[CPWG] Verisign

Bill Jouris b_jouris at yahoo.com
Wed Jan 8 13:53:40 UTC 2020


 Hi Roberto, 
You wrote:
What prompted me to react to this thread was the temptation to see the introduction of IDNs as evil because it could encourage criminal activities. My personal opinion is that, if we take a global view, the benefits of IDNs for users whose native languages do not use Latin script overcome by far the potential problems it raises. Secondly, that a solution to the problem of fake web sites pretending to be something else should be found acting on the browsers and not on the DNS.

I completely agree that the benefits of IDNs far outweigh their downsides.  But I also think that some fairly straightforward ways to reduce some of the downsides, while preserving the benefits, have been overlooked. 
More could probably be done with browsers.  But I'm not sure I see how ICANN can drive that.  (Especially in light of how far, a decade later, most browsers are from even implementing IDNA 2008 to replace IDNA 2003.)  I do see how we can do something about what characteristics of domain names the DNS accepts.  And the contracts with the registries are where, from what I know, we can act. 
I think you are right that, since we have wandered rather far from the original topic, we should probably take this offline now. 
Bill 
    On Wednesday, January 8, 2020, 05:35:48 AM PST, Roberto Gaetano <roberto_gaetano at hotmail.com> wrote:  
 
 Hi Bill. My comments below.


On 08.01.2020, at 01:22, Bill Jouris via CPWG <cpwg at icann.org> wrote:
Hi Roberto, 
I don't know specifically what tables of potential problems you are referring to.

Ooopss - reading again your previous message I realise that when you spoke about 6 months from publication of the tables you meant that it will be 6 months in the future, not 6 months ago. I stand corrected.


  But since I'm on the Latin Generation Panel (that is, the part of IDN working on the Latin alphabet based scripts) I do know that we haven't published our lists/tables yet. 

Indeed, see above. I know you are active in this field, if I remember correctly we had a couple of exchanges on the UA mailing lists.


As for why these particular issues are getting raised, I would note that for the most part scripts are used by one, or at most a half dozen, different languages.  The Latin script is used by over 2 hundred.  Because of the way it evolved, what that script has is 26 letters modified by a couple dozen diacritics.  Some of which are essentially indistinguishable.  By the time the various combinations are gathered, we are over 200 symbols. 

I know that, but thanks for pointing it out.


Any given language (and its users) may involve a half dozen of those diacritics.  Users have trouble identifying the others simply because they have never encountered them and don't realize that there might be something to look for.  You may be familiar with the cedilla under the letter C used in French.  But would it even occur to you to look for one under a letter M?  You may be familiar with the acute accent used over some vowels.  But if the dot over a letter I was replaced by one, would you realize it meant you had a different character? 

OK, so now I am getting a better picture. I was speaking of confusing similarity of diacritics (or chars in different scripts) with plain ASCII chars. You are raising the issue of confusing similarity between diacritics. You get another point here, because in this case solutions like the simple display of the punycode together with the visual rendering would not solve the problem (I assume that users would not distinguish between two different punycode strings).


To date, we have seen criminal activity involving a relatively small number of symbols.  (I believe there was mention in Montreal of a scam involving replacing the J in EasyJet's name with an I.)  But criminals have the same challenges other users have: they just aren't aware (yet!) of all the possibilities that await. So it may not be unreasonable to foresee a surge in problems when ICANN's handy list of variants and confusables (focused on TLDs, but work anywhere in the name) is published.

Here I start keeping my points, so we still disagree. IMHO, criminals do this as their job, so they get aware much in advance of the potential pitfalls. Although I might agree that in time more criminals could get involved in exploiting these kinds of opportunities, I would be seriously surprised in learning that many of these individuals and organizations are not already acting as “early adopters”. In short, were I Citi Bank - or a similar organization potentially under attack - I would have started already taking countermeasures - including defensive registrations - if that was our defensive strategy. My personal opinion is that we have sufficient evidence that this is not happening - at least not on a large scale. I can, however, concede that the situation might evolve and get worse in the future - but this is not really to the extent that we can use the defensive registrations as an argument against raising prices.

  I suppose we could reduce the problem by forcing users to use the actual IP address, rather than domain names.  If nothing else, people would have to pay more attention in order to make sure that they hadn't accidentally gotten the wrong address.  Of course, that loses the ease of use that domain names provide....


I assume you are using this as a straw man - if not as a joke altogether. We obviously need to figure out a solution - or at least a mitigation of the impact.
What prompted me to react to this thread was the temptation to see the introduction of IDNs as evil because it could encourage criminal activities. My personal opinion is that, if we take a global view, the benefits of IDNs for users whose native languages do not use Latin script overcome by far the potential problems it raises. Secondly, that a solution to the problem of fake web sites pretending to be something else should be found acting on the browsers and not on the DNS.
Happy to continue the discussion - but can also do that offline or in other contexts should this be of no interest to this group.
Cheers, Roberto


Bill
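
Added example, not part of the original thread: a registry-side check for the case discussed above, where labels differ only in diacritics and their punycode forms are distinct but unhelpful to a human reader. The sample labels are constructed, the function names are hypothetical, and the mark-stripping skeleton is a simplification, not ICANN's label generation rules or a full confusables table.

```python
import unicodedata
from collections import defaultdict

# Constructed sample labels: plain ASCII, i with acute, i with grave,
# m followed by a combining cedilla, and one unrelated label.
SAMPLE = ["mimosa", "m\u00edmosa", "m\u00ecmosa", "m\u0327imosa", "mimosa-shop"]

def skeleton(label):
    """Base-letter form: decompose (NFD) and drop combining marks.
    Assumption: letters with no decomposition, such as dotless i
    (U+0131), are not handled by this simplified check."""
    decomposed = unicodedata.normalize("NFD", label.casefold())
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")

def a_label(label):
    """ASCII-compatible form of a label (xn-- prefix plus punycode).
    Simplified: no IDNA validity checks are applied."""
    nfc = unicodedata.normalize("NFC", label.casefold())
    if nfc.isascii():
        return nfc
    return "xn--" + nfc.encode("punycode").decode("ascii")

def collisions(labels):
    """Group labels that share a skeleton; keep groups of two or more."""
    groups = defaultdict(list)
    for label in labels:
        groups[skeleton(label)].append(label)
    return {k: v for k, v in groups.items() if len(v) > 1}

def differ_only_in_marks(a, b):
    """True when two labels are distinct on the wire but share base letters."""
    return a_label(a) != a_label(b) and skeleton(a) == skeleton(b)

if __name__ == "__main__":
    for base, variants in collisions(SAMPLE).items():
        print("skeleton:", base)
        for v in variants:
            # Each variant has its own A-label, so the DNS treats them as
            # unrelated names even though they render almost identically.
            print("   ", v, "->", a_label(v))
```

A registry could run such a grouping at registration time and hold a new label for review when its skeleton matches an existing registration.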



  