Non-English Domain Names Likely Delayed

Jason Sloderbeck jason at positivenetworks.net
Mon Jul 18 22:43:02 UTC 2005


I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to
completely confuse even a savvy IT user who is trying to determine the
validity of an SSL site.

> There are dozens of ways we know of, and probably more that lie
> undiscovered, to exploit vulnerabilities in DNS, browsers, and in human
> nature to conduct phishing.

Sure, there are bugs and hacks. The existence of such does not justify
approving new measures (in this case, a glaring security hole) as a
global standard. In fact, quite the opposite: folks are generally trying
to fix such problems, not push them forward in public policy agenda.

It's clear that no one intended for the side effect of a complete
meltdown in the user layer of SSL (where the only thing you can do is
double-check the URL in your browser and verify there's a padlock icon
in your status bar), but the side effect is there and it's naive to
pretend that fairness to non-English folks or globalization justifies a
hole this large. Certainly, the vulnerability is just as much a problem
for the targeted benefactors of this change.

-Jason


-- 
Jason Sloderbeck 
Positive Networks 
jason @ positivenetworks . net


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Crist Clark
Sent: Monday, July 18, 2005 4:43 PM
Cc: NANOG
Subject: Re: Non-English Domain Names Likely Delayed


Isn't someone more eloquent than I going to point out that spending
a lot of effort eliminating homographs from DNS to stop phishing is a
security measure on par with cutting cell service to underground trains
to prevent bombings? It focuses on one small vulnerability that phishers
exploit, and "fixing" this one vulnerability just may make things worse.
It wastes resources that could go to coming up with a *real* solution,
and it may provide a false sense of security.

Worrying about homographs is probably something about which we should
let the trademark lawyers get their undies in a bunch (knowing ICANN,
that may very well be what's driving this, not phishing worries) while
the IT security community concerns itself with a usable, and actually
secure, end-to-end security model for e-commerce.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
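The homograph problem both posts argue about, as an added example that is not part of either message: a small check a mail or proxy filter could run on a hostname, flagging a DNS label that mixes scripts (Latin letters plus a Cyrillic lookalike) and showing the punycode form that a browser which refuses to render the Unicode label would display instead. The sample hostnames are constructed, and the script bucketing is a rough approximation based on Unicode character names, not a full confusables implementation.

```python
import unicodedata

# Constructed sample hostnames. The second mixes a Cyrillic "а" (U+0430) into
# an otherwise Latin label; the third is a single-script Cyrillic label, which
# is a legitimate IDN and must not be flagged as mixed.
SAMPLES = {
    "example.com": "plain ASCII",
    "ex\u0430mple.com": "Latin label with one Cyrillic letter",
    "\u043f\u0440\u0438\u043c\u0435\u0440.com": "single-script Cyrillic label",
}

def script_of(ch: str) -> str:
    """Rough script bucket taken from the first word of the Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). ASCII letters count as
    Latin. This is an approximation, not UTS #39 script detection."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"

def label_scripts(label: str) -> set:
    """Set of script buckets used by the letters of one DNS label."""
    return {script_of(c) for c in label if c.isalpha()}

def is_mixed_script(hostname: str) -> bool:
    """True if any label of the hostname draws letters from more than one
    script, the pattern a Latin-with-Cyrillic lookalike produces."""
    return any(len(label_scripts(lbl)) > 1 for lbl in hostname.split("."))

def to_ace(hostname: str) -> str:
    """ASCII-compatible (punycode, xn--) form of the hostname, which is what
    a user would see if the browser declined to render the Unicode label."""
    return hostname.encode("idna").decode("ascii")

def classify(hostname: str) -> str:
    """One-word verdict a filter could log for each hostname it sees."""
    if is_mixed_script(hostname):
        return "mixed-script"
    return "ascii" if hostname.isascii() else "idn"

if __name__ == "__main__":
    for host, note in SAMPLES.items():
        print(f"{host!r:32} {to_ace(host):28} {classify(host):13} {note}")
```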