<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Multiple people have made the argument that having a browser show
A-labels ("punycode") instead of U-labels ("regular IDN") is
desirable as a way of fighting phishing.</p>
<p>My rebuttal has three parts:</p>
<ol>
<li>The underlying problem is that the registry (here, .com)
permitted registration of a domain name which was confusable
with another one. The right place to fight this kind of phishing
with confusable characters is at the domain registry level.</li>
<li>Even if you could magically prevent all confusable 2nd-level
domain name registrations, phishing would still be a problem.
Fraudsters have many tools, confusable 2nd-level names is only
one of them. There are also confusable names at the 4th or 5th
levels (e.g. microsoft.com.innocuous.deceptive.com), and
misleading links in message bodies, and so on.<br>
</li>
<li>The people for whom A-labels instead of U-labels are a
privileged set of latin-script reading Internet users. The
second billion internet users will predominantly be people who
read a different script than latin. U-labels are a requirement
for them to have legible domain names for legitimate sites.
A-labels mean they don't get domain names which they can read.
And they deserve to be able to read their domain names and email
addresses.<br>
</li>
</ol>
<p>This is an excellent audience for me to test my rebuttal. Is it
solid? Can I improve it? </p>
<p>Cheers,<br>
—Jim DeLaHunt, Vancouver, Canada<br>
</p>
<div class="moz-cite-prefix">On 2018-02-19 23:36, Ronald Geens
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2441912C-9F34-41CD-9316-F69284513CD6@dnsbelgium.be">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
All,
<div class=""><br class="">
</div>
<div class=""> I am aware of the good work going on in the UASG
to get IDN at all levels natively supported in web-adresses and
email and I fully support that. </div>
<div class=""><br class="">
</div>
<div class="">On the other hand there is darker side of the web
that people want to be protected from. </div>
<div class="">I just read this blog about some people that may
actually find it better to see puny-code in stead of regular IDN
in order to detect spam and phishing.</div>
<div class=""><a
href="https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/"
class="" moz-do-not-send="true">https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/</a> which
is an opposite view of what UASG is trying to achieve.</div>
<div class=""><br class="">
</div>
<div class=""> Does/Will the UASG have a standpoint in this
matter ? Is this in scope of UASG or will we rely on the
anti-virus industry or even registrars/registries to protect the
world from abuses like this ?</div>
<div class=""><br class="">
</div>
<div class="">Best regards,</div>
<div class=""><br class="">
</div>
<div class="">Ron Geens</div>
<div class="">DNS Belgium</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
--Jim DeLaHunt, <a class="moz-txt-link-abbreviated" href="mailto:jdlh@jdlh.com">jdlh@jdlh.com</a> <a class="moz-txt-link-freetext" href="http://blog.jdlh.com/">http://blog.jdlh.com/</a> (<a class="moz-txt-link-freetext" href="http://jdlh.com/">http://jdlh.com/</a>)
multilingual websites consultant
355-1027 Davie St, Vancouver BC V6E 4L2, Canada
Canada mobile +1-604-376-8953
</pre>
</body>
</html>