On Mon, Mar 29, 2010 at 6:56 AM, Keith Gaughan <[log in to unmask]> wrote:
> On Sun, Mar 28, 2010 at 06:21:26PM -0400, <deinx nxtxr> wrote:
>
>> Paul Bennett wrote:
>> > On Fri, 26 Mar 2010 08:35:39 -0300, Calculator Ftvb
>> > <[log in to unmask]> wrote:
>> >
>> >> True. However, computers could detect homoglyphs and provide notification
>> >> when a domain name contains homoglyphs of Latin letters.
>> >> (Homoglyph-detection would have to be dynamic, rather than hard-coded,
>> >> due to the immense number of characters...)
>> >
>> > Yes. It's possible for a browser to scan a domain name, and let the user
>> > know when it contains characters from different character sets, before
>> > letting them actually go to that URL. I don't know how secure I feel
>> > about letting the various browser vendors do this properly, however...
>>
>> Given the poor quality of most software these days, I don't feel
>> comfortable with that either. In general it's best to just rely on your
>> own bookmarks, or key in the domain yourself.
>
> The problem is currently being solved on a registry level by disallowing
> the registration of IDNs that contain characters that don't fit specific
> language profiles, so it shouldn't matter about the quality of
> software, if the registration of IDNs containing homoglyphs is
> prevented.

So one could still commit fraud if the faux domain consists of characters entirely within the same script. Some domains could still be faked entirely within Cyrillic for example. A sequence like "ace" for example could be in either script, and it is possible there could be legit organizations in each realm. I think it may be best just to lump homoglyphs together and with each domain registration, include all permutations.

> The real source of the problem was that when Internationalised Domain
> Names were introduced, nobody in the domain registries stopped to
> consider the possibility of the homoglyph attack, thus a whole bunch
> of domains were registered that used the exploit (as the article
> Christophe pointed to explains).

Obviously that was the case. A lot of organizations these days seem to lack foresight.
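
The two checks discussed in this thread, side by side, as an added example that is not part of the original messages: a mixed-script test of the kind a browser or registry profile would apply, and a "lump homoglyphs together" comparison that also catches a label written entirely in one script. The function names are hypothetical and the homoglyph table is a small constructed sample, not a complete list.

```python
import unicodedata

# Constructed sample table: Cyrillic letters and the Latin letters they resemble.
# Assumption: a real registry would load a full confusables list instead.
HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def scripts(label):
    """Scripts used by the letters of a label, read from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isalpha():
            # Names look like "LATIN SMALL LETTER A"; the first word is the script.
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(label):
    """Fold every known homoglyph onto one representative letter."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())


def check_registration(label, registered):
    """Return (verdict, detail) for a requested label against existing labels."""
    used = scripts(label)
    if len(used) > 1:
        # The language-profile rule: one label, one script.
        return ("mixed-script", sorted(used))
    wanted = skeleton(label)
    for existing in sorted(registered):
        # A single-script label can still look identical to an existing one.
        if existing != label and skeleton(existing) == wanted:
            return ("collides", existing)
    return ("ok", None)
```

The all-Cyrillic form of "ace" passes the mixed-script test and is only caught by the skeleton comparison, which is the gap the reply above describes.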