nanog mailing list archives
RE: Non-English Domain Names Likely Delayed
From: "Jason Sloderbeck" <jason () positivenetworks net>
Date: Mon, 18 Jul 2005 17:43:02 -0500
I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site.
There are dozens of ways we know of, and probably more that lie undiscovered, to exploit vulnerabilities in DNS, browsers, and in human nature to conduct phishing.
Sure, there are bugs and hacks. The existence of such does not justify approving new measures (in this case, a glaring security hole) as a global standard. In fact, quite the opposite: folks are generally trying to fix such problems, not push them forward in public policy agenda.

It's clear that no one intended for the side effect of a complete meltdown in the user layer of SSL (where the only thing you can do is double-check the URL in your browser and verify there's a padlock icon in your status bar), but the side effect is there and it's naive to pretend that fairness to non-English folks or globalization justifies a hole this large. Certainly, the vulnerability is just as much a problem for the targeted benefactors of this change.

-Jason

--
Jason Sloderbeck
Positive Networks
jason @ positivenetworks . net

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Crist Clark
Sent: Monday, July 18, 2005 4:43 PM
Cc: NANOG
Subject: Re: Non-English Domain Names Likely Delayed

Isn't someone more eloquent than I going to point out that spending a lot of effort eliminating homographs from DNS to stop phishing is a security measure on par with cutting cell service to underground trains to prevent bombings? It focuses on one small vulnerability that phishers exploit, and "fixing" this one vulnerability just may make things worse. It wastes resources that could go to coming up with a *real* solution, and it may provide a false sense of security.

Worrying about homographs is probably something about which we should let the trademark lawyers get their undies in a bunch (knowing ICANN, that may very well be what's driving this, not phishing worries) while the IT security community concerns itself with a usable, and actually secure, end-to-end security model for e-commerce.

--
Crist J. Clark crist.clark () globalstar com
Globalstar Communications (408) 933-4387