From: Neil Harris (neil@tonal.clara.co.uk)
Date: Mon Feb 14 2005 - 09:40:07 CST
Gregg Reynolds wrote:
> Asmus Freytag wrote:
>
>> At 06:29 PM 2/12/2005, Christopher Fynn wrote:
>>
>>> If there were a list of homographs maybe they could be treated as
>>> aliases for the purpose of URLs and domain name registration - so
>>> IRAQ.COM with a Latin Q and IRAQ.COM with a Kurdish Q would point to
>>> the same address.
>>>
>>> Registering a name containing a character or characters in the
>>> homograph list would automatically get you all the variants too.
>>
>>
>>
>> We discussed this issue during a break at the UTC last week, and I
>> suggested pretty much the same thing. Rather than a true *homograph*
>> mapping, what's needed is a *confusables folding*.
>>
>> If registration authorities could be convinced to use that to block
>> all 'look-alike' registrations, the playground for phishers would
>> shrink dramatically.
>
>
> Hmmm, that sounds like trouble, putting that kind of authority into
> the hands of private companies accountable to nobody. It's just
> asking for lawsuits; one man's look-alike pair is another's apples and
> oranges.
>
> A list of confusables would be useful, but I'm not so sure it's within
> the scope of a standards activity. The marketplace would produce a
> better one, faster, and put it to better use, if it were really
> needed. BTW, is there any real, hard evidence that this is truly a
> problem and not just a scare? I've rec'd lots of phishing stuff, and
> warnings against it are all over the web, but I have yet to hear a
> single instance of somebody actually falling for it and losing money.
> No doubt it's happened, but where are the data?
>
> I wonder if something akin to PKI keyservers could be used to address
> the problem. You submit a url to a URL disambiguation server and in
> return you get a list of look-alike urls, so the browser doesn't have
> to do it. Such a list could be automatically generated or populated by
> interested parties, like paypal. You could add some sort of info to
> assist in authentication. Such a server could also automatically
> detect possibly fraudulent sites - if the html of both paypa1 and
> paypal contain lots of "paypal" strings, then one or both can be
> marked suspicious. Browsers then do something sensible with the
> info. Google could probably implement something like that overnight.
> Maybe it should be a new protocol.
>
> -g
>
>
That involves
1. Creating a new protocol, getting it through the various standards
bodies, or getting software vendors to agree on a de-facto protocol
2. Making someone responsible for serving the warnings (who's going to
bear the legal liability?)
3. Choosing who to believe out of the various warning providers (where
is the chain of trust?)
4. Making all this a continuously available, fault-tolerant, globally
accessible service, scalable to billions of daily hits.
5. Preventing the new mechanism from becoming, of itself, another new
way of generating denial of service attacks or spoofing attacks (by, for
example, saying that the spoofed site is the real one, and the real one
the spoofed one)
Remember that things like PKI support for DNS and IPv6 have been
standardized for years, and are only just beginning to be rolled out.
Putting all those problems together makes me think that this is unlikely
to be a workable proposal.
-- Neil
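
Added example, not part of the original message or of any registry's software: a sketch of the registration-time "confusables folding" discussed in the quoted text, where look-alike spellings fold to one key, become aliases for the first registrant and are blocked for anyone else. The CONFUSABLES table, the Registry class and the owner names are constructed for illustration; a real deployment would need a complete, reviewed confusables table.

```python
import unicodedata

# Constructed sample table, NOT a complete confusables list: each
# look-alike character maps to one representative character.
CONFUSABLES = {
    "1": "l",        # digit one vs. lowercase L (paypa1 / paypal)
    "0": "o",        # digit zero vs. lowercase O
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u051b": "q",   # CYRILLIC SMALL LETTER QA (Kurdish Cyrillic Q)
}


def fold(label):
    """Return the confusables-folded form of a domain label."""
    text = unicodedata.normalize("NFKC", label).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


class Registry:
    """Toy registry keyed on the folded label (hypothetical design)."""

    def __init__(self):
        # folded label -> (owner, set of spellings registered so far)
        self._by_fold = {}

    def register(self, label, owner):
        key = fold(label)
        holder = self._by_fold.get(key)
        if holder is None:
            self._by_fold[key] = (owner, {label})
            return "registered"
        if holder[0] != owner:
            # A different party asks for a look-alike: refuse it.
            return "blocked: look-alike of " + sorted(holder[1])[0]
        holder[1].add(label)   # same owner: record the variant as an alias
        return "alias"

    def resolve(self, label):
        """Every variant spelling resolves to the one registrant."""
        holder = self._by_fold.get(fold(label))
        return holder[0] if holder else None
```
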
This archive was generated by hypermail 2.1.5 : Mon Feb 14 2005 - 09:41:03 CST