On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> Valdis.Kletnieks@vt.edu wrote:
> > (The actual policy for the .UA registrar is more subtle. They *do* in fact allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph users. However, they require at least one character that's visually unique to Cyrillic in the domain name.
> Unique within what?
> Is a Cyrillic character, which looks like Latin E with diaeresis, a unique Cyrillic character?
> Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma, a unique Cyrillic character?
> Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE", a unique Greek character?
Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma or Latin-E-with-diaeresis in domain names. So you can't find a domain bankname-containing-ghe.ua and spoof it with bankname-containing-gamma.ua. I suppose you *could* find a 'greek-bankname-containing-gamma-and-only-chars-spoofable-in-cyrillic.gr' and create a 'bankname-containing-ghe-and-cyrillic.ua'. But quite frankly, turning off IDN doesn't fix that problem - greekbank.gr is spoofable by greekbank.ua and greekbank.com. We *already* have companies that will register 'foobar.com', 'foobar.net', 'foobar.org' and every other variant they can to prevent squatters in the other TLDs.
> > They also don't allow mixed Cyrillic/Latin scripts in one domain name).
> Is a Russian word containing no unique (unique to ASCII) Cyrillic characters encoded as Latin character using ASCII, even though a Russian word containing unique (whatever unique means) Cyrillic character encoded as Cyrillic characters?
No, it means you get to pick 'all-latin-chars.ua' or 'all-cyrillic-chars.ua'. And due to the requirement that a Cyrillic name have a special char in it, you can't spoof an all-latin-chars.ua name.
> The only protection is to disable IDN.
You also have to ban the use of numbers in domain names, because you need to prevent people being tricked by micros0ft.com and m1crosoft.com. Good luck on that. Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently using, the two are pixel-identical). I don't see anybody calling for the banning of 'i' and 'l' in domain names due to that. It's interesting how some people are insisting that the IDN code has to be *perfect* and make it *totally* impossible to create a phishable spoof of a domain - but aren't willing to take the extra step of banning the characters in the Latin ASCII charset that are spoofable.
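
The registration rule described in this message (ASCII-Latin-only or Cyrillic-only labels, no mixing, and a Cyrillic label needs at least one letter with no Latin look-alike), sketched as a label check. This is an added example, not code from the thread or from the .UA registry; the look-alike set, the function names and the sample labels are assumptions constructed for illustration.

```python
import string
import unicodedata

# Assumption: Cyrillic lowercase letters treated as visually identical to a
# Latin letter (U+0441 ES is the one named in the message). Illustrative set,
# not the registry's real table.
LATIN_LOOKALIKES = set("\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u0458\u0455")
NEUTRAL = set(string.digits + "-")  # allowed alongside either script


def script_of(ch):
    """Coarse script class of one lowercase character."""
    if ch in string.ascii_lowercase:
        return "LATIN"
    if unicodedata.name(ch, "").startswith("CYRILLIC"):
        return "CYRILLIC"
    return "OTHER"  # Greek, accented Latin, anything else


def check_label(label):
    """Return (accepted, reason) for one domain label under the described rule."""
    letters = [c for c in label.lower() if c not in NEUTRAL]
    scripts = {script_of(c) for c in letters}
    if "OTHER" in scripts:
        return False, "character outside ASCII Latin and Cyrillic"
    if scripts == {"LATIN", "CYRILLIC"}:
        return False, "mixed Latin/Cyrillic"
    if scripts == {"CYRILLIC"} and all(c in LATIN_LOOKALIKES for c in letters):
        return False, "no visually unique Cyrillic character"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample labels, written with escapes so the script is visible.
    samples = [
        "example",                    # all ASCII Latin
        "\u0441\u043e\u0441\u043e",   # Cyrillic es-o-es-o, renders like "coco"
        "\u0431\u0430\u043d\u043a",   # Cyrillic "bank", contains U+0431 BE
        "b\u0430nk",                  # Latin with a Cyrillic A mixed in
        "\u03b3amma",                 # Greek gamma plus Latin
        "m1crosoft",                  # ASCII digit-for-letter swap
    ]
    for s in samples:
        print(ascii(s), check_label(s))
```

The last sample is accepted, which matches the point made above: a script rule does nothing about look-alikes that already exist inside ASCII.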