Forwarded Message from Neil Harris <neil@tonal.clara.co.uk> --- Fergie (Paul Ferguson) wrote:
...sez Vint...due to the prevalence of phishing:
http://www.msnbc.msn.com/id/8586332/
- ferg
Paul, I'm not registered as a poster on the Nanog list, so I thought I'd let you know that this problem is already well under control.

After extensive analysis and discussion, the Mozilla community and Opera have already produced a fix for this, based on only displaying Unicode IDN labels where the registry publishes and enforces well-defined anti-homograph policies, and displaying the Punycode equivalent otherwise. All that is needed is a couple of lines of code in the Punycode -> Unicode translation code in the application, and a whitelist of TLDs. See http://www.mozilla.org/projects/security/tld-idn-policy-list.html for more details.

This delegates the responsibility of catching homographs to the registries, rather than trying to catch them using ad-hoc heuristics at the browser end. In many cases, this can be as simple as restricting labels within a TLD to use a small set of non-confusable characters. In others, with wider character sets, techniques such as bundling and blocking sets of confusable labels using homograph tables can be used. RFC 3743 is a case in point.

For an excellent summary of the technical details, which is intended to help anyone attempting to eliminate homographs from a naming system, see the latest, much-expanded, version of Unicode TR #36, which also links to machine-readable confusables tables. http://www.unicode.org/reports/tr36/

Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of European ccTLDs, .museum, and .info. Any other registrars who want to be supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera counterpart, and give them a pointer to their anti-spoofing rules.

You might want to summarize to the list.

-- Neil
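The display rule Neil describes (decode xn-- labels to Unicode only when the TLD's registry is on a whitelist, otherwise leave the Punycode visible), as an added example that is not code from the message, from Mozilla or from Opera. The whitelist contents are illustrative, limited to the four TLDs the message names; the function names and the sample host names are constructed for this example, and the Python `punycode` codec stands in for the browser's own Punycode -> Unicode translation:

```python
# Added example: TLD-whitelist display rule for IDN labels.
# Not code from Neil's message, Mozilla or Opera; names and data are constructed.

# Constructed whitelist for illustration. The message names .cn, .tw, .museum and
# .info among the whitelisted TLDs; the authoritative list is the Mozilla URL above.
# Keys are the TLD label as received on the wire, lowercased.
IDN_DISPLAY_WHITELIST = frozenset({"cn", "tw", "museum", "info"})


def unicode_to_ace_label(label: str) -> str:
    """Encode one Unicode label to its ASCII-compatible form, xn--<punycode>.

    Used here only to build realistic input; a browser receives the xn-- form
    from the URL. Pure-ASCII labels are returned unchanged.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def ace_label_to_unicode(label: str) -> str:
    """Decode one xn-- label to Unicode; any other label passes through unchanged.

    A malformed Punycode payload is left in its xn-- form rather than guessed at.
    """
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label


def display_hostname(hostname: str, whitelist=IDN_DISPLAY_WHITELIST) -> str:
    """Return the form of `hostname` to show the user.

    The decision is made once per host name, on the TLD alone: if the registry
    behind that TLD is whitelisted, every xn-- label is decoded to Unicode;
    otherwise the host name is shown exactly as received, so a homograph label
    stays visibly xn--. No per-label heuristics are applied in the browser.
    """
    trailing_dot = hostname.endswith(".")
    labels = hostname.rstrip(".").split(".")
    tld = labels[-1].lower()
    if tld not in whitelist:
        return hostname
    decoded = ".".join(ace_label_to_unicode(label) for label in labels)
    return decoded + ("." if trailing_dot else "")


if __name__ == "__main__":
    # Constructed inputs: a genuine Cyrillic name, and a Latin name with one
    # Cyrillic letter swapped in ("p" + U+0430 + "ypal"), the classic homograph.
    samples = [
        unicode_to_ace_label("пример") + ".info",      # whitelisted TLD: decoded
        unicode_to_ace_label("пример") + ".com",       # not whitelisted: stays xn--
        unicode_to_ace_label("p\u0430ypal") + ".com",  # homograph, stays xn--
        "xn--@.info",                                  # malformed payload
        "example.com",                                 # plain ASCII
    ]
    for host in samples:
        print(f"{host:32} -> {display_hostname(host)}")
```

The point of keying on the TLD rather than inspecting the label is the one Neil makes: the browser only needs the whitelist and the existing Punycode decoder, and the work of deciding which labels are confusable is left to the registry's published policy for that TLD. A whitelisted TLD whose registry does not actually enforce its policy would still let a homograph through, which is why the list is maintained per registry rather than derived from the characters in the label.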