sharp s (Eszett)

Martin Duerst duerst at
Mon Mar 10 02:10:01 CET 2008

At 22:49 08/03/09, Stephane Bortzmeyer wrote:
>On Sun, Mar 09, 2008 at 11:19:27AM +0900,
> Martin Duerst <duerst at> wrote 
> a message of 43 lines which said:
>> >In particular, that leaves a hole if someone creates a funky
>> >A-label that could not have been formed via the U-label process. I
>> >think that hole that needs to be plugged,
>> Why? Whom are we trying to protect, against what?
>Indeed. There really seems to be a hidden agenda (coming from ICANN?)
>behind the IDNAbis project.

I did in no way intend to suggest this.

>All the studies on phishing have shown that almost no user takes into
>account the domain name in its credibility assessment algorithm,
>relying instead on the look of the page. So, trying to address the
>phishing problem through homographs is a bad start.

Very interesting. Can you provide some pointers?

>As a TLD, we receive a lot of a phishing reports for domains ending in
>".fr". It is extremely rare that the phisher makes an attempt, even a
>small one, to have a realistic domain name. We see domain names which
>are obviously completely unrelated to the target (and the phishing
>still works) or domain names which are related to the target but that
>no homograph policy could have prevented (such as
>paypal-secure.example for paypal.example or ebay.myowndomain.example
>for ebay.example).
>IDN spoofing is a nice subject for hackers but it is not widely used
>in the real world. Not enough to justify to change the IDN standard.

I think you have a point when you say that domain names aren't the
most important aspect of spoofing. For me, that means that trying
to be perfect in eliminating spoofing opportunities is not really
necessary. On the other hand, I think it does not hurt at all to try
to do a reasonably good job eliminating possibilities for confusion.
Fear of spoofing doesn't have to be the main motivation. It's simply
helpful for implementers and users if there are some rules and
guidelines, e.g. on whether NFC or NFD should be used for domain
names with accented characters.

Regards,    Martin.

#-#-#  Martin J. Du"rst, Assoc. Professor, Aoyama Gakuin University
#-#-#       mailto:duerst at     

More information about the Idna-update mailing list