[Cryptography] On those spoofed domain names...

William Allen Simpson william.allen.simpson at gmail.com
Sun Mar 11 06:57:56 EDT 2018


On 3/10/18 1:32 PM, John Ioannidis wrote:
> While I do not disagree that Unicode is an abomination, it is not Unicode's fault that the IETF decided that internationalized domain names with native character sets was a good idea.
> 
IIRC, pushed by some Greeks? (and a lot of East Asians).


> [...]
> The underlying *security* problem is that people trust the name they read. Or that even if they've read it "correctly" it somehow means something. That's certainly not Unicode's fault.
> 
Agreed.  Amusingly, I had to rescue this message from my spam folder, as
Gmail tells me:

   Be careful with this message. Someone might be trying to trick you by
   using similar looking characters in their email address or links (for
   example replacing the letter "O" with the number "0").

Even with your examples in the body, not the address....

Anyway, this problem goes even farther.  With "zero-touch" Internet of
Things, they want us to trust our lamp/refrigerator/television to bypass
the firewall and talk to somewhere outside, simply because it has some
manufacturer's signed certificate in/on it.

That is, because we can read that it says "LG" on the outside, and the
machine itself can verify its own signature, we should trust it.

Trust is not transitive.
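As an added illustration (this is not code from Simpson's post or from the list, it is supplied here), the following Python check does the kind of look-alike screening that the Gmail warning quoted above alludes to, applied to domain labels rather than to an address: it flags a label that mixes Unicode scripts, and a label whose "skeleton" (confusable characters folded to their ASCII look-alikes) collides with a name the reader is expected to trust, showing the punycode A-label the resolver actually sees. The confusables table, the coarse script bucketing, and the brand allowlist are constructed for this example; a real check would use Unicode's confusables.txt and the Script property.

```python
import unicodedata

# Tiny confusables table, constructed for this example.  The authoritative
# list is Unicode's confusables.txt (UTS #39), which is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",       # the digit-for-letter swap in Gmail's own warning text
    "1": "l",
}


def script_of(ch):
    """Coarse script bucket: first word of the character's Unicode name.

    Digits and the hyphen are 'common' so they never count as a second
    script by themselves.  Demo-grade; real checks use the Script property
    from UAX #24.
    """
    if ch in "0123456789-":
        return "common"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def a_label(label):
    """The wire form ('xn--' punycode) the resolver sees; ASCII passes through."""
    return label.encode("idna").decode("ascii")


def skeleton(label):
    """Fold compatibility forms (NFKC), lowercase, then map confusables to ASCII."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_label(label, known_brands):
    """Return the reasons this label is a likely look-alike, or [] if none.

    known_brands: set of ASCII labels the reader is expected to trust
    (constructed for the example).
    """
    reasons = []
    scripts = {script_of(ch) for ch in label} - {"common"}
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    sk = skeleton(label)
    if sk != label.lower() and sk in known_brands:
        reasons.append("reads as '%s' but is really %s" % (sk, a_label(label)))
    return reasons


def check_domain(domain, known_brands):
    """Run check_label over every label; return {label: reasons} for flagged ones."""
    flagged = {}
    for label in domain.split("."):
        reasons = check_label(label, known_brands)
        if reasons:
            flagged[label] = reasons
    return flagged


if __name__ == "__main__":
    brands = {"apple", "google"}          # constructed allowlist
    # Constructed samples: Cyrillic-a "apple", all-Cyrillic "apple", zero-for-o.
    for d in ["www.apple.com", "www.\u0430pple.com",
              "\u0430\u0440\u0440\u04cf\u0435.com", "g00gle.com"]:
        print(d, "->", check_domain(d, brands) or "ok")
```

The all-Cyrillic sample passes the mixed-script test, which is why the skeleton comparison against a trusted-name list is the check that actually catches it; browsers that only refuse mixed-script labels miss exactly that case.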

