[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] who should be doing IDN filtering

To: Paul Hoffman <phoffman@imc.org>
Subject: Re: [idn] who should be doing IDN filtering
From: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
Date: Thu, 17 Feb 2005 12:53:23 -0500 (EST)
Cc: IETF idn working group <idn@ops.ietf.org>
In-reply-to: <p0621028cbe3a784a6773@[10.20.30.249]>
References: <Pine.LNX.4.61.0502161902070.10267@localhost> <20050217095832.GD12777~@nicemice.net> <p0621028cbe3a784a6773@[10.20.30.249]>
Reply-to: froomkin@law.tm

Assuming we can't cut ICANN out of the picture, isn't one solution to lobby ICANN to allow for new TLDs with policies that forbid misleading IDNs and let the marketplace sort it out?

Maybe the IETF could issue a statement of some sort on the security implications of failing to allow such TLDs into the marketplace?

On Thu, 17 Feb 2005, Paul Hoffman wrote:

At 9:58 AM +0000 2/17/05, Adam M. Costello wrote:
I think registries should be doing filtering, but I don't think browsers
should depend on it, because it's already too late, as the paypal
example proves.  I think browsers (and in general, applications that
receive domain names from untrusted sources and display them to the user
as IDNs) ought to provide a second line of defense by trying to expose
suspicious domain names.
I fully agree with Adam here. If there is no way to enforce registries doing the right thing (and ICANN has shown no ability to enforce nearly anything), then relying on them for security is silly. This is particularly true if some registries pay more attention to their customers who want to pay for mixed-script domain names than they pay to ICANN.
> ...assuming we can make the language tag available via some dns tricks or
some API...
I don't see that happening.  The IDN working group decided quite
deliberately that domain names would not contain any meta-info like
language tags; they're just text strings.
Right. If you want to re-engineer the IDN bits-on-the-wire protocol in ways that were considered and rejected, feel free to submit a new Internet Draft and see if there is community interest.
Still, I expect that some not-terribly-complex heuristics, based only
on the bare character strings, could go a long way toward exposing
suspicious domain names.
Reducing phishing is sufficient because we can never eliminate it.
--Paul Hoffman, Director
--Internet Mail Consortium


--
http://www.icannwatch.org   Personal Blog: http://www.discourse.net
A. Michael Froomkin   |    Professor of Law    |   froomkin@law.tm
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |  +1 (305) 284-6506 (fax)  |  http://www.law.tm
                         -->It's cool here.<--

Follow-Ups:
- Re: [idn] who should be doing IDN filtering
  - From: John C Klensin <klensin@jck.com>

References:
- [idn] who should be doing IDN filtering
  - From: Eric Johanson <ericj@shmoo.com>
- Re: [idn] who should be doing IDN filtering
  - From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>
- Re: [idn] who should be doing IDN filtering
  - From: Paul Hoffman <phoffman@imc.org>

Prev by Date: Re: [idn] homograph attacks
Next by Date: Re: [idn] who should be doing IDN filtering
Previous by thread: Re: [idn] who should be doing IDN filtering
Next by thread: Re: [idn] who should be doing IDN filtering
Index(es):
- Date
- Thread