NNSquad - Network Neutrality Squad
NNSquad Home Page
[ NNSquad ] Re: Example of how "de-Latinized" domain names can be subverted
As John Levine reminded me when I tried to use '方思腾@bobf.frankston.com' -- email addresses are still limited to the older character sets. Also can you really register nonLatin characters in .COM?
The bigger issue is misusing the DNS as a directory. But that's a problem I've long lamented. And the problems of confusion are not at all new with "rn" and "m" looking the same in some typefaces and rolecks vs rolex etc etc etc. And you don't own your identifier so that one missed check or if you foolishly die then your domain name gets repurposed and all links, in effect, hijacked. The DNS guarantees the net will unravel. And the @ sign means your identity is owned by a provider.
So while I think that the use of additional glyphs is a bad idea it's only incrementally worse than the DNS itself. We can have better mechanisms but that's another topic related to Ambient Connectivity (http://rmf.vc/?n=IAC) and persistent relationships.
In message <20091229055555.GA18076@vortex.com>, Lauren Weinstein
>Example of how "de-Latinized" domain names can be subverted
>http://bit.ly/6YbTBR (Dean Collins' Blog)
>Dean, the "fun" has only just begun. Some of us have been warning of
>this consequence for ... well ... pretty much since day one of the
There's two substantive issues in this blog posting...
... the first is that someone other than PayPal could register the
Hebrew version of "PayPal" (the evidence for this is that someone has
registered the Chinese version of mobileappstore.com and is seeking
money for it).
There's nothing "new" here (it's directly equivalent to someone
registering paypal.com.az or mobileappstore.com.az and will be dealt
with under the usual rules for domain name ownership.
So in practice, PayPal (apocryphally Pepsi just purchases all the
possible variants) will spend the money on the lawyers to seize the
domain -- and most other people (with less deep pockets) will just grin
and bear it... chances are that the speculator who registered it will
let it slide at the end of the year, so if the "proper owner" really
cares, then they can pick it up at that point.
The second issue is slightly more "new" (albeit commented upon for
years). The blog notes that some of the glyphs for Russian and other
languages look like "standard ASCII" glyphs -- and hence
will "look like" http://paypal.com in the taskbar ...
... that's certainly true, and if widely exploited by the criminals then
we'll need to change the standard advice again as to "how do you know
it's really PayPal". Nothing new there in that we keep on changing the
"standard advice", and will continue to do so until the way in which
browsers tell us where we're really visiting is completely overhauled.
However, PayPal can easily get this Cyrillic name de-registered using
dispute resolution (or promptly suspended if it's being used for
phishing) just as they currently deal with paypall.com pa.ypal.com
paypa1.com and all the other variants we see on a daily basis...
... I rather liked the recently registered "eauofinvestigation.com"
which doesn't look too sinister until you see it being used with the
subdomain of "federalbur"
So once again, there's no "new" threat here, just a minor variant of an
BTW: IDN names have been available for ages [the recent change by ICANN
is all about TLDs not IDN per se], and the May 2009 Anti-Phishing
Working Group (APWG) survey found that phishers had registered
5,591 domain names (that's just 18.5% of all the domains involved in
hosting phishing sites -- the majority are legitimate sites that have
been hacked into).
They recorded just 10 IDN names used in phishing attacks -- and all 10
were hacked into sites.
ie: the phishers registered precisely zero IDN names
Of course this may change ... but it hasn't yet!
[ I would also like to see more discussion of how non-ASCII domains
affect older mail user agents (especially text based) and older
mailing list handling software. There's lots of both still
around and processing piles of e-mail every day.
-- Lauren Weinstein
NNSquad Moderator ]
Richard Clayton <email@example.com>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD