On Sat, Feb 11, 2012 at 11:13 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
Valdis.Kletnieks@vt.edu wrote:
It's interesting how some people are insisting that the IDN code has to be *perfect* and make it *totally* impossible to create a phishable spoof of a domain - but aren't willing to take the extra step of banning the characters in the Latin ASCII charset that are spoofable. [snip]
There aren't really any characters in the Latin ASCII charset that are so spoofable. 0 and O, |, I, l, and 1 do come close, depending on the font chosen. This is easily avoidable: because there are so few spoofable characters, you can easily just avoid using a spoofable one in your domain name, or register all variants. These are minor compared to the issues you get expanding the possible URL character sets to all of Unicode, through IDN support. The extended character sets available under IDN provide a large number of spoofable characters from various different charsets that are indistinguishable.

For phishing to not be a serious risk, IDN implementations have to have some kind of security policy. A start would be: don't display IDN characters unless they are within a character set the user is expected to be familiar with. For example, for a web browser that ships in North America, only the locally relevant IDN character sets should be enabled by default. If you should want to see IDN characters from Cyrillic character sets, or Chinese ideographs, there should be a requirement that you very deliberately install support for the specific character set you need. Or install a localized browser that has the specific IDN charsets allowed by policy.

There should also be a browser-enforced policy that different charsets cannot be mixed in the same domain name. Then any increase in phishing risk is limited to regions / language-localized browsers where the character set with spoofable characters makes sense and is in common use.

Ideally there should be a table of every pair of characters that "look somewhat similar to each other" in every character set, and every registrar ensuring appearance uniqueness for every new domain registration.

--
-JH
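The display policy sketched in the reply above (render the Unicode form of a label only when all of its letters come from a single script the user is expected to know, otherwise fall back to the Punycode form), as an added Python example that is not part of this thread. The script classification is a heuristic on Unicode character names rather than the real Unicode Script property, and the sample domains are constructed.

```python
import unicodedata

# Digits and the hyphen belong to no script and may sit beside any letters.
COMMON = {"DIGIT", "HYPHEN-MINUS"}

def scripts_of(label: str) -> set:
    """Heuristic script classification: the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, CJK, ...). Browsers use the real
    Unicode Script property; this approximation is enough to show the rule."""
    scripts = set()
    for ch in label:
        word = unicodedata.name(ch, "UNKNOWN").split()[0]
        if word not in COMMON:
            scripts.add(word)
    return scripts

def to_unicode(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label

def to_ascii(label: str) -> str:
    """Encode a U-label to its Punycode A-label."""
    return label.encode("idna").decode("ascii")

def display_label(label: str, allowed_scripts: set) -> str:
    """Form a UI should render: the readable Unicode label only when every
    letter comes from a single script in allowed_scripts, otherwise the
    Punycode form so that no look-alike glyphs are drawn."""
    uni = to_unicode(label)
    if uni.isascii():          # plain ASCII label: nothing to decide
        return uni
    scripts = scripts_of(uni)
    if len(scripts) != 1 or not scripts <= allowed_scripts:
        return to_ascii(uni)   # mixed script or unfamiliar script
    return uni

def display_domain(domain: str, allowed_scripts: set) -> str:
    """Apply the per-label policy to every label of a domain name."""
    return ".".join(display_label(l, allowed_scripts) for l in domain.split("."))

if __name__ == "__main__":
    # Constructed samples: Latin with a diacritic, pure Cyrillic, and Latin
    # "paypal" with a Cyrillic small a (U+0430) in second position.
    for name in ("münchen.example", "пример.example", "p\u0430ypal.example"):
        print(name, "->", display_domain(name, {"LATIN"}))
```

With only LATIN allowed, the first sample is shown as-is while the other two fall back to their xn-- forms; allowing CYRILLIC as well unlocks the pure-Cyrillic name but still hides the mixed-script one.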