Re: ICANN Approves Non-Latin Domain Name Characters

["Larry Seltzer" <larry () larryseltzer com>]

Just kidding about the "looking for quotes" line. I won't implicate
anyone here unless you tell me you want to be quoted, and then I'll just
garble the quote to humiliate you.

Really, I'll treat this thread as an educational experience, make up my
own mind and talk about that. So far my guess is that, based on pretty
much all prior experience on the Internet, there have to be exploitable
software bugs and social engineering opportunities in this, probably
significant ones. How much support is there right now in available
software for punycode?

Here's a stupid question: Is it possible that there are buffer overflows
out there just from all the extra bytes in domain names?

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Larry Seltzer
Sent: Saturday, October 31, 2009 9:40 AM
To: funsec () linuxbox org
Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

Oh I know all this, just looking for quotes. 

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster () gmail com] 
Sent: Saturday, October 31, 2009 9:35 AM
To: Larry Seltzer
Cc: funsec () linuxbox org
Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Oct 31, 2009 at 6:14 AM, Larry Seltzer <larry () larryseltzer com>
wrote:

>
http://www.pcmag.com/article2/0,2817,2355068,00.asp?kc=PCRSS05079TX1K000
0
> 992
>
>
>
> So have the security implications of these new domain names really
been
> thought through?

No.

If nothing else, expanding the TLD space expands the abuse footprint.

Further, expanding the TLD footprint in areas which are not clearly
'recognizable' by some applications, etc., will certainly have a
tendency
to be targets for abuse by criminals.

Of course, this may sound obvious -- and it is.

But expanding the TLD space into the IDN direction is not all sunshine
and
rainbows -- it also opens up a whole new gateway for enormous abuse and
exploitation.

It should be obvious to anyone with a clue. :-)

- - ferg

p.s. I'm in Taipei at the moment, which should underscore the issues
that I
am talking about, et al.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFK7Dzhq1pz9mNUZTMRAgxlAJ9FzZzBmRmoPfN4EHhSRo2g19/WvQCgzCJO
5V6IySqInkTmQlkoxSqb1tk=
=COHl
-----END PGP SIGNATURE-----


-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.