Dear RIPE: Please don't encourage phishing

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Feb 11 23:13:27 CST 2012


On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> Valdis.Kletnieks at vt.edu wrote:
>
> > (The actual policy for the .UA registrar is more subtle. They *do* in fact
> > allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph
> > users.  However, they require at least one character that's visually unique to
> > Cyrillic in the domain name.
>
> Unique within what?
>
> Is a Cyrillic character, which looks like Latin E with diaeresis,
> a unique Cyrillic character?
>
> Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma,
> a unique Cyrillic character?
>
> Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE",
> a unique Greek character?

Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma
or Latin-E-with-diaeresis in domain names.  So you can't find a domain
bankname-containing-ghe.ua and spoof it with bankname-containing-gamma.ua.

I suppose you *could* find a 'greek-bankname-containing-gamma-and-only-chars-spoofable-in-cyrillic.gr'
and create a 'bankname-containing-ghe-and-cyrillic.ua'.  But quite frankly,
turning off IDN doesn't fix that problem - greekbank.gr is spoofable
by greekbank.ua and greekbank.com.  We *already* have companies
that will register 'foobar.com', 'foobar.net', 'foobar.org' and every other variant
they can to prevent squatters in the other TLDs.

> > They also don't allow mixed Cyrillic/Latin
> > scripts in one domain name).
>
> Is a Russian word containing no unique (unique to ASCII)
> Cyrillic characters encoded as Latin character using ASCII,
> even though a Russian word containing unique (whatever unique
> means) Cyrillic character encoded as Cyrillic characters?

No, it means you get to pick 'all-latin-chars.ua' or 'all-cyrillic-chars.ua'.
And due to the requirement that a Cyrillic name have a special char
in it, you can't spoof an all-latin-chars.ua name.

> The only protection is to disable IDN.

You also have to ban the use of numbers in domain names, because you
need to prevent people being tricked by micros0ft.com and m1crosoft.com.

Good luck on that.

Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I
looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently using,
the two are pixel-identical).

I don't see anybody calling for the banning of 'i' and 'l' in domain names due to that.

It's interesting how some people are insisting that the IDN code has to be
*perfect* and make it *totally* impossible to create a phishable spoof of
a domain - but aren't willing to take the extra step of banning the characters
in the Latin Ascii charset that are spoofable.
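The two .ua registry rules described in this message (no mixed Cyrillic/Latin labels, and a Cyrillic label must contain at least one character that is not a Latin lookalike) as an added checker in Python; this is not code from the thread. The lookalike set below is a constructed approximation, not the registry's actual list, and the Latin "skeleton" function is added to show how a defender would compare a Cyrillic label against a Latin brand name.

```python
import unicodedata

# Constructed approximation of lowercase Cyrillic letters whose usual glyph is
# indistinguishable from a Latin letter; the thread names U+0441 as one case.
# The registry's real list is not on the page, so treat this set as an assumption.
LATIN_LOOKALIKE_CYRILLIC = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с (CYRILLIC SMALL LETTER ES, the example in the thread)
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
}


def script_of(ch):
    """First word of the Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...);
    digits and the hyphen are script-neutral and reported as 'COMMON'."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def classify_label(label):
    """Apply the mixed-script rule and the 'uniquely Cyrillic char' rule to one label."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    if len(scripts) > 1:
        return "reject: mixed scripts"
    if scripts == {"CYRILLIC"}:
        if all(ch in LATIN_LOOKALIKE_CYRILLIC or script_of(ch) == "COMMON" for ch in label):
            return "reject: no uniquely Cyrillic character"
        return "accept: cyrillic"
    if not scripts or scripts == {"LATIN"}:
        return "accept: latin"  # note: digit substitutions such as micros0ft pass
    return "reject: script not permitted"  # e.g. Greek, per the message above


def latin_skeleton(label):
    """Map each lookalike Cyrillic letter to its Latin twin so a defender can
    compare a candidate label against a known Latin brand name."""
    return "".join(LATIN_LOOKALIKE_CYRILLIC.get(ch, ch) for ch in label)
```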