Dear RIPE: Please don't encourage phishing
mysidia at gmail.com
Sun Feb 12 05:45:08 UTC 2012
On Sat, Feb 11, 2012 at 11:13 PM, <Valdis.Kletnieks at vt.edu> wrote:
> On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
>> Valdis.Kletnieks at vt.edu wrote:
> It's interesting how some people are insisting that the IDN code has to be
> *perfect* and make it *totally* impossible to create a phishable spoof of
> a domain - but aren't willing to take the extra step of banning the characters
> in the Latin Ascii charset that are spoofable.
There aren't really any characters in the latin ASCII charset that are
0 and O, |, I, l, and 1 do come close, depending on the font
chosen. This is easily avoidable: because there are so few
spoofable characters, you can easily just avoid using a spoofable one
in your domain name, or register all variants. These are minor
compared to the issues you get expanding the possible URL character
sets to all unicode, through IDN support.
The extended character sets available under IDN provide a large number
of spoofable characters from various different charsets that are
For phishing to not be a serious risk, IDN implementations have to
have some kind of security policy.
A start would be: don't display IDN characters, unless they are
within a character set the user is expected to be familiar with. For
example, for a web browser that ships in North America, only the
locally relevant IDN character sets should be enabled by default.
If you should want to see IDN characters from Cyrillic character sets,
or Chinese ideographs, there should be a requirement that you very
deliberately install support for the specific character set you need.
Or install a localized browser that has the specific IDN charsets
allowed by policy.
There should also be a browser-enforced policy that different charsets
cannot be mixed in the same domain name.
Then any increase in phishing risk is limited to regions / languages
where the character set with spoofable characters makes sense and is
in common use.
Ideally there should be a table of every pair of characters that
"look somewhat similar to each other" in every character set, and
every registrar ensuring appearance uniqueness for every new domain
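The two display rules argued for above (show a label in Unicode only if its script is on the locale's allowed list, and never if it mixes scripts) as an added example, not code from the poster or from any browser; Python's unicodedata has no Script property, so the script of a character is approximated here from the first word of its Unicode name, and the allowed set for a "North American" build is assumed to be just Latin:

```python
import unicodedata

# Assumed default for a browser shipped in a Latin-script region.
ALLOWED_SCRIPTS = {"LATIN"}


def script_of(ch):
    """Rough script classification from the Unicode character name."""
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith("DIGIT") or name == "HYPHEN-MINUS":
        return "COMMON"          # digits and '-' belong to no script
    if name.startswith("CJK UNIFIED IDEOGRAPH"):
        return "HAN"
    return name.split()[0]       # LATIN, CYRILLIC, GREEK, ARABIC, ...


def label_scripts(label):
    """Scripts used in one domain label, ignoring script-neutral chars."""
    return {script_of(c) for c in label} - {"COMMON"}


def display_form(domain, allowed=ALLOWED_SCRIPTS):
    """Return the form a browser should show in the address bar.

    Unicode is shown only when every label is single-script and that
    script is on the allowed list; otherwise the ASCII A-label form
    (xn--...) is shown so that look-alike characters are not hidden.
    """
    for label in domain.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:                 # mixed-script label
            return domain.encode("idna").decode("ascii")
        if scripts and not scripts <= allowed:   # unfamiliar script
            return domain.encode("idna").decode("ascii")
    return domain


if __name__ == "__main__":
    # Constructed inputs: the second uses a Cyrillic 'а' (U+0430).
    for d in ("example.com", "p\u0430ypal.com", "m\u00fcnchen.de"):
        print(d, "->", display_form(d))
```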
More information about the NANOG