nanog mailing list archives

Re: Dear RIPE: Please don't encourage phishing
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 11 Feb 2012 23:45:08 -0600

On Sat, Feb 11, 2012 at 11:13 PM,  <Valdis.Kletnieks () vt edu> wrote:
On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
Valdis.Kletnieks () vt edu wrote:
It's interesting how some people are insisting that the IDN code has to be
*perfect* and make it *totally* impossible to create a phishable spoof of
a domain - but aren't willing to take the extra step of banning the characters
in the Latin Ascii charset that are spoofable.
[snip]

There aren't really any characters in the Latin ASCII charset that are
so spoofable.
0 and O, |, I, l, and 1 do come close, depending on the font
chosen. This is easily avoidable: because there are so few
spoofable characters, you can easily just avoid using a spoofable one
in your domain name, or register all variants. These are minor
compared to the issues you get expanding the possible URL character
sets to all of Unicode, through IDN support.

The extended character sets available under IDN provide a large number
of spoofable characters from various different charsets that are
indistinguishable.


For phishing to not be a serious risk, IDN implementations have to
have some kind of security policy.

A start would be: don't display IDN characters unless they are
within a character set the user is expected to be familiar with. For
example, for a web browser that ships in North America, only the
locally relevant IDN character sets should be enabled by default.

If you should want to see IDN characters from Cyrillic character sets,
or Chinese ideographs, there should be a requirement that you very
deliberately install support for the specific character set you need.


Or install a localized browser that has the specific IDN charsets
allowed by policy.

There should also be a browser-enforced policy that different charsets
cannot be mixed in the same domain name.

Then any increase in phishing risk is limited to regions / language-localized
browsers where the character set with spoofable characters makes sense
and is in common use.


Ideally there should be a table of every pair of characters that
"look somewhat similar to each other" in every character set, and
every registrar ensuring appearance uniqueness for every new domain
registration.


--
-JH
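The two policies the post sketches, as an added example that is not from the post, nor from any browser or registrar: a Python sketch that (1) shows a domain label in Unicode only when every character belongs to a script the local policy allows and no scripts are mixed, falling back to the ASCII xn-- form otherwise, and (2) collapses a label to a "skeleton" so a registrar can refuse a new name that looks like one already registered. The allowed-script set, the script-from-character-name heuristic and the tiny confusables table are all assumptions constructed for the example; Unicode publishes a far larger confusables list, and real browsers use the Unicode script property rather than character names.

```python
import unicodedata

# Assumption for the example: the scripts a browser shipped in North America
# would enable by default (the "locally relevant" set from the post).
DEFAULT_ALLOWED_SCRIPTS = {"LATIN"}

# Constructed, deliberately small confusables table: each entry maps a
# character to the Latin character it resembles.  A real deployment would
# load Unicode's confusables.txt instead of hand-picking a dozen pairs.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "0": "o",       # the ASCII near-misses the post mentions
    "1": "l",
    "|": "l",
}


def script_of(ch):
    """Heuristic script classification: the first word of the Unicode
    character name ("LATIN", "CYRILLIC", "GREEK", ...).  Digits and the
    hyphen are script-neutral and reported as COMMON."""
    if ch in "0123456789-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    if name.startswith("CJK UNIFIED IDEOGRAPH"):
        return "HAN"
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in_label(label):
    """Set of non-COMMON scripts used by the characters of one label."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def display_form(label, allowed_scripts=DEFAULT_ALLOWED_SCRIPTS):
    """What a browser following the post's policy would show for one label.

    Unicode is displayed only if every script in the label is enabled by
    the local policy AND the label does not mix scripts; anything else is
    shown as its ASCII-compatible xn-- form so the spoof is visible."""
    label = unicodedata.normalize("NFC", label)
    scripts = scripts_in_label(label)
    mixed = len(scripts) > 1
    foreign = not scripts <= allowed_scripts
    if mixed or foreign:
        return label.encode("idna").decode("ascii")
    return label


def skeleton(label):
    """Registrar-side normalisation: map every character to its confusable
    representative so that labels that look alike collapse to one string."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def conflicts_with_existing(new_label, registry):
    """Names already in `registry` whose skeleton equals the new label's
    skeleton, i.e. registrations the post would have a registrar refuse."""
    target = skeleton(new_label)
    return [name for name in registry
            if name != new_label and skeleton(name) == target]


if __name__ == "__main__":
    # Constructed sample labels: one Latin, one Latin-with-diaeresis, one
    # mixed Latin/Cyrillic spoof, one all-Cyrillic word.
    samples = ["paypal", "b\u00fccher", "p\u0430ypal",
               "\u043c\u043e\u0441\u043a\u0432\u0430"]
    for s in samples:
        print(repr(s), "->", display_form(s), "scripts:", scripts_in_label(s))
    print(conflicts_with_existing("p\u0430ypal", ["paypal", "example"]))
```

Note that the all-Cyrillic label is displayed in Unicode once CYRILLIC is in the allowed set, which is exactly the residual risk the post accepts for localized browsers; the skeleton check is what covers a homograph like "аррӏе" (all Cyrillic) against "apple" at registration time.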

