On Mon, Mar 29, 2010 at 6:56 AM, Keith Gaughan <[log in to unmask]> wrote:
> On Sun, Mar 28, 2010 at 06:21:26PM -0400, <deinx nxtxr> wrote:
>> Paul Bennett wrote:
>> > On Fri, 26 Mar 2010 08:35:39 -0300, Calculator Ftvb
>> > <[log in to unmask]> wrote:
>> >
>> >> True. However, computers could detect homoglyphs and provide notification
>> >> when a domain name contains homoglyphs of Latin letters.
>> >> (Homoglyph-detection would have to be dynamic, rather than hard-coded,
>> >> due to the immense number of characters...)
>> >
>> > Yes. It's possible for a browser to scan a domain name, and let the user
>> > know when it contains characters from different character sets, before
>> > letting them actually go to that URL. I don't know how secure I feel
>> > about letting the various browser vendors do this properly, however...
>> Given the poor quality of most software these days, I don't feel
>> comfortable with that either.  In general it's best to just rely on your
>> own bookmarks, or key in the domain yourself.
> The problem is currently being solved on a registry level by disallowing
> the registration of IDNs that contain characters that don't fit specific
> language profiles, so it shouldn't matter about the quality of
> software, if the registration of IDNs containing homoglyphs is
> prevented.

So one could still commit fraud if the faux domain consists of
characters entirely within the same script.  Some domains could still
be faked entirely within Cyrillic for example.  A sequence like "ace"
for example could be in either script, and it is possible there could
be legit organizations in each realm.

I think it may be best just to lump homoglyphs together and with each
domain registration, include all permutations.

> The real source of the problem was that when Internationalised Domain
> Names were introduced, nobody in the domain registries stopped to
> consider the possibility of the homoglyph attack, thus a whole bunch
> of domains were registered that used the exploit (as the article
> Christophe pointed to explains).

Obviously that was the case.  A lot of organizations these days seem
to lack foresight.
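The two checks this thread talks about, the browser-side scan for a label that mixes scripts and the harder case raised in this message where a label such as Cyrillic "асе" sits entirely within one script and only a comparison against a trusted name catches it, as an added example that is not part of the thread. The confusable table is a small constructed subset of the Unicode UTS #39 data, and `check_label` / `known_labels` are hypothetical names.

```python
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39): Cyrillic and
# Greek letters that render identically to Latin ones in common fonts.
# Illustrative only; the real table is far larger.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def script_of(ch):
    """Approximate a character's script from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and '-' count as COMMON."""
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def scripts_in_label(label):
    """Set of scripts (other than COMMON) used by one DNS label."""
    return {script_of(ch) for ch in unicodedata.normalize("NFC", label)} - {"COMMON"}

def skeleton(label):
    """Fold confusable letters onto their Latin look-alikes, so two labels
    that look the same on screen produce the same string."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)

def check_label(label, known_labels=()):
    """Warnings for one label: mixed scripts (the browser-side check), or a
    same-script look-alike of a label the user already trusts, such as a
    bookmark (the case a mixed-script check alone misses)."""
    warnings = []
    scripts = scripts_in_label(label)
    if len(scripts) > 1:
        warnings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    for trusted in known_labels:
        if label != trusted and skeleton(label) == skeleton(trusted):
            warnings.append("looks like trusted label %r (%s)"
                            % (trusted, ", ".join(sorted(scripts))))
    return warnings
```

Run against a bookmark list, the all-Cyrillic "асе" is flagged only because "ace" is already trusted, which is the gap registry-level script profiles leave open.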