[Cryptography] Typesetting vs. identifiers, On those spoofed domain names...

Nico Williams nico at cryptonector.com
Mon Mar 19 11:54:59 EDT 2018


On Sat, Mar 10, 2018 at 12:04:49AM -0500, John Levine wrote:
> >There's no need to cry over this.  Instead we need to demand that
> >registrars prevent registration of domains that are typo-, font-, and/or
> >homoglyph-confusable.  We also need to write code that does fuzzy
> >confusable matching.
> 
> Also right.  If you bother to learn about normalization and IDNA and
> PRECIS and label generation rules, you can come up with usable subsets
> of Unicode for identifiers.  It's not perfect as the Krebs article
> rediscovered; you can't totally avoid homoglyphs, but that is not new
> (MICR0SOFT and paypaI) and there are ways to mitigate the damage.

I don't think we need subsets.  We just need standards (and code) to
detect confusable identifiers, then we can have first-come-first-served
policies with anti-confusable-squatting policies.

Even without Unicode confusables issues we all know about typo-
squatting.  This is a difficult issue even without Unicode in the
picture.  Nothing here is Unicode's fault, not really.

> Unfortunately, as we saw in recent exchanges here, some people want
> Unicode to be easy ("just give me a list of homoglyphs") and in the
> DNS world, there are perverse incentives to sell as many 2LDs as
> possible, regardless of how unsuitable they are as identifiers.

A list of sets of homoglyphs is feasible, but it will take time to come
up with something remotely complete.  It will also cost money.  And it
will have to be an ongoing process because Unicode is not closed to new
glyphs (it can't be, as it's not complete and never could be).

Nico
-- 
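
An added example, not part of the original message: a first-come-first-served registry that refuses any label confusable with one already registered, which is the policy the reply describes. The `CONFUSABLES` table is a small constructed subset and `skeleton` and `Registry` are hypothetical names; a real checker would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (an assumption for this
# example). A real checker would load the Unicode UTS #39 confusables data.
CONFUSABLES = {
    "0": "o",                    # digit zero vs. letter o (MICR0SOFT)
    "1": "l", "i": "l",          # DNS is case-insensitive, so "paypaI" is
                                 # registered as "paypai": i must fold to l
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic er, es
}


def skeleton(label: str) -> str:
    """Reduce a label to a comparison key; confusable labels share a key."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return unicodedata.normalize("NFKC", mapped)


class Registry:
    """First-come-first-served registry with an anti-confusable policy."""

    def __init__(self):
        self._by_skeleton = {}   # skeleton -> first label registered

    def register(self, label: str):
        """Return (accepted, label that holds this skeleton)."""
        key = skeleton(label)
        if key in self._by_skeleton:
            return False, self._by_skeleton[key]   # confusable with holder
        self._by_skeleton[key] = label
        return True, label


def demo():
    """Register constructed sample labels in order and collect the results."""
    reg = Registry()
    samples = ("microsoft", "MICR0SOFT", "paypal", "paypaI",
               "p\u0430ypal", "example")
    return [reg.register(s) for s in samples]


if __name__ == "__main__":
    for accepted, holder in demo():
        print("accepted" if accepted else "rejected", holder)
```

Folding `i` into `l` also makes unrelated pairs such as "mail" and "mall" collide, so the size of each confusable class is a policy trade-off between blocked squatting and blocked legitimate names.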

