IDNA 2008 security

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Dec 2 08:59:40 CET 2008


On Mon, Dec 01, 2008 at 04:21:35PM -0800,
 Dick Sites <dsites at google.com> wrote 
 a message of 14 lines which said:

> There is nothing in this draft that addresses known
> real-world phishing exploits and disallows them. That seems like a
> truly unfortunate oversight. 

Phishing is explicitly out of scope for IDNA 2009. See the charter in
<http://www.ietf.org/html.charters/idnabis-charter.html>:

> There are a variety of generally unsolvable problems, notably the
> problem of characters that are confusingly similar in appearance
> (often known as the "phishing" problem) that are not specifically
> part of the scope of the WG although some of the preliminary results
> of the design team suggest that the improvements contemplated in the
> specifications might mitigate some of the ways in which the current
> IDNA specifications can be abused for phishing purposes.

This was the right decision: most real-world phishing (and I see a lot
of phishing reports) makes no attempt to produce confusable URLs,
probably because most users do not check the URL (or do not understand
the naming hierarchy, so paypal.example.com looks like paypal.com to
them).

The last phishing report I saw this morning was not even using a
domain name and advertised a URL with an embedded IP address.

> The oversight suggests that this draft is just a collection of rules
> and not a serious effort to improve security on the web.

Indeed, it is not a security-related work and rightly so.
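The two lure patterns the message above describes (a brand name placed in a subdomain of an unrelated registrable domain, and a literal IP address in place of a domain name), plus the presence of IDN (xn--) labels, can be checked mechanically on the defender's side. The following is an added example, not code from the thread or from the IDNA specifications; the brand list and the "last two labels" registrable-domain heuristic are assumptions (a real deployment would use a public suffix list).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand names a defender wants to watch (assumption).
WATCHED_BRANDS = ("paypal", "google")


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are
    not handled; replace with a PSL lookup in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_lure_signals(url: str) -> set:
    """Return the set of lure patterns a URL exhibits:
    'ip_host', 'brand_in_subdomain', 'idn_label' (empty set if none)."""
    host = urlsplit(url).hostname or ""
    signals = set()

    # 1. A literal IP address (v4 or v6) instead of a domain name.
    try:
        ipaddress.ip_address(host)
        return {"ip_host"}
    except ValueError:
        pass

    labels = host.lower().rstrip(".").split(".")
    regdom = registrable_domain(host)
    subdomain_labels = labels[:-2]

    # 2. A watched brand appears only in the subdomain part, so the
    #    registrable domain (what actually identifies the site) is
    #    unrelated to the brand the user thinks they are visiting.
    for brand in WATCHED_BRANDS:
        if any(brand in lab for lab in subdomain_labels) and brand not in regdom:
            signals.add("brand_in_subdomain")

    # 3. Internationalized labels (punycode, xn--) anywhere in the host;
    #    these merit a closer look but are not lures by themselves.
    if any(lab.startswith("xn--") for lab in labels):
        signals.add("idn_label")

    return signals
```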
