RE: Phishing and enforcing Confusables.txt

From: Shawn Steele (
Date: Mon Nov 29 2010 - 15:11:44 CST

  • Next message: M.-A. Lemburg: "Unihan number types and values"

    ICANN cannot control what the registrars do, and the registrars have varying policies around names. Some are much more restrictive or lax than others.

    Basically, you cannot assume that a domain name is "secure" from phishing based on the name itself. Regardless of homographs. You & I probably realize that "" isn't really "safe". My grandma or father --- not so much. Homographs might be mildly interesting as a possible indicator of an attack, but 99.999999% of the current phishing attacks don't use a real "homograph".

    Whitelists/blacklists/trusted certificates, etc, are all much more reliable indicators.


    -----Original Message-----
    From: Shriramana Sharma []
    Sent: Monday, November 29, 2010 12:01 PM
    To: Mark Davis ☕; Shawn Steele; UnicoDe List
    Cc: Mani Manivannan
    Subject: Re: Phishing and enforcing Confusables.txt

    On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕ <> wrote:
    > By "registry" I mean at any level. So just as .com regulates
    > everything of the form, the entity responsible for
    > controls everything of the form Thus
    > there are literally millions of registries.

    Just so that nobody gets frightened and accuses Unicode of making security problems for their script -- the above comment only means that for all (of the millions of) websites the owners of have the power to ensure that is NOT confusable with And the .com registry owners have the same power to ensure that is not confusable with

    Now the question is, is there only one owner of .com? ICANN? Who?

    If this entity chooses to enforce confusables (does it?) then
    *wherever* a domain is registered it cannot be confusable with an existing domain name? To be precise, if my old example of ಅರಗ.com is registered in India, then అరగ.com cannot be registered *anywhere in the world*?

    Is that right? The above is what is desired to avoid phishing...


    This archive was generated by hypermail 2.1.5 : Mon Nov 29 2010 - 15:14:56 CST