Information Security News mailing list archives

URLs in Urdu?


From: InfoSec News <isn () c4i org>
Date: Tue, 28 May 2002 03:26:11 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.sciam.com/2002/0602issue/0602scicit5.html

June 2002
By: Wendy M. Grossman

Is this the Web address of tomorrow: ? At the moment, non-Latin
alphabets and scripts are not compatible with ASCII, the lingua franca
of the Internet also known as plain text. But as of March only 40
percent of the 561-million-strong global online population were native
English speakers, according to online marketing firm Global Reach.  
Work has been proceeding for some time, therefore, to internationalize
the system that assigns domain names (sciam.com, for example) to the
dotted clumps of numbers that computers use (such as 192.1.1.0).

The technical side of things has been managed by the Internationalized
Domain Name Working Group of the Internet Engineering Task Force
(IETF). In April, VeriSign, the single largest registrar of domain
names, claimed to have registered about a million international names.  
But turning Web addresses into a multilingual forum may open the door
to a dangerous new hazard--hackers could set up fake sites whose
domain names look just like the ASCII version.

One example is a homograph of microsoft.com incorporating the Russian
Cyrillic letters "c" and "o," which are almost indistinguishable from
their Latin alphabet counterparts. The two students who registered it,
Evgeniy Gabrilovich and Alex Gontmakher of the Technion-Israel
Institute of Technology in Haifa, did so to make a point: they suggest
that a hacker could register such a name and take advantage of users'
propensity to click on, rather than type in, Web links. These fake
domain names could lead to a spoof site that invisibly captures bank
account information or other sensitive details.

In their paper, published in the Communications of the ACM, they paint
scary, if not entirely probable, scenarios. For instance, a hacker
would be able to put up an identical-looking page, hack several major
portals to link to the homographed site instead of the real one, and
keep it going unnoticed for perhaps years.

On a technical level, homograph URLs are not confusing. International
domain names depend on Unicode, a standard that provides numeric codes
for every letter in all scripts worldwide. And at its core, the
internationalization of the domain name system is a veneer: the
machines underneath can still only read ASCII.

According to the proposed standard, the international name will be
machine-translated at registration into an ASCII string composed of an
identifying prefix followed by two hyphens followed by a unique chunk
of letters and numbers: "iesg--de-jg4avhby1noc0d," for example. This
string would be translated back into Unicode and compared with the
retranslation of the original. So right now anyone using a standard
browser can easily see the difference between an internationalized
domain name and an ordinary one.
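To make the encoding and the homograph problem concrete, here is an added Python example (not from the article or from the researchers it quotes) that converts a label to its ASCII form and flags the mixed-script, look-alike label described above. It uses the "xn--" prefix and Punycode that were standardized after this article (RFC 3490/3492) rather than the "iesg--" draft form quoted here, and its confusable table is a constructed, partial one.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that look like Latin ones.
# The authoritative list is Unicode's confusables.txt; this is illustration only.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}

def to_ace(label: str) -> str:
    """ASCII-compatible encoding of one label: plain ASCII passes through,
    anything else becomes "xn--" + Punycode (the RFC 3490/3492 form that
    replaced the "iesg--" draft prefix quoted in the article)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def from_ace(label: str) -> str:
    """Inverse of to_ace: decode an "xn--" label back to Unicode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label: str) -> set:
    """Script names of the letters in a label, taken from the first word of
    each character's Unicode name ("LATIN", "CYRILLIC", "CJK", ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Fold confusable letters onto their Latin look-alikes so a spoof and
    its target compare equal."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)

def check_label(label: str, protected: set) -> list:
    """Reasons a registrar or browser should refuse or flag a label."""
    unicode_label = from_ace(label)
    findings = []
    scripts = scripts_in(unicode_label)
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    folded = skeleton(unicode_label)
    if folded != unicode_label and folded in protected:
        findings.append("confusable with " + folded)
    return findings

if __name__ == "__main__":
    # Constructed homograph: "microsoft" with Cyrillic es (U+0441) and o (U+043E).
    spoof = "mi\u0441r\u043es\u043eft"
    print(to_ace(spoof), check_label(to_ace(spoof), {"microsoft"}))
```

Running the check on the ASCII form, as a registrar would see it at registration, decodes it first, so the "veneer" the article describes does not hide the mixed scripts.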

This situation, however, is temporary. Technical drafts by the IETF
state that users should not be exposed to the ugly ASCII strings, so
increasingly users will have little way of identifying homographs.  
Computer scientist Markus G. Kuhn of the University of Cambridge notes
that for users to be sure they are connected to the desired site, they
will have to rely on the secure version of the Web protocol (https)  
and check that the site has a matching so-called X.509 certificate.  
"That has been common recommended practice for electronic banking and
commerce for years and is not affected by Unicode domain names," Kuhn
observes. Certification agencies (which include VeriSign) ensure that
encoded names are not misleading and that the registration corresponds
with the correct real-world entity.

But experience shows that the Internet's majority of unsophisticated
users "are vulnerable to all kinds of simple things because they have
no concept of what's actually going on," explains Lauren Weinstein,
co-founder of People for Internet Responsibility. Getting these users
to inspect site certificates is nearly impossible. Weinstein therefore
thinks that a regulatory approach will be necessary to prohibit
confusing names. Such an approach could be based on the current
uniform dispute resolution procedure of the Internet Corporation for
Assigned Names and Numbers (ICANN), the organization that oversees the
technical functions of handing out domain names. But it will require
proactive policing on the part of the registrars, such as VeriSign,
something they have typically resisted.

But are international domain names even necessary? Kuhn, who is
German, doesn't think so: "Familiarity with the ASCII repertoire and
basic proficiency in entering these ASCII characters on any keyboard
are the very first steps in computer literacy worldwide."  
Internationalizing names might succeed only in turning the global
network into a Tower of Babel.
 

 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

-
ISN is currently hosted by Attrition.org
