
Re: [idn] punctuation



Erik et al:

But even if we were to color the whole domain name:

foo.com|bar.baz.xx

The user might still think that this site is somehow related to foo.com and therefore safe (as was also pointed out). So you'd have to display the "unusual" characters like '|' differently. Or something. Sigh. Seems hopeless.

Yes, it may seem hopeless. I believe that the "fruit-loop" solution would fall short of expectations. However, browser makers may find opportunity in providing a more in-your-face homographic solution by analyzing URLs and alerting users of potential problems (i.e., beating them about the head). But this possibility/solution is beyond the scope of this group.


Are the phishers going to have a field day with IDN, or what?

Yes, they probably are going to have a field day, but I don't think there is much that can be done about that. Much of this problem will be dealt with in the courts -- where it should be.


As for end-users, remember less than ten years ago the average user didn't care squat about spam, but now they think differently. This homographic phenomenon will run its course as well and solutions will be found.

But is this problem really limited to IDN? What about the following legal ASCII DNS name:

foo.com--secure-user-services-and-products.tech-mecca.biz

Does this mean that we should try to switch left-to-right readers (most of the world) over to big-endian domain names? Please tell me I'm overreacting!

Possibly... but perhaps everyone is overreacting. IMO no safeguards will stop illegal use of anything. Stop signs don't stop everyone regardless of size, color, placement, fines, and laws regarding stop signs. Likewise, and no offense, the efforts of this group will be no different. There will be abuse regardless.


The most I think anyone can do is to focus on approaches like the "Delimiter solution" such as those noted at: http://nameprep.org/ Therein, I think there is solid logic in this approach.

You might even go after punctuation or symbols, but then there are honest reasons for people having punctuation and symbols in domain names -- do you want to prohibit them because of the possibility of abuse? Abuse, I might add, that could/should be dealt with via ICANN and/or the courts -- where both sides can present their arguments. Not everyone who uses a symbol in a domain name is wrong or is attempting to commit fraud.

For example, I have the domain "not-equal sign" dot com. Why? It seemed kind of neat at the time, and being disabled, I was thinking of using it as a discrimination related web site. But, I had a business approach me yesterday saying that they wanted to purchase the name because the design (the not-equal sign) resembles their product, which is a cat toy -- imagine that.

So, for what purpose/use can a symbol domain name be? It depends upon the market and regardless if you believe in, or approve of, market forces, there are honest reasons for such domain names. So, let's not throw the baby out with the bath water.

There are going to be many avenues for abuse, and I suspect many more than this group can imagine. I know that after reading: http://www.unicode.org/reports/tr36/tr36-2.html I was alerted to more than what I wanted to know. However, my advice (being one of the lesser thinkers in this group) is to concentrate on solid logic, like the delimiter argument, and not on what "may" happen.

I'm not saying "give up" -- I'm simply saying "don't overreact".

tedd
--
--------------------------------------------------------------------------------
http://sperling.com/
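
The kind of URL analysis the message suggests browser makers could do, sketched as an added example that is not part of the original message or of any browser's code. It is run over the two names quoted in the thread; the function names, the small `SUFFIXES` set and the "last two labels are the registered domain" rule are assumptions made for illustration (a real check would use the Public Suffix List).

```python
import unicodedata

# Assumption: tiny constructed suffix set; a real check would load the Public Suffix List.
SUFFIXES = {"com", "net", "org", "biz"}


def odd_chars(label):
    """Characters in a label that are punctuation, symbols or separators (hyphen excepted)."""
    return [c for c in label
            if c != "-" and unicodedata.category(c)[0] in "PSZ"]


def embedded_domain(labels):
    """Return the leading text that reads like a complete domain name, or None.

    Only labels to the left of the naive registered domain (the last two
    labels) are examined. If such a label is a known suffix, or starts with
    one followed by a non-alphanumeric character, the text up to that point
    reads as a finished domain name to a left-to-right reader.
    """
    for i in range(1, len(labels) - 2):
        label = labels[i]
        for suffix in SUFFIXES:
            rest = label[len(suffix):]
            if label.startswith(suffix) and (rest == "" or not rest[0].isalnum()):
                return ".".join(labels[:i] + [suffix])
    return None


def analyze_host(host):
    """Return a list of warnings for one hostname (an empty list means nothing was flagged)."""
    labels = host.lower().split(".")
    registered = ".".join(labels[-2:])  # naive assumption, see lead-in
    warnings = []
    for label in labels:
        bad = odd_chars(label)
        if bad:
            names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in bad)
            warnings.append(f"label {label!r} contains delimiter-like characters: {names}")
    looks_like = embedded_domain(labels)
    if looks_like and looks_like != registered:
        warnings.append(f"reads as {looks_like!r} but is registered under {registered!r}")
    return warnings


if __name__ == "__main__":
    for name in ("foo.com|bar.baz.xx",
                 "foo.com--secure-user-services-and-products.tech-mecca.biz"):
        print(name, analyze_host(name))
```

The ASCII-only name from the thread trips only the second check, which shows that the "reads as one domain, belongs to another" problem exists without any IDN characters at all.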