Browser IDN display policy: opinions sought

John C Klensin klensin at jck.com
Mon Dec 12 22:44:19 CET 2011



--On Monday, December 12, 2011 15:54 +0900 "\"Martin J.
Dürst\"" <duerst at it.aoyama.ac.jp> wrote:

>...
> Yes indeed. The browser vendors overreacted on issues such as
> script-mixing, stuff that the user isn't able to read, and so
> on, because overreacting was easier than a more careful
> reaction, and they were able to say that they did something.

I think "overreacted" is debatable.  It depends on one's
evaluation of the threat... and even one's guesses about how
much worse the threat might be if the browser vendors hadn't
tried to take precautions.  There is a very big difference
between an accidental source of confusion and a deliberate
attack on the user's perceptions and gullibility by a Bad Guy.
I saw signs of some pretty careful analysis, too.

> But they didn't do much for in-script attacks, because that's
> much more difficult. (Not that I'm advocating a browser that
> shows MlCR0S0FT.com with punycode.)

Quite the contrary.  If Gerv's "Type B" model were actually
effective and workable (another question, for better or worse),
it would address in-script attacks, and so-called whole-label or
whole-script attacks (two labels, each with all of its
characters in a single script, that look alike), because it is
model based on whether or not the registry has effective
policies to prevent such registrations.

>> If we tell, or appear to tell, the poor lusers that we are
>> protecting them against a particular variety of attack --such
>> as confusing names-- and end up doing that often enough to be
>> persuasive that we are accomplishing something while remaining
>> open to slightly-more-clever attacks, we actually decrease
>> effective security by encouraging the user to become less
>> wary.
 
> With regards to wrong messages, I'm not so concerned about the
> typical "luser", but about the people between the end users
> and the hard-core tech experts. I'm not so much concerned
> about the actual loss of money. People who are stupid enough
> to click before thinking will click before thinking, whatever
> the circumstances. The APWG and others will be busy to take
> down phishers as fast as they can independent of what we may
> or may not tell people. But I'm concerned about the wasted
> effort on implementations and the damage from suboptimal
> implementations (e.g. showing only a small part of what could
> be shown without any direct spam potential).

That is fair and clearly part of the tradeoff we (and Gerv and
his colleagues and competitors in particular) are facing.  You
are concerned about that issue.  He is concerned about a harm
that he could reasonably prevent.  The position he has taken
with "Type B" is actually a fairly moderation one: if one
accepts his position about avoidable harm and combines it with
your "stupid people" hypothesis (in this contenxt essentially
equivalent to the abbreviated form "luser"), then the action he
should be taking might be to display the link (in either A-label
or U-label form) but respond to anyone clicking on it by popping
up a rather threatening "IDNs in this domain are not policed for
spoofing behavior and this one might be Really Evil; if you want
to continue. type the square root of three into this box to at
least digits of accuracy" (the latter to prevent anyone
mindlessly clicking "yes" and to exclude any user who doesn't
know what a square root is entirely) :-(.  I think both concerns
are reasonable and the difficulties lie in the tradeoffs with no
"right" answers (other than, possibly, "browsers shouldn't have
to deal with this nonsense because someone further upstream has
done so".

best,
   john




More information about the Idna-update mailing list