IDNA 2008 security

Shawn Steele Shawn.Steele at microsoft.com
Wed Dec 3 19:29:21 CET 2008


This is getting off-topic from IDNA, however I don't think John's proposal helps much:

> <a href="http://badguy.example.com/">http://goodguy.example.com/</a>
> would trigger a loud warning, as would
> <a href="http://goodguy.example.com.badguy.example.net/">http://goodguy.example.com/</a>
> and
> <a href="http://10.0.0.1/">http://goodguy.example.com/</a>

> That might move the phishers to
> <a href="http://badguy.example.com/">Click here</a>
> which would presumably not produce an explicit warning, but that
> would at least provide all but the most clueless of users a hint
> that looking at the links would be a good idea.

In that case I think most users would fall in your "most clueless" group.  I see marketing mail from buy.com that regularly has links like this:

<a href="http://links.mkt019.com/ctt?kn=14&m=2295754&r=OTIxNTk5MTYS1&b=0&j=NjI1NjgyOTAS1&mt=1&rt=0">Philips 10.2" LCD Digital Photo Frame, 10FF2CMI/27</a>

There's no parity there between the text and the link, and the link has no indication at all that it's going to get you to a buy.com web site.  It really annoys me that marketers I may be interested in don't bother sending mail from the domain name I "trust", and that the links aren't from there.  Apparently normal people don't care.

So I don't know how non-techies are supposed to be able to figure out that they need to check the actual link, and also understand the link even if they do check it.

IMO this devolves into basically "URLs can't be trusted."  WE know how to tell goodguy.com apart from goodguy.badguy.trusted.com, but "normal" people have no clue, and that's why phishing works.  Following that logic, homograph and other IDN concerns are merely a minor variation of the problem.

So browsers need a higher level mechanism to help users tell good from bad.  If they don't want to allow mixed-scripts in the address bar (like IE), then great, but IDN can't help much here.

- Shawn

