IDNA and U+08A1 and related cases (was: Re: Barry Leiba's Discuss on draft-ietf-json-i-json-05: (with DISCUSS and COMMENT))

[Shawn Steele]

> As a corollary: more competition by [constrained] TLDs is good because 
> if -say- com. allows too many embarrassing confusable domains to be registered, 
> leading to noticeable and noticed phishing attacks, 

I think that underestimates the users....  But "does it matter"?

I've received 4 emails today that made it through whatever spam filters for whatever reason.  All 4 of them seemed to provide the opportunity for phishing attacks, and 0 of them leveraged IDN.  For that matter, they weren't even trying to be that clever with the ASCII paths.

I think the impact on phishing and confusables may be embarrassing perhaps, but don't have much true impact on security.  How many times have you mistyped a URL and ended up somewhere else?  Often with advertising and stuff trying to make a few cents off of the target URL typos?  

Too many companies send emails from "company at fulfillment.example.com" (totally random) or send you to "company.orderprocessing.example.com" and expect you to complete a link.  So phishing stuff with @secure.com is going to succeed.  They don't need confusable.  (I've even seen papers that suggest that scammers sometimes prefer obvious traps because they really want to get the gullible folks - obvious bad URLs could filter those out.)

-Shawn