From: Gregg Reynolds (unicode@arabink.com)
Date: Mon Feb 14 2005 - 08:11:46 CST
Asmus Freytag wrote:
> At 06:29 PM 2/12/2005, Christopher Fynn wrote:
>
>> If there were a list of homographs maybe they could be treated as aliases
>> for the purpose of URLs and domain name registration - so IRAQ.COM
>> with a Latin Q and IRAQ.COM with a Kurdish Q would point to the same
>> address.
>>
>> Registering a name containing a character or characters in the
>> homograph list would automatically get you all the variants too.
>
>
> We discussed this issue during a break at the UTC last week, and I
> suggested pretty much the same thing. Rather than a true *homograph*
> mapping, what's needed is a *confusables folding*.
>
> If registration authorities could be convinced to use that to block all
> 'look-alike' registrations, the playground for phishers would shrink
> dramatically.
Hmmm, that sounds like trouble, putting that kind of authority into the
hands of private companies accountable to nobody. It's just asking for
lawsuits; one man's look-alike pair is another's apples and oranges.
A list of confusables would be useful, but I'm not so sure it's within
the scope of a standards activity. The marketplace would produce a
better one, faster, and put it to better use, if it were really needed.
BTW, is there any real, hard evidence that this is truly a problem and
not just a scare? I've rec'd lots of phishing stuff, and warnings
against it are all over the web, but I have yet to hear a single
instance of somebody actually falling for it and losing money. No doubt
it's happened, but where are the data?
I wonder if something akin to PKI keyservers could be used to address
the problem. You submit a URL to a disambiguation server and in
return you get a list of look-alike urls, so the browser doesn't have to
do it. Such a list could be automatically generated or populated by
interested parties, like paypal. You could add some sort of info to
assist in authentication. Such a server could also automatically detect
possibly fraudulent sites - if the html of both paypa1 and paypal
contain lots of "paypal" strings, then one or both can be marked
suspicious. Browsers then do something sensible with the info. Google
could probably implement something like that overnight. Maybe it should
be a new protocol.
-g
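The "confusables folding" Asmus describes and the paypa1/paypal check Gregg sketches can both be shown with a small folding routine. The following is an added example, not code from this thread or from any Unicode Consortium data: the CONFUSABLES table is a constructed handful of entries (digits and a few Cyrillic and Greek letters folded to Latin), chosen only to illustrate the idea, and the function names are hypothetical. It normalizes a label (NFKC, case folding), folds each character to its skeleton form, and then asks the two defensive questions a registrar or a browser would ask: does the folded form collide with an already-registered label, and does the label mix scripts?

```python
import unicodedata

# Constructed, illustrative confusables table (assumption: a tiny subset,
# not the real Unicode confusables data). Each key folds to a Latin form.
CONFUSABLES = {
    "1": "l",        # DIGIT ONE vs. lowercase L (paypa1 / paypal)
    "0": "o",        # DIGIT ZERO vs. lowercase O
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u051b": "q",   # CYRILLIC SMALL LETTER QA (the "Kurdish Q" of the thread)
    "\u03bf": "o",   # GREEK SMALL LETTER OMICRON
}

# Script names recognised from the first word of a character's Unicode name.
# Digits, hyphens and other "common" characters are not counted as a script.
SCRIPT_WORDS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def skeleton(label: str) -> str:
    """Fold a domain label to its confusables skeleton.

    NFKC collapses compatibility forms (e.g. fullwidth letters) first,
    casefold removes case, then each character is mapped through the table.
    Two labels with the same skeleton are look-alikes of each other.
    """
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def is_confusable(a: str, b: str) -> bool:
    """True when two *different* labels fold to the same skeleton."""
    return a != b and skeleton(a) == skeleton(b)


def scripts(label: str) -> set:
    """Return the set of scripts used in the label (common characters excluded)."""
    found = set()
    for ch in unicodedata.normalize("NFKC", label):
        word = unicodedata.name(ch, "").split(" ")[0]
        if word in SCRIPT_WORDS:
            found.add(word)
    return found


def find_lookalikes(candidate: str, registered: list) -> list:
    """Registered labels that a candidate registration would be confusable with."""
    return [r for r in registered if is_confusable(candidate, r)]


def review(candidate: str, registered: list) -> list:
    """Registrar-side check: a list of reasons to hold the registration.

    An empty list means the candidate neither collides with an existing
    label after folding nor mixes scripts within one label.
    """
    reasons = []
    hits = find_lookalikes(candidate, registered)
    if hits:
        reasons.append("folds to the same skeleton as: " + ", ".join(hits))
    used = scripts(candidate)
    if len(used) > 1:
        reasons.append("mixes scripts within one label: " + ", ".join(sorted(used)))
    return reasons


if __name__ == "__main__":
    # Constructed sample registry and candidate labels.
    registry = ["paypal", "iraq", "example"]
    for cand in ["paypa1", "p\u0430ypal", "ira\u051b", "unrelated"]:
        print(repr(cand), "->", skeleton(cand), review(cand, registry))
```

The same `skeleton()` function is what a disambiguation server of the kind Gregg proposes would compute: given a URL's host label, it can return every registered label sharing that skeleton, and the browser only has to compare strings.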
This archive was generated by hypermail 2.1.5 : Mon Feb 14 2005 - 08:11:56 CST