[149691] in North American Network Operators' Group


Re: Dear RIPE: Please don't encourage phishing

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Feb 12 00:14:55 2012

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: Your message of "Sun, 12 Feb 2012 10:25:53 +0900."
 <4F371521.7090809@necom830.hpcl.titech.ac.jp>
From: Valdis.Kletnieks@vt.edu
Date: Sun, 12 Feb 2012 00:13:27 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> Valdis.Kletnieks@vt.edu wrote:
>
> > (The actual policy for the .UA registrar is more subtle. They *do* in fact
> > allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph
> > users.  However, they require at least one character that's visually unique to
> > Cyrillic in the domain name.
>
> Unique within what?
>
> Is a Cyrillic character, which looks like Latin E with diaeresis,
> a unique Cyrillic character?
>
> Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma,
> a unique Cyrillic character?
>
> Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE",
> a unique Greek character?

Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma
or Latin-E-with-diaeresis in domain names.  So you can't find a domain
bankname-containing-ghe.ua and spoof it with bankname-containing-gamma.ua.

I suppose you *could* find a 'greek-bankname-containing-gamma-and-only-chars-spoofable-in-cyrillic.gr'
and create a 'bankname-containing-ghe-and-cyrillic.ua'.  But quite frankly,
turning off IDN doesn't fix that problem - greekbank.gr is spoofable
by greekbank.ua and greekbank.com.  We *already* have companies
that will register 'foobar.com', 'foobar.net', 'foobar.org' and every other variant
they can to prevent squatters in the other TLDs.

> > They also don't allow mixed Cyrillic/Latin
> > scripts in one domain name).
>
> Is a Russian word containing no unique (unique to ASCII)
> Cyrillic characters encoded as Latin character using ASCII,
> even though a Russian word containing unique (whatever unique
> means) Cyrillic character encoded as Cyrillic characters?

No, it means you get to pick 'all-latin-chars.ua' or 'all-cyrillic-chars.ua'.
And due to the requirement that a cyrillic name have a special char
in it, you can't spoof an all-latin-chars.ua name.

> The only protection is to disable IDN.

You also have to ban the use of numbers in domain names, because you
need to prevent people being tricked by micros0ft.com and m1crosoft.com.

Good luck on that.

Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I
looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently using,
the two are pixel-identical).

I don't see anybody calling for the banning of 'i' and 'l' in domain names due to that.

It's interesting how some people are insisting that the IDN code has to be
*perfect* and make it *totally* impossible to create a phishable spoof of
a domain - but aren't willing to take the extra step of banning the characters
in the Latin ASCII charset that are spoofable.

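The two .ua rules described in the message above (no mixed Cyrillic/Latin labels, and at least one visually unique Cyrillic character in any Cyrillic label), written as a label check. This is an added example, not part of the original post and not the registry's code; the lookalike set, the function names and the sample labels are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: an illustrative set of Cyrillic small letters that render like
# Latin a, c, e, o, p, x, y, i, j, s. This is NOT the .ua registry's real table.
LATIN_LOOKALIKES = set(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u0458\u0455"
)
NEUTRAL = set("0123456789-")  # allowed in either kind of label


def classify(ch):
    """Return 'latin', 'cyrillic', 'neutral' or 'other' for one character."""
    if ch in NEUTRAL:
        return "neutral"
    if "a" <= ch <= "z":  # ASCII only: accented Latin letters count as 'other'
        return "latin"
    if unicodedata.name(ch, "").startswith("CYRILLIC SMALL LETTER"):
        return "cyrillic"
    return "other"  # Greek and everything else is outside the repertoire


def check_label(label):
    """Apply the two rules from the message to one label; return (ok, reason)."""
    label = unicodedata.normalize("NFC", label).lower()
    kinds = {classify(ch) for ch in label} - {"neutral"}
    if "other" in kinds:
        return False, "character outside the Latin/Cyrillic repertoire"
    if kinds == {"latin", "cyrillic"}:
        return False, "mixed Latin/Cyrillic scripts"
    if kinds == {"cyrillic"}:
        letters = [ch for ch in label if classify(ch) == "cyrillic"]
        if all(ch in LATIN_LOOKALIKES for ch in letters):
            return False, "no visually unique Cyrillic letter"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample labels, written with escapes so the script is visible.
    samples = [
        "example",                      # all Latin
        "\u0431\u0430\u043d\u043a",     # Cyrillic, contains U+0431 (unique)
        "\u0441\u0430\u0440\u0435",     # Cyrillic lookalikes only, reads "cape"
        "ex\u0430mple",                 # Latin with one Cyrillic U+0430
        "\u03b3\u03b1\u03bc\u03bc\u03b1",  # Greek
    ]
    for s in samples:
        print(ascii(s), check_label(s))
```
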


