Re: Homograph spoofing (follow-up to "fake glyph" message)

Nicholas Bodley wrote:

>Here's a concise and recent document about the problem; it's relatively
>well written:
><http://www.icann.org/announcements/announcement-23feb05.htm>
>Excerpt:
>"Homograph domain name spoofing works by exploiting the visual
>resemblance, or near resemblance of certain characters and symbols."
>
>The thought crossed my mind that font designers might want to consider, in
>the long run, designs that would not be easily prone to spoofing. I think
>it's not hard to say why that's a bad idea, in some respects.
>
>Regards,
>
>
>

At the risk of not sounding like myself, I think this issue is not
really writing systems related as much as security related. Hacking the
writing system won't change the underlying security fundamentals - that
of authentication and trust.

Maybe the early days of the internet will be recalled as a period when
no authentication of a web site's claim to originate where it appeared
to was necessary, and most security efforts went the other way around
("viewer must authenticate to see the site").

Maybe that will have turned out to be a bit naive in whether or not it
scales.

And I think we can see that is starting to change. Unicode-oriented
folks, myself included, have pointed out the security risks related to
unified character encodings at every step of the way.

Usually, these have taken place in standards discussion forums, where
the issue of implementing a interoperability standard that would
independent of language came up.

Now at last, some of those standards are starting to see the light of
day in wide implementations, and it is no surprise to anyone involved
that the risks are there.

But there likely are technical solutions possible, even given the
openness of the overall internet architecture, that don't involve
restricting domain names to certain characters (ICANN has enough to deal
with then to try to impose that!). for one thing, you would have no way
of knowing if your (most likely remote, but based on open source code)
domain name server was properly compliant or not.

But limiting valid domain names to only some characters to address
higher level scams such as phishing is like trying to stop repeated
robberies in your house by installing more opaque drapes on the windows
instead of installing locks at the openings.

DNS servers are an extremely sensitive part of the system and network
administrators are loathe to change working ones. Mail servers too, and
that is why incorporating a variety of writing systems into the modern
tools of communication such as email has been difficult and slow.

Speaking of mail servers, it was the mistakes made in the original
specifications for SMTP (Simple Mail Transport Protocol) and the
well-known difficulties of correcting them once the protocol was in
widespread use that is the genesis for every protocol and
interoperability group to look to Unicode for relief.

Best,

Barry