nanog mailing list archives
Re: Dear RIPE: Please don't encourage phishing
From: Valdis.Kletnieks () vt edu
Date: Sun, 12 Feb 2012 00:13:27 -0500
On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> Valdis.Kletnieks () vt edu wrote:
>> (The actual policy for the .UA registrar is more subtle. They *do* in fact allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph users. However, they require at least one character that's visually unique to Cyrillic in the domain name.
>
> Unique within what? Is a Cyrillic character, which looks like Latin E with diaeresis, a unique Cyrillic character? Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma, a unique Cyrillic character? Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE", a unique Greek character?

Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma or Latin-E-with-diaeresis in domain names. So you can't find a domain bankname-containing-ghe.ua and spoof it with bankname-containing-gamma.ua. I suppose you *could* find a 'greek-bankname-containing-gamma-and-only-chars-spoofable-in-cyrillic.gr' and create a 'bankname-containing-ghe-and-cyrillic.ua'. But quite frankly, turning off IDN doesn't fix that problem - greekbank.gr is spoofable by greekbank.ua and greekbank.com. We *already* have companies that will register 'foobar.com', 'foobar.net', 'foobar.org' and every other variant they can to prevent squatters in the other TLDs.

>> They also don't allow mixed Cyrillic/Latin scripts in one domain name).
>
> Is a Russian word containing no unique (unique to ASCII) Cyrillic characters encoded as Latin character using ASCII, even though a Russian word containing unique (whatever unique means) Cyrillic character encoded as Cyrillic characters?

No, it means you get to pick 'all-latin-chars.ua' or 'all-cyrillic-chars.ua'. And due to the requirement that a Cyrillic name have a special char in it, you can't spoof an all-latin-chars.ua name.

> The only protection is to disable IDN.
You also have to ban the use of numbers in domain names, because you need to prevent people being tricked by micros0ft.com and m1crosoft.com. Good luck on that. Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently using, the two are pixel-identical). I don't see anybody calling for the banning of 'i' and 'l' in domain names due to that. It's interesting how some people are insisting that the IDN code has to be *perfect* and make it *totally* impossible to create a phishable spoof of a domain - but aren't willing to take the extra step of banning the characters in the Latin ASCII charset that are spoofable.
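
Added illustration, not part of the original message and not the .ua registry's actual rule set: a registry-side label check for the policy as described in the message above (one script per label, and a Cyrillic label must contain at least one character with no Latin look-alike). The look-alike table, function names and sample labels are constructed for this example.

```python
import unicodedata

# Cyrillic lowercase letters with a close Latin look-alike. Constructed,
# partial table for illustration; a registry would maintain its own.
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}

def script_of(ch):
    """Classify one character as LATIN, CYRILLIC, NEUTRAL or OTHER."""
    if ch in "0123456789-":
        return "NEUTRAL"                      # allowed in any label
    if "a" <= ch <= "z":
        return "LATIN"                        # ASCII letters only
    if unicodedata.name(ch, "").startswith("CYRILLIC"):
        return "CYRILLIC"
    return "OTHER"                            # Greek, accented Latin, ...

def check_label(label):
    """Return (accepted, reason) for a single domain label."""
    label = unicodedata.normalize("NFKC", label).lower()
    if not label:
        return (False, "empty label")
    scripts = {script_of(c) for c in label} - {"NEUTRAL"}
    if "OTHER" in scripts:
        return (False, "character outside allowed repertoire")
    if scripts == {"LATIN", "CYRILLIC"}:
        return (False, "mixed Latin/Cyrillic")
    if scripts == {"CYRILLIC"}:
        cyr = [c for c in label if script_of(c) == "CYRILLIC"]
        if all(c in LATIN_LOOKALIKES for c in cyr):
            return (False, "no visually unique Cyrillic character")
    return (True, "ok")

if __name__ == "__main__":
    # Constructed sample labels.
    for sample in ["bank", "\u0441\u0430\u0440\u0435", "\u0431\u0430\u043d\u043a",
                   "b\u0430nk", "\u03b3amma", "micros0ft"]:
        print(ascii(sample), check_label(sample))
```

The last sample passes, which is the message's closing point: the check stops cross-script spoofs but does nothing about look-alikes inside plain ASCII.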