IDNA and U+08A1 and related cases (was: Re: Barry Leiba's Discuss on draft-ietf-json-i-json-05: (with DISCUSS and COMMENT))
Shawn.Steele at microsoft.com
Tue Jan 27 02:17:10 CET 2015
> As a corollary: more competition by [constrained] TLDs is good because
> if -say- com. allows too many embarrassing confusable domains to be registered,
> leading to noticeable and noticed phishing attacks,
I think that underestimates the users.... But "does it matter"?
I've received 4 emails today that made it through whatever spam filters for whatever reason. All 4 of them seemed to provide the opportunity for phishing attacks, and 0 of them leveraged IDN. For that matter, they weren't even trying to be that clever with the ASCII paths.
I think the impact on phishing and confusables may be embarrassing perhaps, but don't have much true impact on security. How many times have you mistyped a URL and ended up somewhere else? Often with advertising and stuff trying to make a few cents off of the target URL typos?
Too many companies send emails from "company at fulfillment.example.com" (totally random) or send you to "company.orderprocessing.example.com" and expect you to complete a link. So phishing stuff with @secure.com is going to succeed. They don't need confusable. (I've even seen papers that suggest that scammers sometimes prefer obvious traps because they really want to get the gullible folks - obvious bad URLs could filter those out.)
More information about the Idna-update