[Cryptography] On those spoofed domain names...

Ray Dillinger bear at sonic.net
Fri Mar 9 17:50:07 EST 2018


 On 03/09/2018 12:27 PM, Dave Horsfall wrote:
> Krebs On Security has an interesting example of how domain names can be
> spoofed in international alphabets; there was a thread here a while ago
> with the esteemed John Levine (and I learned lots!).
> 
> https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

We've beaten up on the Unicode committee so often, on this list, for the
lookalike characters that mislead humans, and the alternate encodings
that break hashes, and the alternate codepoint sequences for the same
character that screw with any search for substrings, and .... it just
goes on and on.

We don't have to beat up on them again.  We really shouldn't.  And yet,
I just can't look at Krebs' article without comment.

And this, in my estimation, is a big design failure on the part of the
Unicode committee.  The perfectly reasonable impulse that drove it was
an inevitable interpretation of their mission, but "design by
accumulation" is not design.  It produces piles, not structures.  And
Unicode is a pile.

Data gathering is the first part of good design, but, impatient for
results, they made the mistake of doing the data gathering only and
slapping the term 'standard' on page after page of mappings that should
have been considered to only be the notes outlining their scope.

They'll never finish a standard.  They don't even want to anymore.
They'll still be working on that thing a hundred years from now, and
they're even now promoting a view of characters and language that
justifies continuing to work on it forever, instead of finishing it,
using it for the several centuries it'll take until significant reasons
develop why it's not working, and making a new standard then.

Adults are wasting their time cataloging new poo emoji that someone
invents every week and forgets a year later, because "language is
unbelievably complex...."  And they'll do it forever.

Unicode now contains characters that no one, ever, will need to write
except to document Unicode.  And every one of them is a security risk to
the extent that it can be confused with any of the others.  That's
stupid design.

			Bear



More information about the cryptography mailing list
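The three failure modes Bear names (lookalike letters from another script, alternate code point sequences for the same character that change a hash, and those same sequences defeating a substring search) are easy to reproduce on domain-name labels. The Python below is an added example, not code from the post, the list, or the Unicode consortium. The labels (`café` precomposed, `cafe` plus a combining acute accent, and `apple` with a Cyrillic first letter) are constructed samples, not real registrations, and `scripts_of` is a character-name-prefix heuristic of my own because Python's `unicodedata` does not expose the Unicode Script property.

```python
"""Added example (not from the mailing-list post).

Shows, on constructed labels, why raw bytes are the wrong thing to hash,
search or compare, and that IDNA encoding alone does nothing to stop a
mixed-script lookalike label.
"""
import hashlib
import unicodedata

# Constructed samples, not real domain registrations.
NFC_CAFE = "caf\u00e9"        # e-acute as one precomposed code point (U+00E9)
NFD_CAFE = "cafe\u0301"       # plain 'e' followed by COMBINING ACUTE ACCENT
LATIN_APPLE = "apple"
MIXED_APPLE = "\u0430pple"    # first letter is CYRILLIC SMALL LETTER A (U+0430)


def sha256_hex(label: str) -> str:
    """Hash the raw UTF-8 bytes, as a naive allow/deny list would store them."""
    return hashlib.sha256(label.encode("utf-8")).hexdigest()


def canonical(label: str) -> str:
    """NFC-normalize before hashing, searching or comparing.

    NFC is the minimum for stable comparison of canonically equivalent
    strings; NFKC additionally folds compatibility forms (fullwidth letters,
    ligatures) and is what IDNA's nameprep applies.
    """
    return unicodedata.normalize("NFC", label)


def to_idna(label: str) -> str:
    """What a resolver actually sends: IDNA (nameprep, then punycode)."""
    return label.encode("idna").decode("ascii")


def scripts_of(label: str) -> set:
    """Heuristic script detection (assumption: name prefix == script).

    Python's unicodedata has no Script property, so this takes the first
    word of the character name for letters only, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.  Digits and hyphens are
    ignored.  Enough to flag mixed scripts; not a UTS #39 confusable check.
    """
    found = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def is_mixed_script(label: str) -> bool:
    """True when letters from more than one script share one label."""
    return len(scripts_of(label)) > 1


def check_label(label: str) -> dict:
    """One record per label: what to store, what goes on the wire, and a flag."""
    return {
        "canonical": canonical(label),
        "digest": sha256_hex(canonical(label)),
        "idna": to_idna(label),
        "mixed_script": is_mixed_script(label),
    }


if __name__ == "__main__":
    # Canonically equivalent strings: different bytes, different hashes,
    # failed substring search, until normalized.
    print(sha256_hex(NFC_CAFE) == sha256_hex(NFD_CAFE))                  # False
    print("\u00e9" in NFD_CAFE, "\u00e9" in canonical(NFD_CAFE))          # False True
    print(sha256_hex(canonical(NFC_CAFE)) == sha256_hex(canonical(NFD_CAFE)))  # True
    # IDNA's nameprep normalizes too, so both spellings hit the same name.
    print(to_idna(NFC_CAFE), to_idna(NFD_CAFE))                           # xn--caf-dma xn--caf-dma
    # ...but it happily encodes the Cyrillic-a lookalike as a distinct name.
    for label in (LATIN_APPLE, MIXED_APPLE):
        print(check_label(label))
```

The point of `check_label` is that the decision has to be made on the normalized string and, separately, on the script mix: the IDNA codec will cheerfully turn the lookalike label into `xn--pple-43d`, a perfectly valid and distinct name, which is why browsers layer their own mixed-script display rules on top of the encoding rather than relying on it.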