NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Example of how "de-Latinized" domain names can be subverted


Dave and Lauren,

A simple idea/request.  Can firefox and other browsers (luckily we
only have a handful of popular browsers) release a tool/widget I can
install that lets me pick my language? It would then either translate
or otherwise highlight alternative languages?  E.g., the Cyrillic
paypal.com would not display as "paypal.com" on top for me. Of course,
one could choose to allow direct display if one wanted. BUT not as
default, and not without visual indication.

[note, this is inspired by my request to banks at their ATM where
they first ask me for language, instead of letting me pick a default
(in my case, English), and having an option on the side to change it.
Saves a click and 2 seconds per transaction]

Rahul

On Tue, Dec 29, 2009 at 7:33 PM, Richard Clayton <richard@highwayman.com> wrote:
> In message <20091229055555.GA18076@vortex.com>, Lauren Weinstein
> <lauren@vortex.com> writes
>>
>>Example of how "de-Latinized" domain names can be subverted
>>
>>http://bit.ly/6YbTBR  (Dean Collins' Blog)
>>
>>Dean, the "fun" has only just begun.  Some of us have been warning of
>>this consequence for ... well ... pretty much since day one of the
>>concept.
>
> There are two substantive issues in this blog posting...
>
> ... the first is that someone other than PayPal could register the
> Hebrew version of "PayPal" (the evidence for this is that someone has
> registered the Chinese version of mobileappstore.com and is seeking
> money for it).
>
> There's nothing "new" here (it's directly equivalent to someone
> registering paypal.com.az or mobileappstore.com.az and will be dealt
> with under the usual rules for domain name ownership).
>
> So in practice, PayPal (apocryphally Pepsi just purchases all the
> possible variants) will spend the money on the lawyers to seize the
> domain -- and most other people (with less deep pockets) will just grin
> and bear it...  chances are that the speculator who registered it will
> let it slide at the end of the year, so if the "proper owner" really
> cares, then they can pick it up at that point.
>
> The second issue is slightly more "new" (albeit commented upon for
> years). The blog notes that some of the glyphs for Russian and other
> languages look like "standard ASCII" glyphs -- and hence
>
>   http://xn--yl-6kcb1fc.com/
>
> will "look like" http://paypal.com in the taskbar ...
>
> ... that's certainly true, and if widely exploited by the criminals then
> we'll need to change the standard advice again as to "how do you know
> it's really PayPal".  Nothing new there in that we keep on changing the
> "standard advice", and will continue to do so until the way in which
> browsers tell us where we're really visiting is completely overhauled.
>
> However, PayPal can easily get this Cyrillic name de-registered using
> dispute resolution (or promptly suspended if it's being used for
> phishing) just as they currently deal with paypall.com pa.ypal.com
> paypa1.com and all the other variants we see on a daily basis...
>
>   ... I rather liked the recently registered "eauofinvestigation.com"
>   which doesn't look too sinister until you see it being used with the
>   subdomain of "federalbur"
>
> So once again, there's no "new" threat here, just a minor variant of an
> existing one.
>
> BTW: IDN names have been available for ages [the recent change by ICANN
> is all about TLDs not IDN per se], and the May 2009 Anti-Phishing
> Working Group (APWG) survey found that phishers had registered
> 5,591 domain names (that's just 18.5% of all the domains involved in
> hosting phishing sites -- the majority are legitimate sites that have
> been hacked into).
>
> They recorded just 10 IDN names used in phishing attacks -- and all 10
> were hacked into sites.
>
>  ie: the phishers registered precisely zero IDN names
>
> Of course this may change ... but it hasn't yet!
>
>    [ I would also like to see more discussion of how non-ASCII domains
>      affect older mail user agents (especially text based) and older
>      mailing list handling software.  There's lots of both still
>      around and processing piles of e-mail every day.
>
>          -- Lauren Weinstein
>             NNSquad Moderator ]
>
>
> - --
> Richard Clayton                            <richard.clayton@cl.cam.ac.uk>
>                                  tel: 01223 763570, mobile: 07887 794090
>                    Computer Laboratory, University of Cambridge, CB3 0FD
>
>
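The browser-side check Rahul asks for, against the kind of Cyrillic look-alike Richard cites, as an added example that is not code from this list, from either poster, or from any browser: a small Python checker that decodes a punycode hostname with the standard library's `idna` codec (IDNA 2003, the version in use at the time of this thread), classifies each character by script from its Unicode name, and flags any label that is in a script other than the user's chosen one or that mixes scripts. A flagged hostname is then rendered in its raw `xn--` form rather than the "pretty" Unicode form, which is the visual indication Rahul describes. The sample hostnames in the block are constructed for the example (Cyrillic р and а standing in for Latin p and a); the real `xn--yl-6kcb1fc.com` from the thread is not decoded here, and the three-script classifier is an assumption that is coarser than the Unicode script property a production implementation would use.

```python
"""Flag IDN hostnames whose labels are not in the user's preferred script,
or mix scripts, so an address bar can refuse the 'pretty' Unicode rendering.
Added example; the sample hostnames below are constructed, not taken from the list."""
import unicodedata

# Digits and hyphen are script-neutral and may appear in any label.
COMMON = set("0123456789-")


def script_of(ch: str) -> str:
    """Coarse script class derived from the Unicode character name.
    Assumption: only Latin, Cyrillic and Greek are told apart; everything else is 'Other'."""
    if ch in COMMON:
        return "Common"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.title()
    return "Other"


def to_unicode(hostname: str) -> str:
    """Decode a punycode (xn--) hostname to its Unicode form; pass a Unicode hostname through.
    Raises UnicodeError on malformed punycode."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname  # already contains non-ASCII, so it is the Unicode form


def assess(hostname: str, preferred: str = "Latin"):
    """Return (unicode_form, findings).  Each finding is (label, reason) with reason
    'mixed-script' (two or more scripts in one label), 'foreign-script' (a single
    script other than the preferred one) or 'undecodable'.  Empty findings = nothing to flag."""
    try:
        unicode_form = to_unicode(hostname)
    except UnicodeError:
        return hostname, [(hostname, "undecodable")]
    findings = []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            findings.append((label, "mixed-script"))
        elif scripts and scripts != {preferred}:
            findings.append((label, "foreign-script"))
    return unicode_form, findings


def safe_display(hostname: str, preferred: str = "Latin") -> str:
    """What the address bar should show: the Unicode form only when every label is in
    the user's preferred script, otherwise the raw punycode so the look-alike is visible.
    (idna encoding leaves pure-ASCII labels unchanged, so this is safe for both inputs.)"""
    unicode_form, findings = assess(hostname, preferred)
    if findings:
        return unicode_form.encode("idna").decode("ascii")
    return unicode_form


if __name__ == "__main__":
    # Constructed samples: a genuine Latin name, a Cyrillic/Latin look-alike of it,
    # and an all-Cyrillic name that is fine for a Cyrillic-speaking user.
    homograph = "\u0440\u0430y\u0440\u0430l.com"   # р а y р а l . c o m
    samples = ["paypal.com", homograph, homograph.encode("idna").decode("ascii"),
               "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"]
    for host in samples:
        unicode_form, findings = assess(host)
        print(f"{host!r:40} -> show {safe_display(host)!r}  findings={findings}")
```

Running the block shows the two forms of the constructed look-alike both being rendered as punycode, while `paypal.com` passes through untouched; switching `preferred` to `"Cyrillic"` makes the all-Cyrillic name pass and would instead flag `paypal.com` as foreign, which is exactly the per-user choice Rahul's widget would expose.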