North American Network Operators Group


Re: Non-English Domain Names Likely Delayed

  • From: Neil Harris
  • Date: Mon Jul 18 10:24:33 2005

Brandon Butterworth wrote:

Already, some 21 TLDs are whitelisted, including .cn, .tw, a number
of European ccTLDs, .museum, and .info. Any other registrars who
want to be supported can simply E-mail Gerv at the Mozilla
Foundation, or his Opera counterpart, and give them a pointer to
their anti-spoofing rules.

I don't think it's a good idea to introduce a system with a known
vulnerability and try and work around it by having some people agree
they'll police the exploit. No doubt the people protecting us
will be tempted to exploit it themselves by trying to sell
the spoofs to the spoofed domain owner as essential international
branding (.mobi, yeah. .com is shorter and people should learn
about content negotiation to present suitable content to mobiles,
no need to buy your domains all over again)

If this goes ahead the browser needs a default on button for
"please don't expose me to this spoofing attack"

brandon




Unfortunately, the problem is inherent in human writing systems. Consider rnicrosoft.com and paypaI.com.

The good news is that fairly simple homograph rules can be applied to collapse the namespace into visually distinct labels: see TR #36. See also https://bugzilla.mozilla.org/show_bug.cgi?id=279099 for a lengthy group discussion of the issues involved.

As a side-effect of this, implementing either a blocking bundling or inclusive bundling policy has the effect of precluding a registry from selling potential spoofs to others. The former requires no change to existing software, apart from a check at name registration time; the latter requires either the generation of huge zonefiles, or a few lines of code and a ~128kbyte static lookup table to be added to DNS server software: see RFC 3743 for more detail than you ever wanted to know about bundling.

Neither is beyond the wit of man, particularly given commercial pressure from registry customers.

Neil
(my personal views only, not that of any organization)
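
The registration-time check described for a blocking bundling policy can be sketched as follows. This is an added example, not part of the original message or of any registry's software; the names `skeleton` and `Registry` are hypothetical, and the confusables table is a small constructed subset, not the Unicode data.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (an assumption for this
# example; a real deployment would load a full, maintained mapping).
# DNS labels are case-insensitive, so "i" must be treated as displayable
# as "I", which is why it folds into the same class as "l" and "1".
CONFUSABLE_CHARS = {
    "i": "l", "1": "l", "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(label):
    """Collapse a label to one representative of its look-alike class."""
    text = unicodedata.normalize("NFKC", label).casefold()
    text = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)
    for seq, repl in CONFUSABLE_SEQUENCES.items():
        text = text.replace(seq, repl)
    return text


class Registry:
    """Blocking policy: one registration per skeleton, checked at sign-up."""

    def __init__(self):
        self._holder = {}  # skeleton -> label that was registered first

    def register(self, label):
        key = skeleton(label)
        if key in self._holder:
            return (False, self._holder[key])  # blocked: look-alike exists
        self._holder[key] = label
        return (True, label)


if __name__ == "__main__":
    reg = Registry()
    for name in ["microsoft", "paypal", "rnicrosoft", "paypaI", "p\u0430ypal", "example"]:
        print(name, reg.register(name))
```

Folding "i" into "l" is conservative and will also block some labels that are visually distinct in lowercase; that trade-off is a policy choice for the registry.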