Non-English Domain Names Likely Delayed
Neil Harris
neil at tonal.clara.co.uk
Mon Jul 18 14:22:56 UTC 2005
Brandon Butterworth wrote:
>>>Already, some 21 TLDs are whitelisted, including .cn, .tw, a number
>>>of European ccTLDs, .museum, and .info. Any other registrars who
>>>want to be supported can simply E-mail Gerv at the Mozilla
>>>Foundation, or his Opera counterpart, and give them a pointer to
>>>their anti-spoofing rules.
>>>
>>>
>
>I don't think it's a good idea to introduce a system with a known
>vulnerability and try and work around it by having some people agree
>they'll police the exploit. No doubt the people protecting us
>will be tempted to exploit it themselves by trying to sell
>the spoofs to the spoofed domain owner as essential international
>branding (.mobi, yeah. .com is shorter and people should learn
>about content negotiation to present suitable content to mobiles,
>no need to buy your domains all over again)
>
>If this goes ahead the browser needs a default on button for
>"please don't expose me to this spoofing attack"
>
>brandon
>
>
>
>
>
Unfortunately, the problem is inherent in human writing systems.
Consider rnicrosoft.com and paypaI.com.
The good news is that fairly simple homograph rules can be applied to
collapse the namespace into visually distinct labels: see TR #36. See
also https://bugzilla.mozilla.org/show_bug.cgi?id=279099 for a lengthy
group discussion of the issues involved.
As a side-effect of this, implementing either a blocking bundling or
inclusive bundling policy has the effect of precluding a registry from
selling potential spoofs to others. The former requires no change to
existing software, apart from a check at name registration time; the
latter requires either the generation of huge zonefiles, or a few lines
of code and a ~128kbyte static lookup table to be added to DNS server
software: see RFC 3743 for more detail than you ever wanted to know
about bundling.
Neither is beyond the wit of man, particularly given commercial pressure
from registry customers.
Neil
(my personal views only, not that of any organization)
More information about the NANOG
mailing list