC10"><br>
<br>
and this, for the &quot;fake&quot; (<a href="https://na01.safelinks.protection.outlook.com/?url=https:%2F%2Fwww.%D0%B0%D1%80%D1%80%D3%8F%D0%B5.com%2F&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405791224&amp;sdata=4QYG2FdWpBAEPq8%2FN01y4vLdZsHOhUm9WV24TGGtcrw%3D&amp;reserved=0">https://www.аррӏе.com/</a>)<br>
<br>
<img border="0" width="239" height="49" style="width:2.4895in;height:.5104in" id="_x0000_i1026" src="cid:image002.png@01D2BAB5.703FEC10"><br>
<br>
Arguably, the lock should change color if there's no owner information<br>
present, to give a better warning than just the absence of an identification.<br>
<br>
<img border="0" width="395" height="421" style="width:4.1145in;height:4.3854in" id="_x0000_i1027" src="cid:image003.png@01D2BAB5.703FEC10"><br>
<br>
<img border="0" width="395" height="421" style="width:4.1145in;height:4.3854in" id="_x0000_i1028" src="cid:image004.png@01D2BAB5.703FEC10"><br>
<br>
A./<br>
<br>
@Dusan: I know that this phishing issue is not new, I've known about that one for way longer than just two years (and for longer than I've been active in the IDN area).<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Cheers,<br>
Dusan</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">
<a href="mailto:ua-discuss-bounces@icann.org">ua-discuss-bounces@icann.org</a> [<a href="mailto:ua-discuss-bounces@icann.org">mailto:ua-discuss-bounces@icann.org</a>]
<b>On Behalf Of </b>Vittorio Bertola<br>
<b>Sent:</b> Friday, April 21, 2017 11:04 AM<br>
<b>To:</b> <a href="mailto:ua-discuss@icann.org">ua-discuss@icann.org</a>; Asmus Freytag
<a href="mailto:asmusf@ix.netcom.com">&lt;asmusf@ix.netcom.com&gt;</a><br>
<b>Subject:</b> Re: [UA-discuss] Re : And now about phishing...</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Il 21 aprile 2017 alle 0.52 Asmus Freytag &lt;<a href="mailto:asmusf@ix.netcom.com">asmusf@ix.netcom.com</a>&gt; ha scritto:<br>
<br>
If you think about it, the following recommendation at the end is anathema to &quot;Universal acceptance&quot;:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">&quot;Zheng is encouraging Firefox users to limit their exposure to the bug by going to the browser’s
<a href="about:config">about:config</a> settings and setting network.IDN_show_punycode to true. By doing this Firefox will always display IDN domains in its Punycode form, something that should make it easier to identify malicious domains, the researcher claims.&quot;<o:p></o:p></p>
</blockquote>
<p class="MsoNormal">If you do that, you implicitly assume that only the &quot;non-IDN&quot; links are &quot;real&quot;, in other words, you assume an English-only environment. (When stuff is displayed as punicode, you usually can't tell what domain it is, except you can guess
 for some European ones with very few special characters, but you can't be sure unless the Unicode form is at least also displayed, which I think is not what that config change means).<o:p></o:p></p>
</blockquote>
<p>Hello,<o:p></o:p></p>
<p>excuse me if I jump into a discussion having just joined the list, but this issue is really troubling me for at least two reasons.<o:p></o:p></p>
<p>First, many news sources are now filling up with calls and guides for disabling IDNs in browsers altogether, which is a death call for universal acceptance. It all started with this horrible post by Wordfence's CEO, basically equating IDNs to an instrument
 conceived for phishing:<o:p></o:p></p>
<p><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.wordfence.com%2Fblog%2F2017%2F04%2Fchrome-firefox-unicode-phishing%2F&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=FnZprYS3G1Nh19xrUt4gtcDD%2FdPyEnKiQ0ENVgTpwyA%3D&amp;reserved=0">https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/</a><o:p></o:p></p>
<p>It would be really good if anyone knew him and could have a chat with him, maybe even convince him to help spreading a better view of the issue.<o:p></o:p></p>
<p>Secondly, browser makers are now reacting in opposite ways:<o:p></o:p></p>
<p>1) Microsoft's browser (AFAIK) will enable or disable the display of Unicode in the URL bar depending on the operating system's language;<o:p></o:p></p>
<p>2) Google's browser, with a newly released patch, will not display Unicode IDNs in ASCII TLDs if the IDNs are whole-script confusables (
<a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcodereview.chromium.org%2F2683793010&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=i79xxo2F1DHOzade7wHq%2FgHGUmtKminFCJJtcHWgBKo%3D&amp;reserved=0">
https://codereview.chromium.org/2683793010</a> );<o:p></o:p></p>
<p>3) Mozilla's browser will explicitly always display Unicode IDNs regardless of whether this may be used for phishing (
<a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.mozilla.org%2FIDN_Display_Algorithm_FAQ&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=GJthMT%2BE%2FIz8YxLh%2FCTHZw%2FR02MIw%2BDsGW0PO0LBt%2BQ%3D&amp;reserved=0">
https://wiki.mozilla.org/IDN_Display_Algorithm_FAQ </a>and <a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1332714&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=IxHIcUwQS9ukIOmKEV%2FZBjnlKguK1Ozbgp8yx4KBkKs%3D&amp;reserved=0">
https://bugzilla.mozilla.org/show_bug.cgi?id=1332714</a> ). However, multiple online sources are now advising people to use a Firefox configuration option that allows to disable the display of IDNs altogether.<o:p></o:p></p>
<p>(Don't know about Apple, Opera and others.)<o:p></o:p></p>
<p>As you see, this is going to hamper the usability of IDNs in URLs and, even worse, make it entirely unpredictable, depending on the user's browser choice.<o:p></o:p></p>
<p>The only real solution to this is that all registries treat whole script confusables as variants, so that they cannot be registered to anyone different than the owner of the equivalent ASCII domain. Unicode TR-39 allows to do this programmatically. However,
 I just checked the proposed draft IDN guidelines that are currently undergoing public consultation at ICANN:<o:p></o:p></p>
<p><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fen%2Fsystem%2Ffiles%2Ffiles%2Fdraft-idn-guidelines-03mar17-en.pdf&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636284079405801232&amp;sdata=LbJAWO9c3%2FDXm4G0D7HSDkcfOL9%2B9CkAETh0SvIC4m0%3D&amp;reserved=0">https://www.icann.org/en/system/files/files/draft-idn-guidelines-03mar17-en.pdf</a><o:p></o:p></p>
<p>At point 16, they say that the registry &quot;may&quot; do this, but that should really be a &quot;must&quot;. If this does not happen, there will be more of these situations and the risk that all the Western world will then disable IDNs in URLs for good is quite significant.
