+1

Thanks,
Harish Chowdhary,
ISOC IETF FELLOW
inSIG 2017 FELLOW

www.nixi.in | www.indiaig.in
 


From: ua-discuss-request@icann.org
Sent: Wed, 21 Feb 2018 17:30:13 GMT+0530
To: ua-discuss@icann.org
Subject: UA-discuss Digest, Vol 38, Issue 11

Send UA-discuss mailing list submissions to
   ua-discuss@icann.org

To subscribe or unsubscribe via the World Wide Web, visit
   https://mm.icann.org/mailman/listinfo/ua-discuss
or, via email, send a message with subject or body 'help' to
   ua-discuss-request@icann.org

You can reach the person managing the list at
   ua-discuss-owner@icann.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of UA-discuss digest..."


Today's Topics:

  1. Re: Another difficulty to overcome ... (Asmus Freytag)
  2. Re: Another difficulty to overcome ... (Mark Svancarek)
  3. Re: Another difficulty to overcome ... (Andrew Sullivan)
  4. Re: Another difficulty to overcome ... (Andrew Sullivan)


----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Feb 2018 10:05:08 -0800
From: Asmus Freytag <asmusf@ix.netcom.com>
To: ua-discuss@icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <441b9b4f-3546-6acf-6d6e-e369286b3040@ix.netcom.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 2/20/2018 12:54 AM, Jim DeLaHunt wrote:
>
> Multiple people have made the argument that having a browser show
> A-labels ("punycode") instead of U-labels ("regular IDN") is desirable
> as a way of fighting phishing.
>
> My rebuttal has three parts:
>
>  1. The underlying problem is that the registry (here, .com) permitted
>     registration of a domain name which was confusable with another
>     one. The right place to fight this kind of phishing with
>     confusable characters is at the domain registry level.
>  2. Even if you could magically prevent all confusable 2nd-level
>     domain name registrations, phishing would still be a problem.
>     Fraudsters have many tools, confusable 2nd-level names is only one
>     of them. There are also confusable names at the 4th or 5th levels
>     (e.g. microsoft.com.innocuous.deceptive.com), and misleading links
>     in message bodies, and so on.
>  3. The people for whom A-labels instead of U-labels [are more
>     readable] are a privileged set of latin-script reading Internet
>     users. The second billion internet users will predominantly be
>     people who read a different script than latin. U-labels are a
>     requirement for them to have legible domain names for legitimate
>     sites. A-labels mean they don't get domain names which they can
>     read. And they deserve to be able to read their domain names and
>     email addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it
> solid?? Can I improve it?
>
One edit above in []

There's a fallacy that A-labels are less confusable. Even for users of
the Latin script. In fact, they obscure the intended destination almost
as badly as URL shortening does... Otherwise we could all just use
hashes like those used in URL shortening - and I'm not sure I'd call the
latter a win for security.

Finally, there are some nice spoofing methods specific to a-labels.

A./
>
> Cheers,
> --Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>> All,
>>
>> I am aware of the good work going on in the UASG to get IDN at all
>> levels natively supported in web-addresses and email and I fully
>> support that.
>>
>> On the other hand there is darker side of the web that people want to
>> be protected from.
>> I just read this blog about some people that may actually find it
>> better to see puny-code instead of regular IDN in order to detect
>> spam and phishing.
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/
>> which is an opposite view of what UASG is trying to achieve.
>>
>> Does/Will the UASG have a standpoint in this matter ? Is this in
>> scope of UASG or will we rely on the anti-virus industry or even
>> registrars/registries to protect the world from abuses like this ?
>>
>> Best regards,
>>
>> Ron Geens
>> DNS Belgium
>
> --
>      --Jim DeLaHunt,jdlh@jdlh.com      http://blog.jdlh.com/  (http://jdlh.com/)
>        multilingual websites consultant
>
>        355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>           Canada mobile +1-604-376-8953



------------------------------

Message: 2
Date: Tue, 20 Feb 2018 18:08:25 +0000
From: Mark Svancarek <marksv@microsoft.com>
To: Chaals McCathie Nevile <chaals@yandex.ru>, "ua-discuss@icann.org"
   <ua-discuss@icann.org>
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID:
   <BL0PR2101MB08838933734E2C5FA1474E96D1CF0@BL0PR2101MB0883.namprd21.prod.outlook.com>
   
Content-Type: text/plain; charset="utf-8"

I like Jim's rebuttal in entirety, but would re-order 123 --> 321 per Chaals comments.


-----Original Message-----
From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Chaals McCathie Nevile
Sent: Tuesday, February 20, 2018 1:41 AM
To: ua-discuss@icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...

The strongest argument against showing A-labels is the technical side of point 3, and IMHO it is sufficient to make the case. Point 2 is a true statement but doesn't address the problem. Point 1 is about what else should be done to address the problem, but does not directly rebut the suggestion.

In more detail, (for anyone in this choir who wants the full sermon ;) )

People who more naturally read a non-latin script - the primary market for non-latin script - are generally more able to read that accurately and less able to spot oddities in latin script or another script they don't read.

This isn't a question of "deserving" to be allowed to use your own script (although it is true people do deserve that IMHO).

It is about ensuring that people can effectively notice whether something is a meaningful URL they were looking for, or a corrupted version. It is easier for most people in their own script than noticing a corrupted version of a punycode string.

This is also generally true for e.g. Europeans who do read Latin script.  
Dahlström, Dahlstrom, and Dahlstrøm *are* similar, and could be used for phishing attacks (one of them is part of a friend's email address). But xn--ksjdlfn and xn--sekdrtb are actually gibberish, and spotting whether gibberish has a mistake is pretty difficult for normal people.

A better idea might be larger fonts, to make differences clearer.

On user demand, offering a strict non-ambiguous *transliteration* could help (whether that is from or to a script such as Latin, or doesn't involve it at all as between say Thai and Arabic). But transliteration introduces some thorny and well-known problems. I hope that is the reason it isn't widely available, rather than just because a bunch of engineers assume everything begins with Latin script anyway...

cheers

cheers.

On Tue, 20 Feb 2018 09:54:40 +0100, Jim DeLaHunt <jfrom.uasg@jdlh.com>
wrote:

> Multiple people have made the argument that having a browser show
> A-labels ("punycode") instead of U-labels ("regular IDN") is
> desirable as a way of fighting phishing.
>
> My rebuttal has three parts:
>
>  1. The underlying problem is that the registry (here, .com)
>     permitted registration of a domain name which was confusable
>     with another one. The right place to fight this kind of phishing
>     with confusable characters is at the domain registry level.
>
>  2. Even if you could magically prevent all confusable 2nd-level
>     domain name registrations, phishing would still be a problem.
>     Fraudsters have many tools, confusable 2nd-level names is only
>     one of them. There are also confusable names at the 4th or 5th
>     levels (e.g. microsoft.com.innocuous.deceptive.com), and
>     misleading links in message bodies, and so on.
>
>  3. The people for whom A-labels instead of U-labels are a
>     privileged set of latin-script reading Internet users. The
>     second billion internet users will predominantly be people who
>     read a different script than latin. U-labels are a requirement
>     for them to have legible domain names for legitimate sites.
>     A-labels mean they don't get domain names which they can read.
>     And they deserve to be able to read their domain names and email
>     addresses.
>
> This is an excellent audience for me to test my rebuttal. Is it
> solid?  Can I improve it?
>
> Cheers,
> --Jim DeLaHunt, Vancouver, Canada
>
> On 2018-02-19 23:36, Ronald Geens wrote:
>
>> All,
>>
>> I am aware of the good work going on in the UASG to get IDN at all
>> levels natively supported in web-addresses and email and I fully
>> support that.
>>
>> On the other hand there is darker side of the web that people want to
>> be protected from.
>> I just read this blog about some people that may actually find it
>> better to see puny-code instead of regular IDN in order to detect
>> spam and phishing.
>> https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/
>> which is an opposite view of what UASG is trying to achieve.
>>
>> Does/Will the UASG have a standpoint in this matter ? Is this in
>> scope of UASG or will we rely on the anti-virus industry or even
>> registrars/registries to protect the world from abuses like this ?
>>
>> Best regards,
>>
>> Ron Geens
>> DNS Belgium
>
> --
>      --Jim DeLaHunt, jdlh@jdlh.com     http://blog.jdlh.com/  (http://jdlh.com/)
>        multilingual websites consultant
>
>        355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>           Canada mobile +1-604-376-8953



--
Chaals is Charles McCathie Nevile
find more at http://yandex.com

------------------------------

Message: 3
Date: Tue, 20 Feb 2018 13:18:44 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: ua-discuss@icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <20180220181844.qamd4mz5t6fx5pgz@mx4.yitter.info>
Content-Type: text/plain; charset=us-ascii

Hi,

On Tue, Feb 20, 2018 at 12:54:40AM -0800, Jim DeLaHunt wrote:
>
>  1. The underlying problem is that the registry (here, .com) permitted
>     registration of a domain name which was confusable with another one. The
>     right place to fight this kind of phishing with confusable characters is at
>     the domain registry level.

I sort of agree with that, but I want to note some cautions.

   1.  It is not possible as a general matter to ensure that nothing
   "confusable" ever gets registered.  We have no control over the
   fonts people are using, or the visual acuity of people, or the
   context in which the label is presented.  All of those have a
   great deal to do with whether people get phished, quite apart from
   the content of the labels.

   2.  The "no-script-mixing" rules that many of us are arguing for
   are also drags on innovation, and in some locales there are good
   reasons to mix scripts.  That tension won't go away just because
   we said so.

   3.  The distinction between identifiers and branding appears to be
   almost totally lost on people, with even the Unicode Technical
   Committee, who recommend against emojis in identifiers, saying
   that they're ok in domain names (contrary to the IDNA2008
   specifications).  I don't have any idea what to do about this,
   because most people don't understand how context-free and
   locale-free identifiers could possibly work reliably.  (That
   includes me.)

   4.  There is no way to make rules for the entire DNS, because it
   is a distributed database with distributed authority.

More generally, however, the position, "Use the A-label form" is in
effect the position, "Don't use IDNA."  For the most conspicuous fact
about A-labels is that they're equivalently meaningless to everyone.
That hardly seems like a usability win.

>  3. The people for whom A-labels instead of U-labels

There is nobody for whom A-labels are useful.  A-labels are those
things that have the prefix (xn--) and a punycode-encoded string in
them.  'anvilwalrusden.com' has two labels, neither of which is an
A-label, though they're both LDH-labels.  This is covered in painful
detail in RFC 5890, so I refer the gentle reader to that.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
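A worked illustration of the A-label / LDH-label / U-label distinction Andrew draws above, and of the "no-script-mixing" check he mentions in his second caution. This is an added example, not code from any participant in the thread. It assumes Python's built-in `idna` codec (which implements the IDNA2003 nameprep + Punycode rules, not the IDNA2008 rules the thread refers to) and approximates a character's script from the first word of its Unicode character name, which is a constructed heuristic rather than the Unicode Script property; the hostnames it is fed are constructed samples, one of which mixes Latin letters with a Cyrillic "а" (U+0430).

```python
import unicodedata

# Script-neutral characters permitted inside a hostname label; they do not
# count toward "script mixing". Constructed heuristic, not an RFC rule set.
_NEUTRAL_NAME_PREFIXES = ("DIGIT", "HYPHEN-MINUS")


def label_kind(label: str) -> str:
    """Classify one label with the RFC 5890 vocabulary used in the thread:
    A-label (xn-- prefix plus Punycode), plain LDH-label, or U-label."""
    if label.isascii():
        return "A-label" if label.lower().startswith("xn--") else "LDH-label"
    return "U-label"


def to_a_label(label: str) -> str:
    """U-label -> A-label. Assumption: Python's built-in 'idna' codec, which
    implements IDNA2003 (nameprep + Punycode); an ASCII label comes back
    unchanged, a non-ASCII one comes back as xn--<punycode>."""
    return label.encode("idna").decode("ascii")


def to_u_label(label: str) -> str:
    """A-label (or plain LDH-label) -> U-label; non-ASCII input is already
    a U-label and is returned as is."""
    if not label.isascii():
        return label
    return label.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Approximate the set of scripts in a label from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...), ignoring the
    neutral characters. A production check would use the Script property."""
    scripts = set()
    for ch in label:
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        if first in _NEUTRAL_NAME_PREFIXES:
            continue
        scripts.add(first)
    return scripts


def inspect_hostname(hostname: str) -> list:
    """Per-label report: both forms of the label, its kind, the scripts it
    uses, and whether it mixes scripts (the "no-script-mixing" rule)."""
    report = []
    for label in hostname.split("."):
        u_label = to_u_label(label)
        scripts = scripts_in(u_label)
        report.append({
            "label": label,
            "kind": label_kind(label),
            "u_label": u_label,
            "a_label": to_a_label(u_label),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    return report


def any_mixed_script(hostname: str) -> bool:
    """True if any label of the hostname mixes scripts."""
    return any(entry["mixed_script"] for entry in inspect_hostname(hostname))


if __name__ == "__main__":
    # Constructed sample hostnames: the plain LDH name from the thread, the
    # surname the thread uses, the same kind of name already in A-label form,
    # and a label mixing Latin with a Cyrillic "а" (U+0430).
    for host in ("anvilwalrusden.com",
                 "dahlström.example",
                 "xn--bcher-kva.example",
                 "ex\u0430mple.com"):
        for entry in inspect_hostname(host):
            print(f"{entry['label']!r:26} {entry['kind']:9} "
                  f"u={entry['u_label']!r} a={entry['a_label']!r} "
                  f"scripts={sorted(entry['scripts'])} "
                  f"mixed={entry['mixed_script']}")
```

Note what the report makes visible: the two labels of `anvilwalrusden.com` are LDH-labels, not A-labels, exactly as Andrew says; the A-label `xn--bcher-kva` is opaque until decoded, which is Asmus's point about A-labels obscuring the destination; and the mixed-script label is caught by a check on the U-label form, where the Punycode form would tell a reader nothing.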


------------------------------

Message: 4
Date: Tue, 20 Feb 2018 13:23:42 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: ua-discuss@icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...
Message-ID: <20180220182342.6z75tmq4736dd4dq@mx4.yitter.info>
Content-Type: text/plain; charset=us-ascii

On Tue, Feb 20, 2018 at 10:40:31AM +0100, Chaals McCathie Nevile wrote:
>
> People who more naturally read a non-latin script - the primary
> market for non-latin script - are generally more able to read that
> accurately and less able to spot oddities in latin script or another
> script they don't read.

This is only partly relevant, because even an ASCII label can cause
trouble.  If you doubt this, and you use an Apple product, I suggest
that you try to transcribe a string in the default font in either iOS
or OSX (Keychain Access) where the string contains exactly one of
capital I, lower-case L, capital O, or the digit zero.  There are
certainly similar cases with composed Latin characters, and there are
several well-worked-over examples in Arabic script -- the latter where
characters that are all but guaranteed to use the same glyph are
nevertheless different characters.

> It is about ensuring that people can effectively notice whether
> something is a meaningful URL they were looking for, or a corrupted
> version. It is easier for most people in their own script than
> noticing a corrupted version of a punycode string.


The basic problem here is that domain names were a _lousy_ basis on
which to build security policies, but we did it.  (That sort of thing
happens all the time.  The automobile was a lousy basis around which
to do social planning, but every North American city of any size shows
that we did that, too.  We shape our tools and thereafter they shape
us.)

Best regards,

A
--
Andrew Sullivan
ajs@anvilwalrusden.com


------------------------------

Subject: Digest Footer

_______________________________________________
UA-discuss mailing list
UA-discuss@icann.org
https://mm.icann.org/mailman/listinfo/ua-discuss


------------------------------

End of UA-discuss Digest, Vol 38, Issue 11
******************************************
