IDNA and U+08A1 and related cases (was: Re: Barry Leiba's Discuss on draft-ietf-json-i-json-05: (with DISCUSS and COMMENT))

Shawn Steele Shawn.Steele at
Tue Jan 27 02:17:10 CET 2015

> As a corollary: more competition by [constrained] TLDs is good because 
> if -say- com. allows too many embarrassing confusable domains to be registered, 
> leading to noticeable and noticed phishing attacks, 

I think that underestimates the users....  But "does it matter"?

I've received 4 emails today that made it through whatever spam filters for whatever reason.  All 4 of them seemed to provide the opportunity for phishing attacks, and 0 of them leveraged IDN.  For that matter, they weren't even trying to be that clever with the ASCII paths.

I think the impact on phishing and confusables may be embarrassing perhaps, but doesn't have much true impact on security.  How many times have you mistyped a URL and ended up somewhere else?  Often with advertising and stuff trying to make a few cents off of the target URL typos?

Too many companies send emails from "company at" (totally random) or send you to "" and expect you to complete a link.  So phishing stuff with is going to succeed.  They don't need confusable.  (I've even seen papers that suggest that scammers sometimes prefer obvious traps because they really want to get the gullible folks - obvious bad URLs could filter those out.)


