Hi all

If I understood correctly what I read on this issue:


- LDH characters = Letters (Latin A-Z and a-z, without accents, dieresis, tilde etc), Digits (0-9), and the Hyphen-minus sign
- Internationalized domain names (IDN) can be written with non-LDH characters
- IDNs were meant as a gesture of respect towards languages and cultures where writing doesn't stick to the LDH characters
- Sure, URL spoofing for phishing purposes can be done with LDH-only domain names (using zero instead of o, for instance), but the addition of non-LDH characters in IDNs makes the spoofing more difficult to detect. For instance, the Cyrillic "а"(*) cannot be told by sight from the Latin "a", though their ASCII coding is different. As "a" unfortunately occurs in "bank", "paypal", phishers have availed themselves of that. Besides, non-LDH characters also include "no-break space", which hugely increases the possibilities of "Homograph spoofing" (see "The state of spoofed IDN attacks", last updated Feb. 11, 2005, http://www.shmoo.com/idn/homograph.txt )
- Basic Explorer-tribe browsers don't support the reading of IDNs, but you can get a plug-in to do that
- Mozilla-tribe browsers support the reading of IDNs by default, so their users are more likely to become victims of IDN-based phishing schemes.
- See the Feb. 7 2005 Secunia warning about these phishing schemes: http://secunia.com/advisories/14163/


Now an article in Heise Online http://www.heise.de/newsticker/meldung/56110 (in German) suggests a workaround for Mozilla etc. users: disable IDN reading in the browser. Except that the disabling apparently lasts only until you quit your browser anyway. When you re-open it, IDN reading is automatically enabled again.

Anyway, in a discussion in Mozillazine about the Secunia warning, http://mozillazine.org/talkback.html?article=6038 , some people have maintained that disabling IDN reading would be discriminatory against minority cultures and languages. Others then suggested adding something to the software that would warn users that a URL contains non-LDH characters. Defenders of minority rights retorted it would be just as discriminatory as blocking them, because the alarm would also flag legitimate IDNs using non-LDH characters, thus equating them to phishing pages using these non-LDH characters.

Byzantine nit-picking or fundamental ethical issue? You tell me. I like the fact that minority respect is the focus of that discussion on Mozillazine. It shows once more that the free software movement is about freedom before being about tech (see http://www.gnu.org/philosophy/philosophy.html ). But are there not areas where minority rights must be fought for more urgently than domain names? And aren't the very people belonging to these minorities likely to become victims of these IDN phishing scams, because they are more likely than others to enable their browsers to read IDNs?

cheers

Claude
--
Claude Almansi
www.adisi.ch

(*) real Cyrillic "а" here: my daughter studies Russian so I have enabled the Russian keyboard in Windows XP home. But some of you might only see a squiggle if you haven't enabled Unicode (UTF-8)
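An added example, not part of the original message: a sketch of the two kinds of warning discussed above, a blanket "contains non-LDH characters" flag versus a narrower flag for labels that mix Latin letters with another script. The mixed-script rule goes beyond what the message describes; the function names, the sample hostnames and the use of Unicode character names as a rough script test are assumptions of this example.

```python
import unicodedata

# LDH = Letters (a-z), Digits (0-9), Hyphen-minus
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")

def script_of(ch):
    """Rough script guess: first word of the Unicode character name."""
    if ch.lower() in LDH:
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def classify_label(label):
    """Return 'ldh', 'non-ldh' (a single script) or 'mixed-script'."""
    if all(ch.lower() in LDH for ch in label):
        return "ldh"
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    return "mixed-script" if len(scripts) > 1 else "non-ldh"

def inspect_host(host):
    """Classify each dot-separated label and give its ASCII (punycode) form."""
    report = []
    for label in host.split("."):
        # Python's built-in "idna" codec converts one label to its xn-- form
        ascii_form = label.encode("idna").decode("ascii")
        report.append((label, classify_label(label), ascii_form))
    return report

# Constructed sample hostnames (not taken from the message)
SAMPLES = [
    "www.p\u0430ypal.com",   # second letter is Cyrillic U+0430, not Latin "a"
    "b\u00fccher.example",   # Latin with diaeresis: flagged only by a blanket rule
    "paypa1.example",        # LDH-only lookalike: neither rule flags it
]

if __name__ == "__main__":
    for host in SAMPLES:
        for label, kind, ascii_form in inspect_host(host):
            print(f"{host}: {label!r} -> {kind} ({ascii_form})")
```

A label written entirely in one non-Latin script is reported as 'non-ldh', not 'mixed-script', so a lookalike built from a single script is not separated from a legitimate IDN by this check.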

_______________________________________________
DIGITALDIVIDE mailing list
DIGITALDIVIDE@mailman.edc.org
http://mailman.edc.org/mailman/listinfo/digitaldivide