I like Jim's rebuttal in entirety, but would re-order 123 --> 321 per Chaals' comments.

-----Original Message-----
From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Chaals McCathie Nevile
Sent: Tuesday, February 20, 2018 1:41 AM
To: ua-discuss@icann.org
Subject: Re: [UA-discuss] Another difficulty to overcome ...

The strongest argument against showing A-labels is the technical side of point 3, and IMHO it is sufficient to make the case. Point 2 is a true statement but doesn't address the problem. Point 1 is about what else should be done to address the problem, but does not directly rebut the suggestion.

In more detail, (for anyone in this choir who wants the full sermon ;) )

People who more naturally read a non-Latin script - the primary market for non-Latin script - are generally more able to read that accurately and less able to spot oddities in Latin script or another script they don't read.

This isn't a question of "deserving" to be allowed to use your own script (although it is true people do deserve that IMHO). It is about ensuring that people can effectively notice whether something is a meaningful URL they were looking for, or a corrupted version. It is easier for most people in their own script than noticing a corrupted version of a punycode string.

This is also generally true for e.g. Europeans who do read Latin script. Dahlström, Dahlstrom, and Dahlstrőm *are* similar, and could be used for phishing attacks (one of them is part of a friend's email address), but xn--ksjdlfn and xn--sekdrtb are actually gibberish, and spotting whether gibberish has a mistake is pretty difficult for normal people.

A better idea might be larger fonts, to make differences clearer. On user demand, offering a strict non-ambiguous *transliteration* could help (whether that is from or to a script such as Latin, or doesn't involve it at all as between say Thai and Arabic). But transliteration introduces some thorny and well-known problems. I hope that is the reason it isn't widely available, rather than just because a bunch of engineers assume everything begins with Latin script anyway...

cheers

On Tue, 20 Feb 2018 09:54:40 +0100, Jim DeLaHunt <jfrom.uasg@jdlh.com> wrote:
Multiple people have made the argument that having a browser show A-labels ("punycode") instead of U-labels ("regular IDN") is desirable as a way of fighting phishing.
My rebuttal has three parts:
1. The underlying problem is that the registry (here, .com) permitted registration of a domain name which was confusable with another one. The right place to fight this kind of phishing with confusable characters is at the domain registry level.
2. Even if you could magically prevent all confusable 2nd-level domain name registrations, phishing would still be a problem. Fraudsters have many tools; confusable 2nd-level names are only one of them. There are also confusable names at the 4th or 5th levels (e.g. microsoft.com.innocuous.deceptive.com), and misleading links in message bodies, and so on.
3. The people for whom A-labels instead of U-labels are a privileged set of Latin-script reading Internet users. The second billion internet users will predominantly be people who read a different script than Latin. U-labels are a requirement for them to have legible domain names for legitimate sites. A-labels mean they don't get domain names which they can read. And they deserve to be able to read their domain names and email addresses.
This is an excellent audience for me to test my rebuttal. Is it solid? Can I improve it?
Cheers,
—Jim DeLaHunt, Vancouver, Canada
On 2018-02-19 23:36, Ronald Geens wrote:
All, I am aware of the good work going on in the UASG to get IDN at all levels natively supported in web addresses and email and I fully support that. On the other hand there is a darker side of the web that people want to be protected from. I just read this blog about some people that may actually find it better to see puny-code instead of regular IDN in order to detect spam and phishing.
https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/
which is an opposite view of what UASG is trying to achieve.
Does/Will the UASG have a standpoint in this matter? Is this in scope of UASG or will we rely on the anti-virus industry or even registrars/registries to protect the world from abuses like this?
Best regards,
Ron Geens
DNS Belgium
--
--Jim DeLaHunt, jdlh@jdlh.com http://blog.jdlh.co... (http://jdlh.com/) multilingual websites consultant
355-1027 Davie St, Vancouver BC V6E 4L2, Canada Canada mobile +1-604-376-8953
--
Chaals is Charles McCathie Nevile
find more at http://yandex.com
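
Added example, not part of any message in this thread: the three similar names Chaals cites, converted to A-labels with Python's built-in IDNA 2003 codec, alongside the kind of registry-side confusable check Jim's point 1 argues for. The `fold()` key (strip diacritics after NFKD) is a simplifying assumption of this sketch, not the Unicode UTS #39 skeleton algorithm, and all function names are illustrative.

```python
import unicodedata

# The three U-labels from the thread, lowercased and written with escapes so
# the source is unambiguous: o-diaeresis, plain o, o-double-acute.
NAMES = ["dahlstr\u00f6m", "dahlstrom", "dahlstr\u0151m"]

def to_a_label(u_label: str) -> str:
    """U-label -> A-label with Python's built-in IDNA 2003 codec."""
    return u_label.encode("idna").decode("ascii")

def to_u_label(a_label: str) -> str:
    """A-label -> U-label, the form a reader of that script can check."""
    return a_label.encode("ascii").decode("idna")

def fold(u_label: str) -> str:
    """Crude comparison key (an assumption of this example, not UTS #39):
    lowercase, NFKD-decompose, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", u_label.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def differing_positions(a: str, b: str) -> list:
    """Indexes at which two strings differ, padding the shorter one."""
    width = max(len(a), len(b))
    pairs = zip(a.ljust(width), b.ljust(width))
    return [i for i, (x, y) in enumerate(pairs) if x != y]

def collisions(candidate: str, registered: list) -> list:
    """Registered names the candidate is confusable with under fold()."""
    key = fold(candidate)
    return [r for r in registered if r != candidate and fold(r) == key]

if __name__ == "__main__":
    for name in NAMES:
        print(f"{name:12} {to_a_label(name):20} fold={fold(name)}")
    a, b = to_a_label(NAMES[0]), to_a_label(NAMES[2])
    # The two A-labels share the whole readable prefix and differ only in
    # the opaque tail, which is the part a person cannot proofread.
    print("A-labels differ at positions", differing_positions(a, b))
    print("registry check flags:", collisions(NAMES[2], NAMES[:2]))
```
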