[Cryptography] On those spoofed domain names...

Nico Williams nico at cryptonector.com
Mon Mar 19 12:00:41 EDT 2018


On Sun, Mar 18, 2018 at 05:00:03PM +0100, Florian Weimer wrote:
> * Nico Williams:
> 
> > We were always going to have a confusability problem anyways because of
> > typos and font confusability issues.  The problem isn't that the UC
> > didn't prevent confusability (it couldn't have).  It's that the
> > community didn't recognize the problem and write code and standards for
> > registries/registrars that would make it easier to cope with the
> > problem.
> 
> There are several slightly incompatible standards, without any
> signaling mechanism.  Both the IETF, Unicode, and registries
> contributed to various efforts, reinterpreting and altering the work
> of others.

To some degree each community has to have its own standards.  The UC is
central here in that they have the expertise to produce a good first
approximation of sets of confusable glyphs.

As you and others and I point out here and elsewhere, confusable glyphs
are hardly the whole story.

> > There's no need to cry over this.  Instead we need to demand that
> > registrars prevent registration of domains that are typo-, font-, and/or
> > homoglyph-confusable.  We also need to write code that does fuzzy
> > confusable matching.
> 
> Browsers try to focus the attention on the registry-controlled part,
> but I don't know how effective this is in practice.
> 
> In a quick test, I see things like this (all branded sites, likely
> legitimate):
> 
> Paymentech, LLC (US) | https://secure.paymentech.com/signin/pages/log
> https://opt.chasepaymentech.com/reader/
> smallbusiness.adpinfo.com/Bank-of-America_and_ADP_limited_offer_
> Jack Henry & Associates, Inc. (US) | https://www.netteller.com/login2008/
> Fiserv, Inc. (US) | https://www.netbranch.app.fiserv.com/fasecu/
> https://sagelink.ns3web.org
> https://secure.cuaccount-access.com/geneseecoopfcu/?Submit=Logi
> 
> These sites wouldn't have any users if people actually followed the
> security advice we give to them.

Note that there's no Unicode in sight there.  One is a typo domain.

Nico
-- 
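A defender-side sketch of the "fuzzy confusable matching" Nico calls for, added here as an example and not code from either poster. It assumes a constructed brand list and a small constructed confusable table (a real check would load Unicode's UTS #39 confusables data), and it flags the cases the thread mentions: a brand string sitting in a label, a homoglyph or font/digit lookalike label, and a plain typo domain with no Unicode in sight.

```python
import unicodedata

# Constructed, deliberately small confusable table; a real check would be
# driven by the full Unicode confusables data (UTS #39), not this sample.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0501": "d",  # Cyrillic c x i d
    "\u0261": "g", "1": "l", "0": "o", "|": "l",                # ASCII/font lookalikes
    "rn": "m", "vv": "w",                                      # multi-glyph lookalikes
}
PROTECTED = ["paypal", "chase", "fiserv", "google"]  # constructed brand list

def skeleton(label):
    """Collapse a label to a lookalike-insensitive form (NFKC + casefold + table)."""
    s = unicodedata.normalize("NFKC", label).casefold()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain, protected=PROTECTED):
    """Return (verdict, brand): exact, homoglyph, typo or unrelated."""
    labels = domain.lower().rstrip(".").split(".")[:-1]  # every label but the TLD
    # Decode IDNA A-labels (xn--...) so the Unicode form is what gets compared.
    labels = [l.encode("ascii").decode("idna") if l.startswith("xn--") else l
              for l in labels]
    for label in labels:               # brand string anywhere left of the TLD
        if label in protected:
            return "exact", label
    for label in labels:               # Unicode or font/digit lookalike
        for brand in protected:
            if skeleton(label) == brand:
                return "homoglyph", brand
    for label in labels:               # one keystroke away from the brand
        for brand in protected:
            if osa_distance(skeleton(label), brand) == 1:
                return "typo", brand
    return "unrelated", None
```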