RE: Phishing and enforcing Confusables.txt

From: Shawn Steele (Shawn.Steele@microsoft.com)
Date: Mon Nov 29 2010 - 15:11:44 CST


    ICANN cannot control what the registrars do, and the registrars have varying policies around names. Some are much more restrictive or lax than others.

    Basically, you cannot assume that a domain name is "secure" from phishing based on the name itself. Regardless of homographs. You & I probably realize that "paypal.safe.com" isn't really "safe". My grandma or father --- not so much. Homographs might be mildly interesting as a possible indicator of an attack, but 99.999999% of the current phishing attacks don't use a real "homograph".

    Whitelists/blacklists/trusted certificates, etc., are all much more reliable indicators.

    -Shawn

    -----Original Message-----
    From: Shriramana Sharma [mailto:samjnaa@gmail.com]
    Sent: Monday, November 29, 2010 12:01 PM
    To: Mark Davis ☕; Shawn Steele; UnicoDe List
    Cc: Mani Manivannan
    Subject: Re: Phishing and enforcing Confusables.txt

    On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕ <mark@macchiato.com> wrote:
    > By "registry" I mean at any level. So just as .com regulates
    > everything of the form xxx.com, the entity responsible for
    > .blogspot.com controls everything of the form xxx.blogspot.com. Thus
    > there are literally millions of registries.

    Just so that nobody gets frightened and accuses Unicode of making security problems for their script -- the above comment only means that for all (of the millions of) websites example.com the owners of example.com have the power to ensure that XXX.example.com is NOT confusable with YYY.example.com. And the .com registry owners have the same power to ensure that example.com is not confusable with example2.com...

    Now the question is, is there only one owner of .com? ICANN? Who?

    If this entity chooses to enforce confusables (does it?) then *wherever* a domain is registered it cannot be confusable with an existing domain name? To be precise, if my old example of ಅರಗ.com is registered in India, then అరగ.com cannot be registered *anywhere in the world*?

    Is that right? The above is what is desired to avoid phishing...

    Shriramana.
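An added example (not part of this thread) that makes the registry-level check discussed above concrete: a UTS #39-style skeleton comparison over a small constructed subset of confusable mappings (not the real Confusables.txt), applied to the Kannada/Telugu labels from the thread and to the "paypal.safe.com" case. The `check_registration` policy and the script heuristic based on Unicode character names are assumptions for illustration, not anything a registry actually runs.

```python
import unicodedata

# Constructed, illustrative subset of confusable mappings (source char ->
# prototype). NOT the real Confusables.txt, which maps thousands of chars.
CONFUSABLES = {
    "\u0C05": "\u0C85",  # TELUGU LETTER A   -> KANNADA LETTER A
    "\u0C30": "\u0CB0",  # TELUGU LETTER RA  -> KANNADA LETTER RA
    "\u0C17": "\u0C97",  # TELUGU LETTER GA  -> KANNADA LETTER GA
    "\u0430": "a",       # CYRILLIC SMALL A  -> LATIN a
    "\u0440": "p",       # CYRILLIC SMALL ER -> LATIN p
    "\u0443": "y",       # CYRILLIC SMALL U  -> LATIN y
    "1": "l",            # DIGIT ONE         -> LATIN l
}


def skeleton(label: str) -> str:
    """UTS #39 skeleton: NFD, map each char through the table, NFD again."""
    nfd = unicodedata.normalize("NFD", label)
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in nfd)
    return unicodedata.normalize("NFD", mapped)


def is_confusable(a: str, b: str) -> bool:
    return skeleton(a) == skeleton(b)


def scripts(label: str) -> set:
    """Heuristic script set (assumption): first word of each char's Unicode
    name, e.g. 'TELUGU', 'LATIN'. Digits, dots and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch not in ".-0123456789"}


def check_registration(label: str, existing: set) -> list:
    """Hypothetical policy a registry at any level could apply to a new
    label: reject confusables with existing labels and mixed-script labels.
    Returns the rejection reasons; an empty list means 'accept'."""
    reasons = []
    for taken in existing:
        if label != taken and is_confusable(label, taken):
            reasons.append(f"confusable with existing label {taken!r}")
    if len(scripts(label)) > 1:
        reasons.append(f"mixed scripts {sorted(scripts(label))}")
    return reasons


if __name__ == "__main__":
    print(check_registration("\u0C05\u0C30\u0C17", {"\u0C85\u0CB0\u0C97"}))
    print(check_registration("p\u0430ypal", {"paypal"}))
    # Shawn's point: "paypal" under safe.com passes every confusable check.
    print(check_registration("paypal", {"safe", "mail"}))
```

The last call returns an empty list: a deceptive subdomain that uses no confusable characters is invisible to this kind of check, which is why the thread treats homograph detection as only a weak indicator.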



    This archive was generated by hypermail 2.1.5 : Mon Nov 29 2010 - 15:14:56 CST