Re: IDN problem.... :(

From: Gregg Reynolds
Date: Mon Feb 14 2005 - 08:11:46 CST


    Asmus Freytag wrote:
    > At 06:29 PM 2/12/2005, Christopher Fynn wrote:
    >> If there were a list of homographs maybe they could be treated as aliases
    >> for the purpose of URLs and domain name registration - so IRAQ.COM
    >> with a Latin Q and IRAQ.COM with a Kurdish Q would point to the same
    >> address.
    >> Registering a name containing a character or characters in the
    >> homograph list would automatically get you all the variants too.
    > We discussed this issue during a break at the UTC last week, and I
    > suggested pretty much the same thing. Rather than a true *homograph*
    > mapping, what's needed is a *confusables folding*.
    > If registration authorities could be convinced to use that to block all
    > 'look-alike' registrations, the playground for phishers would shrink
    > dramatically.

    Hmmm, that sounds like trouble, putting that kind of authority into the
    hands of private companies accountable to nobody. It's just asking for
    lawsuits; one man's look-alike pair is another's apples and oranges.

    A list of confusables would be useful, but I'm not so sure it's within
    the scope of a standards activity. The marketplace would produce a
    better one, faster, and put it to better use, if it were really needed.
    BTW, is there any real, hard evidence that this is truly a problem and
    not just a scare? I've rec'd lots of phishing stuff, and warnings
    against it are all over the web, but I have yet to hear a single
    instance of somebody actually falling for it and losing money. No doubt
    it's happened, but where are the data?

    I wonder if something akin to PKI keyservers could be used to address
    the problem. You submit a url to a URL disambiguation server and in
    return you get a list of look-alike urls, so the browser doesn't have to
    do it. Such a list could be automatically generated or populated by
    interested parties, like paypal. You could add some sort of info to
    assist in authentication. Such a server could also automatically detect
    possibly fraudulent sites - if the html of both paypa1 and paypal
    contain lots of "paypal" strings, then one or both can be marked
    suspicious. Browsers then do something sensible with the info. Google
    could probably implement something like that overnight. Maybe it should
    be a new protocol.
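
The confusables folding and look-alike lookup discussed in this thread, as an added Python sketch that is not code from any of the posters. The fold table is a small constructed subset (a real deployment would load a maintained confusables list), and `skeleton` and `LookalikeIndex` are hypothetical names.

```python
import unicodedata
from collections import defaultdict

# Constructed, deliberately tiny fold table (assumption, for illustration only).
CONFUSABLE_FOLD = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u051b": "q",  # CYRILLIC SMALL LETTER QA (the "Kurdish Q")
    "1": "l",       # digit one vs. lowercase L
    "0": "o",       # digit zero vs. lowercase O
}


def skeleton(label: str) -> str:
    """Fold a domain label to a comparison key; look-alikes share one key.

    The key is lossy and is only ever compared, never displayed or resolved.
    """
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(CONFUSABLE_FOLD.get(ch, ch) for ch in folded)


class LookalikeIndex:
    """Hypothetical registry-side index keyed by skeleton."""

    def __init__(self):
        self._labels = defaultdict(set)

    def lookalikes(self, label: str) -> list:
        """Known labels with the same skeleton as `label`, excluding itself."""
        return sorted(self._labels.get(skeleton(label), set()) - {label})

    def register(self, label: str) -> bool:
        """Accept `label` only if no known label folds to the same skeleton."""
        key = skeleton(label)
        if self._labels.get(key):
            return False  # blocked: collides with an existing registration
        self._labels[key].add(label)
        return True
```

The same `lookalikes` query serves both ideas in the thread: a registry can refuse a registration when it returns anything, and a lookup service can hand the list back to a browser.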

