On 19-jul-2005, at 15:03, Brad Knowles wrote:
The public key crypto that powers the authentication in SSL.
But that has nothing to do with the DNS.
:-) That's exactly the point: DNS tricks won't buy you anything (except denial of service) in the presence of SSL.
"Protecting" users against the fact that similar looking/sounding names actually map to completely different things ultimately can't be done, so it's better to not do it at all so users get burned by relatively harmless examples of this phenomenon (www.gougle.com and the like) so they understand it and foster the appropriate level of distrust.
Actually, that's a statement that I can agree with.
Excellent.
My point was that, if you're going to try to protect the users against homophone/homograph attacks, you need to do it in a standardized way.
And my point is, that in the absence of a standardized way a non-standardized way will do temporarily.
Moreover, the standards for controlling that need to be held by separate entities from those who are creating the tools which will implement those standards -- witness Microsoft's recent downgrading of Claria/Gator as a malware vendor, simply because they're looking at buying the company.
Sure, why not. I'm not convinced it will help, though. (Giving in to the conspiracy theorists doesn't work: they'll just think it's a conspiracy.)