NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Example of how "de-Latinized" domain names can be subverted


As John Levine reminded me when I tried to use '方思腾@bobf.frankston.com' -- email addresses are still limited to the older character sets. Also, can you really register non-Latin characters in .COM?

The bigger issue is misusing the DNS as a directory. But that's a problem I've long lamented. And the problems of confusion are not at all new with "rn" and "m" looking the same in some typefaces and rolecks vs rolex etc etc etc. And you don't own your identifier so that one missed check or if you foolishly die then your domain name gets repurposed and all links, in effect, hijacked. The DNS guarantees the net will unravel. And the @ sign means your identity is owned by a provider.

So while I think that the use of additional glyphs is a bad idea it's only incrementally worse than the DNS itself. We can have better mechanisms but that's another topic related to Ambient Connectivity (http://rmf.vc/?n=IAC) and persistent relationships.

 

-----Original Message-----
From: nnsquad-bounces+nnsquad=bobf.frankston.com@nnsquad.org [mailto:nnsquad-bounces+nnsquad=bobf.frankston.com@nnsquad.org] On Behalf Of Richard Clayton
Sent: Tuesday, December 29, 2009 09:04
To: Lauren Weinstein
Cc: nnsquad@nnsquad.org
Subject: [ NNSquad ] Re: Example of how "de-Latinized" domain names can be subverted

 

In message <20091229055555.GA18076@vortex.com>, Lauren Weinstein
<lauren@vortex.com> writes

>
>Example of how "de-Latinized" domain names can be subverted
>
>http://bit.ly/6YbTBR  (Dean Collins' Blog)
>
>Dean, the "fun" has only just begun.  Some of us have been warning of
>this consequence for ... well ... pretty much since day one of the
>concept.

 

There are two substantive issues in this blog posting...

... the first is that someone other than PayPal could register the
Hebrew version of "PayPal" (the evidence for this is that someone has
registered the Chinese version of mobileappstore.com and is seeking
money for it).

There's nothing "new" here (it's directly equivalent to someone
registering paypal.com.az or mobileappstore.com.az) and will be dealt
with under the usual rules for domain name ownership.

So in practice, PayPal (apocryphally Pepsi just purchases all the
possible variants) will spend the money on the lawyers to seize the
domain -- and most other people (with less deep pockets) will just grin
and bear it...  chances are that the speculator who registered it will
let it slide at the end of the year, so if the "proper owner" really
cares, then they can pick it up at that point.

 

The second issue is slightly more "new" (albeit commented upon for
years). The blog notes that some of the glyphs for Russian and other
languages look like "standard ASCII" glyphs -- and hence

   http://xn--yl-6kcb1fc.com/

will "look like" http://paypal.com in the taskbar ...

... that's certainly true, and if widely exploited by the criminals then
we'll need to change the standard advice again as to "how do you know
it's really PayPal".  Nothing new there in that we keep on changing the
"standard advice", and will continue to do so until the way in which
browsers tell us where we're really visiting is completely overhauled.

However, PayPal can easily get this Cyrillic name de-registered using
dispute resolution (or promptly suspended if it's being used for
phishing) just as they currently deal with paypall.com, pa.ypal.com,
paypa1.com and all the other variants we see on a daily basis...

   ... I rather liked the recently registered "eauofinvestigation.com"
   which doesn't look too sinister until you see it being used with the
   subdomain of  "federalbur"

So once again, there's no "new" threat here, just a minor variant of an
existing one.

 

BTW: IDN names have been available for ages [the recent change by ICANN
is all about TLDs not IDN per se], and the May 2009 Anti-Phishing
Working Group (APWG) survey found that phishers had registered
5,591 domain names (that's just 18.5% of all the domains involved in
hosting phishing sites -- the majority are legitimate sites that have
been hacked into).

They recorded just 10 IDN names used in phishing attacks -- and all 10
were hacked into sites.

  ie: the phishers registered precisely zero IDN names

Of course this may change ... but it hasn't yet!

 

    [ I would also like to see more discussion of how non-ASCII domains
      affect older mail user agents (especially text based) and older
      mailing list handling software.  There's lots of both still
      around and processing piles of e-mail every day.

          -- Lauren Weinstein
             NNSquad Moderator ]

-- 
Richard Clayton                            <richard.clayton@cl.cam.ac.uk>
                                  tel: 01223 763570, mobile: 07887 794090
                    Computer Laboratory, University of Cambridge, CB3 0FD
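
Added example (not part of either message above, and not code from any poster): a defender-side check that decodes the xn-- label quoted in the thread, reports which scripts it mixes, and tests whether it folds to a protected brand name. The CONFUSABLES table and WATCHLIST are small constructed assumptions, the script test via Unicode character names is a heuristic, and the host is assumed to have a one-label TLD.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (Cyrillic -> Latin).
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p",
               "с": "c", "у": "y", "х": "x", "і": "i"}

WATCHLIST = {"paypal"}  # hypothetical list of protected brand labels


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (A-label or plain ASCII)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(text: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def skeleton(text: str) -> str:
    """Fold known look-alikes to ASCII so visually equal labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def assess(hostname: str) -> dict:
    """Assess the registrable label (second from the right; one-label TLD assumed)."""
    raw = hostname.rstrip(".").split(".")[-2]
    shown = decode_label(raw)
    found = scripts(shown)
    skel = skeleton(shown)
    return {
        "displayed": shown,
        "scripts": sorted(found),
        "mixed_script": len(found) > 1,
        # Only a look-alike counts; the genuine ASCII label is not flagged.
        "imitates": skel if skel in WATCHLIST and shown.lower() != skel else None,
    }


if __name__ == "__main__":
    for host in ("xn--yl-6kcb1fc.com", "paypal.com", "paypa1.com"):
        print(host, assess(host))
```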