<o:p></o:p></p>
<p>I think that this group could do several useful things:<o:p></o:p></p>
<p>a) promote a better public understanding of the issue, countering the trend that &quot;IDN URLs are for phishing&quot;;<o:p></o:p></p>
<p>b) encourage browser makers to elaborate a common approach;<o:p></o:p></p>
<p>c) push for ICANN and the registries to free the Internet from whole-script confusables.<o:p></o:p></p>
<p>Regards,<o:p></o:p></p>
<div>
<p style="margin-bottom:12.0pt">-- <br>
<br>
<strong>Vittorio Bertola</strong><br>
Research &amp; Innovation Engineer <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td width="120" style="width:1.25in;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">Cell:</span><o:p></o:p></p>
</td>
<td style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">&#43;39 348 7015022</span><o:p></o:p></p>
</td>
</tr>
<tr>
<td width="120" style="width:1.25in;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">Skype:</span><o:p></o:p></p>
</td>
<td style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif"><a href="mailto:in-skype-ox@bertola.eu">in-skype-ox@bertola.eu</a></span><o:p></o:p></p>
</td>
</tr>
<tr>
<td width="100" style="width:75.0pt;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">Email:</span><o:p></o:p></p>
</td>
<td style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif"><a href="mailto:vittorio.bertola@open-xchange.com">vittorio.bertola@open-xchange.com</a></span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td colspan="2" style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">&nbsp;</span><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">Twitter:
<a href="https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2Fopenexchange&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=KGZpGEaC33pgtfouwAGgMgx9bhFGWuIdDmsVtZRaul8%3D&amp;reserved=0">
@openexchange</a> - Facebook: <a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FOpenXchange&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405801232&amp;sdata=CQ1hv%2BP8Qj%2Fig5t0RdkU0KismQ6KYd9pEZr82u5orKE%3D&amp;reserved=0">
OpenXchange</a> - Web: <a href="https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.open-xchange.com&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405811240&amp;sdata=%2FViikYhPLzXrbrPIqiem7iNJwDpqqFwkHr59SeDE79w%3D&amp;reserved=0">
www.open-xchange.com</a></span><o:p></o:p></p>
</td>
</tr>
<tr>
<td width="200" style="width:150.0pt;border:solid black 1.0pt;border-left:none;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal" align="center" style="text-align:center"><img border="0" width="190" height="40" style="width:1.9791in;height:.4166in" id="_x0035_be0f06900124bc5ac3f7591a0d1911f" src="cid:image005.png@01D2BAB5.703FEC10"><o:p></o:p></p>
</td>
<td style="border-top:solid black 1.0pt;border-left:none;border-bottom:solid black 1.0pt;border-right:none;padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738<br>
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Uwe Reumuth <br>
Chairman of the Board: Richard Seibt<br>
<br>
European Office: <br>
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
<br>
Managing Directors: Frank Hoberg, Martin Kauss<br>
<br>
US Office: <br>
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA </span><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif">&nbsp;</span><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:#CCCCCC">Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged.
 If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please
 notify the sender immediately by return e-mail, and delete this message and any attachments from your system.</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
</div>
<div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<table class="MsoNormalTable" border="1" cellpadding="0" style="border:none;border-top:solid #D3D4DE 1.0pt">
<tbody>
<tr>
<td width="55" style="width:41.25pt;border:none;padding:9.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.avast.com%2Fsig-email%3Futm_medium%3Demail%26utm_source%3Dlink%26utm_campaign%3Dsig-email%26utm_content%3Demailclient%26utm_term%3Dicon&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405811240&amp;sdata=mlmQBWEzGUFui5ymevhhgPIcbSN8oTk4Z78bK05n1CE%3D&amp;reserved=0" target="_blank"><span style="text-decoration:none"><img border="0" width="46" height="29" style="width:.4791in;height:.302in" id="_x0000_i1030" src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif"></span></a><o:p></o:p></p>
</td>
<td width="470" style="width:352.5pt;border:none;padding:9.0pt .75pt .75pt .75pt">
<p class="MsoNormal" style="line-height:13.5pt"><span style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#41424E">Virus-free.
<a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.avast.com%2Fsig-email%3Futm_medium%3Demail%26utm_source%3Dlink%26utm_campaign%3Dsig-email%26utm_content%3Demailclient%26utm_term%3Dlink&amp;data=02%7C01%7Cmarksv%40microsoft.com%7C5de6ad1e3bb445cc53f608d488ffbe89%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284079405811240&amp;sdata=KOV%2BEUAiK%2BoHQGCmBN%2BOVsbzYna%2BlGUwTbLVCEbDhWU%3D&amp;reserved=0" target="_blank">
<span style="color:#4453EA">www.avast.com</span></a> <o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</blockquote>
<p><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>