I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site.
There are dozens of ways we know of, and probably more that lie undiscovered, to exploit vulnerabilities in DNS, browsers, and in human nature to conduct phishing.
Sure, there are bugs and hacks. The existence of such does not justify approving new measures (in this case, a glaring security hole) as a global standard. In fact, quite the opposite: folks are generally trying to fix such problems, not push them forward in public policy agenda. It's clear that no one intended for the side effect of a complete meltdown in the user layer of SSL (where the only thing you can do is double-check the URL in your browser and verify there's a padlock icon in your status bar), but the side effect is there and it's naive to pretend that fairness to non-English folks or globalization justifies a hole this large. Certainly, the vulnerability is just as much a problem for the targeted benefactors of this change. -Jason -- Jason Sloderbeck Positive Networks jason @ positivenetworks . net -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Crist Clark Sent: Monday, July 18, 2005 4:43 PM Cc: NANOG Subject: Re: Non-English Domain Names Likely Delayed Isn't someone more eloquent than I going to point out that that spending a lot of effort eliminating homographs from DNS to stop phishing is a security measure on par with cutting cell service to underground trains to prevent bombings? It focuses on one small vulnerability that phishers exploit, and "fixing" this one vulnerability just may make things worse. It wastes resources that could go to coming up with a *real* solution, and it may provide a false sense of security. Worrying about homographs is probably something about which we should let the trademark lawyers get there undies in a bunch (knowing ICANN, that may very well be what's driving this, not phishing worries) while the IT security community concerns itself with a usable, and actually secure, end-to-end security model for e-commerce. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387