
Re: Dear RIPE: Please don't encourage phishing
From: Valdis.Kletnieks () vt edu
Date: Sun, 12 Feb 2012 00:13:27 -0500

On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> Valdis.Kletnieks () vt edu wrote:
>
>> (The actual policy for the .UA registrar is more subtle. They *do* in fact
>> allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph
>> users.  However, they require at least one character that's visually unique to
>> Cyrillic in the domain name.
>
> Unique within what?
>
> Is a Cyrillic character, which looks like Latin E with diaeresis,
> a unique Cyrillic character?
>
> Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma,
> a unique Cyrillic character?
>
> Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE",
> a unique Greek character?

Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma
or Latin-E-with-diaeresis in domain names.  So you can't find a domain
bankname-containing-ghe.ua and spoof it with bankname-containing-gamma.ua.

I suppose you *could* find a 'greek-bankname-containing-gamma-and-only-chars-spoofable-in-cyrillic.gr'
and create a 'bankname-containing-ghe-and-cyrillic.ua'.  But quite frankly,
turning off IDN doesn't fix that problem - greekbank.gr is spoofable
by greekbank.ua and greekbank.com.  We *already* have companies
that will register 'foobar.com', 'foobar.net', 'foobar.org' and every other variant
they can to prevent squatters in the other TLDs.

>> They also don't allow mixed Cyrillic/Latin
>> scripts in one domain name).
>
> Is a Russian word containing no unique (unique to ASCII)
> Cyrillic characters encoded as Latin character using ASCII,
> even though a Russian word containing unique (whatever unique
> means) Cyrillic character encoded as Cyrillic characters?

No, it means you get to pick 'all-latin-chars.ua' or 'all-cyrillic-chars.ua'.
And due to the requirement that a Cyrillic name have a special char
in it, you can't spoof an all-latin-chars.ua name.

> The only protection is to disable IDN.

You also have to ban the use of numbers in domain names, because you
need to prevent people being tricked by micros0ft.com and m1crosoft.com.

Good luck on that.

Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I
looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently using,
the two are pixel-identical).

I don't see anybody calling for the banning of 'i' and 'l' in domain names due to that.

It's interesting how some people are insisting that the IDN code has to be
*perfect* and make it *totally* impossible to create a phishable spoof of
a domain - but aren't willing to take the extra step of banning the characters
in the Latin Ascii charset that are spoofable.
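The .ua registry rule discussed above (one script per label, and an all-Cyrillic label must contain at least one letter that has no Latin look-alike) can be expressed as a small label check. This is an added illustration, not the registry's own code or published rules; the set of Latin-look-alike Cyrillic letters below is an assumption for the example, not an official confusables table.

```python
import unicodedata

# Assumed, illustrative set of Cyrillic letters whose usual glyphs coincide
# with Latin ones: а е о р с у х і ј ѕ (a e o p c y x i j s).
LATIN_LOOKALIKE_CYRILLIC = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458\u0455"
)

# Scripts the (assumed) policy permits at all; Greek etc. are rejected outright.
PERMITTED_SCRIPTS = {"LATIN", "CYRILLIC"}


def script_of(ch):
    """Script of one letter, taken from its Unicode character name.
    Digits and the hyphen carry no script and return None."""
    if ch.isdigit() or ch == "-":
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def check_label(label):
    """Apply the thread's description of the .ua rule to one domain label.
    Returns (allowed, reason)."""
    label = unicodedata.normalize("NFC", label).lower()
    if not label:
        return False, "empty label"
    scripts = {s for s in map(script_of, label) if s is not None}
    if not scripts <= PERMITTED_SCRIPTS:
        return False, "script not permitted"
    if len(scripts) > 1:
        # e.g. Latin 'example' with a Cyrillic 'а' swapped in
        return False, "mixed scripts"
    if scripts == {"CYRILLIC"}:
        letters = [c for c in label if script_of(c) == "CYRILLIC"]
        if all(c in LATIN_LOOKALIKE_CYRILLIC for c in letters):
            # every letter could pass for Latin: spoofable, so rejected
            return False, "no character visually unique to Cyrillic"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("example", "ex\u0430mple", "\u0441\u043e\u0440\u0443", "\u0431\u0430\u043d\u043a"):
        print(sample, check_label(sample))
```

As the thread notes, a check like this says nothing about same-script confusables such as micros0ft or I versus l, which no script rule can catch.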
