Non-English Domain Names Likely Delayed
Fergie (Paul Ferguson)
fergdawg at netzero.net
Sun Jul 17 16:29:52 UTC 2005
Forwarded Message from Neil Harris <neil at tonal.clara.co.uk> ---
Fergie (Paul Ferguson) wrote:
>...sez Vint...due to the prevalence of phishing:
>
>http://www.msnbc.msn.com/id/8586332/
>
>- ferg
>
>
Paul,
I'm not registered as a poster on the Nanog list, so I thought I'd let
you know that this problem is already well under control.
After extensive analysis and discussion, the Mozilla community and Opera
have already produced a fix for this, based on only displaying Unicode
IDN labels where the registry publishes and enforces well-defined
anti-homograph policies, and displaying the Punycode equivalent
otherwise. All that is needed is a couple of lines of code in the
Punycode -> Unicode translation code in the application, and a whitelist
of TLDs. See
http://www.mozilla.org/projects/security/tld-idn-policy-list.html for
more details. This delegates the responsibility of catching homographs
to the registries, rather than trying to catch them using ad-hoc
heuristics at the browser end.
In many cases, this can be as simple as restricting labels within a TLD
to use a small set of non-confusable characters. In others, with wider
character sets, techniques such as bundling and blocking sets of
confusable labels using homograph tables can be used. RFC 3743 is a case
in point. For an excellent summary of the technical details, which is
intended to help anyone attempting to eliminate homographs from a naming
system, see the latest, much-expanded, version of Unicode TR #36, which
also links to machine-readable confusables tables.
http://www.unicode.org/reports/tr36/
Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of
European ccTLDs, .museum, and .info. Any other registrars who want to be
supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera
counterpart, and give them a pointer to their anti-spoofing rules.
You might want to summarize to the list.
-- Neil
More information about the NANOG
mailing list