[Cryptography] On those spoofed domain names...
Florian Weimer
fw at deneb.enyo.de
Sun Mar 18 12:00:03 EDT 2018
* Nico Williams:
> We were always going to have a confusability problem anyways because of
> typos and font confusability issues. The problem isn't that the UC
> didn't prevent confusability (it couldn't have). It's that the
> community didn't recognize the problem and write code and standards for
> registries/registrars that would make it easier to cope with the
> problem.
There are several slightly incompatible standards, without any
signaling mechanism. The IETF, Unicode, and registries all
contributed to various efforts, reinterpreting and altering the work
of others.
> There's no need to cry over this. Instead we need to demand that
> registrars prevent registration of domains that are typo-, font-, and/or
> homoglyph-confusable. We also need to write code that does fuzzy
> confusable matching.
Browsers try to focus the attention on the registry-controlled part,
but I don't know how effective this is in practice.
In a quick test, I see things like this (all branded sites, likely
legitimate):
Paymentech, LLC (US) | https://secure.paymentech.com/signin/pages/log
https://opt.chasepaymentech.com/reader/
smallbusiness.adpinfo.com/Bank-of-America_and_ADP_limited_offer_
Jack Henry & Associates, Inc. (US) | https://www.netteller.com/login2008/
Fiserv, Inc. (US) | https://www.netbranch.app.fiserv.com/fasecu/
https://sagelink.ns3web.org
https://secure.cuaccount-access.com/geneseecoopfcu/?Submit=Logi
These sites wouldn't have any users if people actually followed the
security advice we give to them.
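As an added illustration (not part of the thread), a small Python sketch of the two ideas discussed above: isolating the registry-controlled label the way browsers do, then folding it to a look-alike skeleton, comparing it against known brand names and flagging mixed scripts. The confusable table, suffix list and brand names are hand-constructed stand-ins, not the Unicode confusables.txt or the Public Suffix List.

```python
import unicodedata

# Hand-constructed subset of look-alike mappings in the spirit of the UTS #39
# skeleton; NOT the full Unicode confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o er
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic es kha u
    "\u03bf": "o", "\u03bd": "v",                                # Greek omicron nu
    "0": "o", "1": "l", "\u0131": "i",                           # digits, dotless i
}
# Tiny constructed suffix list standing in for the Public Suffix List.
SUFFIXES = ("co.uk", "com", "org", "net")

def registrable(host):
    """Registry-controlled part (eTLD+1) of host, the part browsers highlight."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try multi-label suffixes before single-label ones
        if ".".join(labels[-n:]) in SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()

def scripts_in(label):
    """Scripts used by the letters in label, taken from the Unicode name prefix."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold label to an ASCII skeleton: lowercase, strip accents, map look-alikes."""
    folded = unicodedata.normalize("NFKD", label.lower())
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in folded if not unicodedata.combining(ch))

def check(host, brands):
    """Findings for the registrable label of host against a list of brand names."""
    label = registrable(host).split(".")[0]
    findings = []
    if len(scripts_in(label)) > 1:
        findings.append("mixed-script")
    for brand in brands:
        if label != brand and skeleton(label) == skeleton(brand):
            findings.append("confusable-with:" + brand)
    return findings

if __name__ == "__main__":
    BRANDS = ["paymentech", "fiserv", "netteller"]  # constructed brand list
    for host in ("www.paymentech.com", "secure.p\u0430ymentech.com", "fiserv.co.uk"):
        print(host, check(host, BRANDS))
```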