From: Shawn Steele (email@example.com)
Date: Mon Feb 14 2005 - 01:29:23 CST
> Um, this is actually a very *good* idea, I think. If I'm about to click
> on "paypal.com" and my browser shows me (on the status line, where I
> always look, or else in a tooltip) that I'm about to go to
> xn--paypl-7ve.com, that probably is a pretty good warning.
That seems like a pretty US-centric approach. For some countries lots of names will probably end up looking like xn--gibberish, and in those cases it'll be pretty much impossible for the user to know if xn--min-dma.com and xn--min-8la.com are different or not. Many wouldn't even have any Latin in the punycode name. So while flagging non-ASCII domains might help some people, it won't help everyone.
> I fear that all of these ideas for issuing warnings or marking the
> dubious constructs in some browser status region are only going to
> be of help to the small percentage of people who are savvy enough
> to understand the problem.
I have a similar fear. Suppose we (the software, registrars, etc) manage to prevent 99% of the look-alike names from being registered or being used or whatever. The "bad guys" aren't going to restrict themselves to the 99% of cases that manage to get caught. Rather they are going to find that 1 character that was overlooked and take advantage of that.
If we've trained the users that we catch bad URLs and they get a warning or it's not registerable or whatever, then we've told the users that they can trust the names they see. So then the URL spoofing attack is even worse because users won't be wary of it. Unfortunately it'll be hard to train the non-technical users to be careful, just as it is with e-mail phishing attacks.
Personally I'm not worried about following links on the web. If I visit an untrusted site and it has a link to some other site, there's no way I can tell if that site is trustworthy or not. IDN names won't change that. If some site mentions an auction or paypal notice or whatever, I might follow the link, but I'm going to type in the URL myself before I enter personal information. (I confess that I have followed links to amazon after seeing a book review, so I should probably be more careful about that myself.)
A coworker wondered out loud about some sort of certificate that would let you know a web site was who it said it was. That would move the burden of name verification to a certificate authority instead of the registrar or the client, so that idea might not help much, but it might be worth further consideration. Hopefully a certificate authority would have more of an inclination to see if the name was fishy.
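The three xn-- names quoted in this message, decoded with an added Python example (not part of the original mail or of any browser's code): it shows why displaying the punycode form helps for the mixed-script paypal spoof but gives a reader nothing to compare for xn--min-dma versus xn--min-8la, and applies the single-script rule a client might use to decide which form to show. The script classification is an assumption of this example, derived from Unicode character names rather than a real Script property or confusable table.

```python
import unicodedata

# Constructed sample labels: the three names quoted in the thread plus plain ASCII.
SAMPLE_LABELS = ["paypal", "xn--paypl-7ve", "xn--min-dma", "xn--min-8la"]

# Character-name prefixes treated as script-neutral ("Common") by this demo.
COMMON = {"DIGIT", "HYPHEN-MINUS"}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; labels without xn-- pass through."""
    if label.lower().startswith("xn--"):
        # Python's built-in punycode codec implements RFC 3492 for the label tail.
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(text: str) -> set:
    """Approximate the set of scripts used in text.

    Assumption: the first word of the Unicode character name ("LATIN",
    "CYRILLIC", ...) stands in for the script; digits and hyphen are ignored.
    """
    scripts = set()
    for ch in text:
        first = unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
        if first not in COMMON:
            scripts.add(first)
    return scripts


def display_form(label: str) -> str:
    """Single-script labels are shown decoded; mixed-script ones keep the xn-- form.

    The punycode form is only a useful warning in the mixed case: for two
    all-Latin names such as xn--min-dma and xn--min-8la the decoded accents
    are the only thing a reader can actually compare.
    """
    decoded = decode_label(label)
    if len(scripts_in(decoded)) > 1:
        return label
    return decoded


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        decoded = decode_label(label)
        print(f"{label:16} -> {decoded!r:12} scripts={sorted(scripts_in(decoded))} shown as {display_form(label)!r}")
```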
This archive was generated by hypermail 2.1.5 : Mon Feb 14 2005 - 01:29:30 CST