Re: [idn] quick & dirty (but not too dirty) homograph defense
Erik van der Poel <erik@vanderpoel.org> wrote:
> How do you propose to shut the phishers out of .com when a popular
> IDN plug-in (i-Nav) for the most popular browser (Microsoft Internet
> Explorer) is made by *VeriSign*, the very company that controls the
> .com registry?
If i-Nav leaves its users exposed to phishing attacks, and the users are
bothered by it, then I would expect them to switch to a different IDN
plug-in. isc.org released an alpha3 version of such a plug-in a year
ago, so maybe that could be whipped into shape quickly.
> Besides, in networking, it's better to be conservative. You don't
> start with a short blacklist and then grow it when you find others.
> No, you start with a whitelist, and grow that.
I agree, but in this case, we have already missed the start. If
we introduce a whitelist now, after IDN deployment is already well
underway, we are effectively punishing an unknown number of innocent
early adopters, which seems like a betrayal. If we had foreseen this
problem, we could have set up the whitelist in the beginning, and
registries & registrars would have known to get themselves added to the
whitelist before making any promises to their customers.
AMC