RE: Non-English Domain Names Likely Delayed
I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site.
There are dozens of ways we know of, and probably more that lie undiscovered, to exploit vulnerabilities in DNS, browsers, and in human nature to conduct phishing.
Sure, there are bugs and hacks. The existence of such does not justify approving new measures (in this case, a glaring security hole) as a global standard. In fact, quite the opposite: folks are generally trying to fix such problems, not push them forward in public policy agenda. It's clear that no one intended for the side effect of a complete meltdown in the user layer of SSL (where the only thing you can do is double-check the URL in your browser and verify there's a padlock icon in your status bar), but the side effect is there and it's naive to pretend that fairness to non-English folks or globalization justifies a hole this large. Certainly, the vulnerability is just as much a problem for the targeted benefactors of this change. -Jason -- Jason Sloderbeck Positive Networks jason @ positivenetworks . net -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Crist Clark Sent: Monday, July 18, 2005 4:43 PM Cc: NANOG Subject: Re: Non-English Domain Names Likely Delayed Isn't someone more eloquent than I going to point out that that spending a lot of effort eliminating homographs from DNS to stop phishing is a security measure on par with cutting cell service to underground trains to prevent bombings? It focuses on one small vulnerability that phishers exploit, and "fixing" this one vulnerability just may make things worse. It wastes resources that could go to coming up with a *real* solution, and it may provide a false sense of security. Worrying about homographs is probably something about which we should let the trademark lawyers get there undies in a bunch (knowing ICANN, that may very well be what's driving this, not phishing worries) while the IT security community concerns itself with a usable, and actually secure, end-to-end security model for e-commerce. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
On 18 Jul 2005, at 18:43, Jason Sloderbeck wrote:
I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site.
If I was feeling especially cynical (and hey, who isn't on a Monday?) I'd say that the validity of an SSL site is a lot harder to judge than people think, and a savvy IT user would do well to trust very few of them. For a well-known common name with a global reputation, you might have a reasonable expectation that a successful wander down a certificate chain might be worth trusting: a CA would have to be fairly remiss to issue a certificate to some random customer who claimed to be Amazon or Microsoft (or Amäzon or Micrøsoft, for that matter). However, when it comes to a web store whose name isn't well-known, "good certificate" frequently means little more than "the operator of the site is able to mark up some letterhead and send a fax". And of course, nobody here would be guilty of clicking "accept" on a warning that the validity of a self-signed certificate cannot be determined. Thought not. Maybe a bit of healthy distrust is overdue for injection into the CA economy. Joe
participants (2)
-
Jason Sloderbeck -
Joe Abley