On 2/15/12 8:32 AM, Mark Andrews wrote:
> ... Before deciding to go the IDNA route, treating DNS
> labels as UTF-8 was discussed, evaluated and rejected.
well, sort of. we started with "idn" as a wg label.
the smtp weenies opined that they'd never have a flag day and anything
other than a boot en
In message <86mx8kqpy7@seastrom.com>, "Robert E. Seastrom" writes:
>
> valdis.kletni...@vt.edu writes:
>
> > On Wed, 15 Feb 2012 10:44:38 +0100, Stephane Bortzmeyer said:
> >
> >> Challenge taken.
> >>
> >> RFC 2277, "IETF Policy on Character Sets and Languages", section 3.1,
> >> "Protocols
valdis.kletni...@vt.edu writes:
> On Wed, 15 Feb 2012 10:44:38 +0100, Stephane Bortzmeyer said:
>
>> Challenge taken.
>>
>> RFC 2277, "IETF Policy on Character Sets and Languages", section 3.1,
>> "Protocols MUST be able to use the UTF-8 charset [...] Protocols MAY
>> specify, in addition, how to
On Wed, 15 Feb 2012 10:44:38 +0100, Stephane Bortzmeyer said:
> Challenge taken.
>
> RFC 2277, "IETF Policy on Character Sets and Languages", section 3.1,
> "Protocols MUST be able to use the UTF-8 charset [...] Protocols MAY
> specify, in addition, how to use other charsets [something DNS does
>
On Mon, Feb 13, 2012 at 05:21:02PM +1100,
Mark Andrews wrote
a message of 25 lines which said:
> > utf-8 is the one used in the ietf community.
>
> I challenge you to find a RFC that say it is UTF-8.
Challenge taken.
RFC 2277, "IETF Policy on Character Sets and Languages", section 3.1,
"P
>> dns resolution is eight bit clear.
> It may be 8 bit clear but only 0-127 have defined meaning.
> 128-255 may be UTF-8 but they could equally be ISO-LATIN-*.
nothing means anything
In message , Randy Bush writes:
> >> dns itself is purely eight bit transparent. one can even have a dot as
> >> a non-separator. p.r.c could be a tld. it's strictly length/value.
> > That's true, but there is no standard character representation for
> > octet values 128 - 255.
>
> utf
Jimmy Hess wrote:
> As soon as you have a browser parsing punycode stuff, any string
> containing unicode characters has a unique punycode encoding / RFC
> 3491 / RFC 3492.
Labels (not "any string") which happens to be pure ASCII
are still case insensitive, which is DNS.
Note that, according t
On Sun, Feb 12, 2012 at 09:36:54PM -0800, Randy Bush wrote:
> > DNS is case-insensitive when you are talking about 7-bit ASCII
>
> < pedantry >
>
> dns itself is purely eight bit transparent. one can even have a dot as
> a non-separator. p.r.c could be a tld. it's strictly length/value.
>
> o
>> dns itself is purely eight bit transparent. one can even have a dot as
>> a non-separator. p.r.c could be a tld. it's strictly length/value.
> That's true, but there is no standard character representation for
> octet values 128 - 255.
utf-8 is the one used in the ietf community.
> Only o
On Sun, Feb 12, 2012 at 11:36 PM, Randy Bush wrote:
>> DNS is case-insensitive when you are talking about 7-bit ASCII
> < pedantry >
> dns itself is purely eight bit transparent. one can even have a dot as
> a non-separator. p.r.c could be a tld. it's strictly length/value.
That's true, but t
> DNS is case-insensitive when you are talking about 7-bit ASCII
< pedantry >
dns itself is purely eight bit transparent. one can even have a dot as
a non-separator. p.r.c could be a tld. it's strictly length/value.
of course, everyone and their dog has placed restrictions on it for this
use
2012/2/12 Masataka Ohta :
> valdis.kletni...@vt.edu wrote:
[snip]
> So, I can understand your attempt to insist on lowercase,
> but it does not work because DNS does not allow it.
[snip]
Not exactly... DNS is case-insensitive when you are talking about
7-bit ASCII; the set of alphabetic characte
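The point Randy and Valdis are making above (a name is strictly a sequence of length/value labels, a label may contain a literal dot or any octet, and only ASCII letters are case-folded on comparison) is easy to see in code. This is an added example, not code from the thread; it follows the wire format of RFC 1035 section 3.1 and the escaping and case rules of RFC 4343, and handles no compression pointers. The sample names are constructed.

```python
# Added example (not from the thread): DNS names as length/value label sequences.
# A label may contain any octet, including a literal '.', and only ASCII letters
# are case-folded on comparison (RFC 1035 section 3.1, RFC 4343).  Octets 128-255
# are carried unchanged and compared byte-for-byte; no charset is implied.

def encode_name(labels):
    """labels: list of bytes -> wire format (<len><octets>... 0)."""
    out = bytearray()
    for lab in labels:
        if not 0 < len(lab) < 64:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(lab))
        out += lab
    out.append(0)                     # root label terminates the name
    return bytes(out)

def decode_name(wire, offset=0):
    """Parse one uncompressed wire-format name; returns (labels, next_offset)."""
    labels = []
    while True:
        n = wire[offset]
        offset += 1
        if n == 0:
            return labels, offset
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(bytes(wire[offset:offset + n]))
        offset += n

def to_presentation(labels):
    """RFC 4343 section 2.1 escaping: '.' and '\\' inside a label get a backslash,
    other non-printable or non-ASCII octets become \\DDD (decimal)."""
    parts = []
    for lab in labels:
        s = ""
        for b in lab:
            if b in (0x2E, 0x5C):          # '.' or '\'
                s += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:
                s += chr(b)
            else:
                s += "\\%03d" % b
        parts.append(s)
    return ".".join(parts) + "."

def fold(lab):
    """Case-fold only ASCII A-Z; every other octet is left exactly as-is."""
    return bytes(b + 32 if 0x41 <= b <= 0x5A else b for b in lab)

def names_equal(a, b):
    """Name comparison as a resolver does it: label by label, ASCII-only folding."""
    return len(a) == len(b) and all(fold(x) == fold(y) for x, y in zip(a, b))

if __name__ == "__main__":
    # 'p.r.c' as a single top-level label: three dots, one label (constructed sample).
    wire = encode_name([b"p.r.c"])
    print(wire, to_presentation(decode_name(wire)[0]))
    # UTF-8 'cafe' with e-acute: the ASCII part folds, the high octets do not.
    print(names_equal([b"caf\xc3\xa9"], [b"CAF\xc3\xa9"]),
          names_equal([b"caf\xc3\xa9"], [b"caf\xc3\x89"]))
```

The last line shows why "8-bit clear" is not the same as "UTF-8": the lowercase and uppercase e-acute differ only in octets above 127, and the comparison treats them as distinct because no case mapping is defined there.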
>
>
> Oh, and 'i' and 'l' need to be banned as well, because a sans-serif uppercase I
> looks a lot like a sans-serif lowercase l. (In fact, in the font I'm currently
> using,
> the two are pixel-identical).
>
> I don't see anybody calling for the banning of 'i' and 'l' in domain names
> due to
valdis.kletni...@vt.edu wrote:
>> The problem is greekbank.gr is spoofable as greekbank.gr.
>
> That would be the .gr registry's problem then.
As it is the problem of IDN, same problem exist everywhere.
> They could take the same
> solution as the .ua registry -force lowercase and allow all-lat
On Sun, 12 Feb 2012 16:59:36 +0900, Masataka Ohta said:
> The problem is greekbank.gr is spoofable as greekbank.gr.
That would be the .gr registry's problem then. They could take the same
solution as the .ua registry -force lowercase and allow all-latin or all-greek
names.
Oh, what do you know..
On 2/12/2012 1:19 PM, Rich Kulawiec wrote:
> On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
>> All recent email clients I've come across give you anti-phishing
>> warnings in one way or another if the URL does not match the
>> actual link.
>
> Which is great, but doesn't help you i
In article you
write:
>btw, i'm quite sure that -banks- of all things have the resources to just
>take the transaction part for consumers -off their pcs- and simply send
>them a dedicated device with an ethernet port to do the transactions on.
More likely USB, but yes, a doozit with a small sc
Heck, even Klingon made it to the private UTF-8 registry,
http://en.wikipedia.org/wiki/Klingon_writing_systems
:)
Jeff
btw, i'm quite sure that -banks- of all things have the resources to just
take the transaction part for consumers -off their pcs- and simply send
them a dedicated device with an ethernet port to do the transactions on.
the same way they do in shops.
no more bothering with "omg what if they cli
That's why I recommend that banks et.al. don't put *any* URLs in their
messages. If they make this an explicit policy and pound it into the
heads of their customers that ANY message containing a URL is not from
them, and that they should always use their bookmarks to get to the
bank's site, then
On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
> All recent email clients I've come across give you anti-phishing
> warnings in one way or another if the URL does not match the actual link.
Which is great, but doesn't help you if the URL and the link are:
http://firstnatio
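The client-side check Vinny describes (warn when the visible URL and the actual link differ) can be written in a few lines; the example below is added here and is not from the thread. It parses anchors out of an HTML message body, compares the host shown in the link text against the host in the href, and additionally flags hrefs whose host is non-ASCII or punycode, which is the case Randy raised earlier. The HTML and the example.com hosts are constructed sample input.

```python
# Added example (not from the thread): flag links whose visible text and href
# point at different hosts, or whose href host is non-ASCII / punycode.
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; bare hostnames are accepted too."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reason) for each link that a client should warn about."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        # Treat the text as a URL/hostname only if it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else None
        reasons = []
        if shown and shown != target:
            reasons.append("text host %s != href host %s" % (shown, target))
        if any(ord(c) > 127 for c in target) or \
                any(lab.startswith("xn--") for lab in target.split(".")):
            reasons.append("non-ASCII or punycode host %s" % target)
        if reasons:
            flagged.append((href, text, "; ".join(reasons)))
    return flagged

# Constructed sample message body (hosts are illustrative, not real sites).
SAMPLE = """
<p>Please <a href="https://bank.example.com/login">log in</a> to continue.</p>
<p>Or use <a href="http://bank.example.com.attacker.example/login">https://bank.example.com/login</a></p>
<p>Or see <a href="http://b\u0430nk.example.com/">bank.example.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(repr(text), "->", href, ":", reason)
```

The third sample link is the one hovering does not catch: the text and the href look identical, and only the Cyrillic letter in the href host gives it away.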
>>What is truly evil is non text/plain email.
>
>Have we fallen through a time warp into 1996?
Evidently yes. Look, it's a known-not-to-work SMTP callback:
>:
>Connected to 69.172.205.65 but sender was rejected.
>Remote host said: 578 jo...@iecc.com address rejected with reverse-check
--
Regar
The DNS "industry" is putting us a long way from when RFC 2826 was written.
That's true, but you can't just blow off the majority of people in the
world who use languages that you can't write in the ASCII character set.
It's a hard problem. I wouldn't say that ICANN's approach has been
opti
The DNS "industry" is putting us a long way from when RFC 2826 was written.
Christian
On 12 Feb 2012, at 01:31, John Levine wrote:
>> Nice. Basically, unless the TLD registrar has a public policy that
>> basically says
>> "We don't allow names with cyrillic C to collide with MICROSOFT", thei
>What is truly evil is non text/plain email.
Have we fallen through a time warp into 1996?
R's,
John
--
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
On 2/11/2012 4:37 PM, Keith Medcalf wrote:
>> Unfortunately that's not under control of those businesses. This
>> plain text email you sent comes across with clickable mailto and
>> http links in your signature in most modern email clients despite
>> you having sent it in plain text. "Helpful" emai
valdis.kletni...@vt.edu wrote:
> Doesn't actually matter, because the .ua registry isn't allowing Greek Gamma
> or Latin-E-with-diaeresis, in domain names.
Such local conventions have nothing to do with internationalization.
> But quite frankly,
> turning off IDN doesn't fix that problem - greekb
On Feb 11, 2012, at 10:57 PM, Joel jaeggli wrote:
> On 2/11/12 19:34 , Sven Olaf Kamphuis wrote:
>> yes, domain names that cannot be typed in with any keyboard/charset on
>> any computer out there, excellent idea, divide and conquer, i wonder
>> who came up with that idiotic plan again, probably
On 2/11/12 19:34 , Sven Olaf Kamphuis wrote:
> yes, domain names that cannot be typed in with any keyboard/charset on
> any computer out there, excellent idea, divide and conquer, i wonder
> who came up with that idiotic plan again, probably the ITU or one of
> their infiltrants in icann.
If it'
On Sat, Feb 11, 2012 at 11:13 PM, wrote:
> On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
>> valdis.kletni...@vt.edu wrote:
> It's interesting how some people are insisting that the IDN code has to be
> *perfect* and make it *totally* impossible to create a phishable spoof of
> a domain
valdis.kletni...@vt.edu wrote:
>> (and that despite the fact that it's perfectly well possible to write -any
>> language out there- in the first 7 bits of ascii)
Yes, any language including FORTRAN.
> And it's *equally* possible to write "any language out there" using a
> 7-bit encoding of the C
On Sun, 12 Feb 2012 10:25:53 +0900, Masataka Ohta said:
> valdis.kletni...@vt.edu wrote:
>
> > (The actual policy for the .UA registrar is more subtle. They *do* in fact
> > allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us
> > Latin-glyph
> > users. However, they require at lea
Neil Harris wrote:
> I'm not a flag-waver for IDN, so much as a proponent of ways to make IDN
> safer, given that it already exists.
It's like trying to make DES safer.
> Lots of people have thought about this quite carefully.
Not at all. They (including some Japanese) just wished IDN
work igno
On Sun, 12 Feb 2012 03:47:24 GMT, Sven Olaf Kamphuis said:
> (and that despite the fact that it's perfectly well possible to write -any
> language out there- in the first 7 bits of ascii)
And it's *equally* possible to write "any language out there" using a
7-bit encoding of the Cyrillic characte
as if it wasn't annoying enough already that some n00bs are using URIs
with characters you can't type in (and in most cases don't even display
correctly), icann has a better idea! hostnames you can't type in!
all those struggling regimes that want to keep local control over our
internets are
yes, domain names that cannot be typed in with any keyboard/charset on any
computer out there, excellent idea, divide and conquer, i wonder who
came up with that idiotic plan again, probably the ITU or one of their
infiltrants in icann.
how about, we simply don't code any software or adjust
On 12/02/12 00:09, Masataka Ohta wrote:
> Neil Harris wrote:
>
>> Techniques to deal with this sort of spoofing already exist: see
>>
>> http://www.mozilla.org/projects/security/tld-idn-policy-list.html
> It does not make sense that .COM allows Cyrillic characters:
>
> http://www.iana.org/domains/i
>Nice. Basically, unless the TLD registrar has a public policy that basically
>says
>"We don't allow names with cyrillic C to collide with MICROSOFT", their
>hostnames
>all get displayed as xn--gobbledygook.
More or less. ICANN has been wrestling with the lookalike character
issue in domain na
valdis.kletni...@vt.edu wrote:
> (The actual policy for the .UA registrar is more subtle. They *do* in fact
> allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us
> Latin-glyph
> users. However, they require at least one character that's visually unique to
> Cyrillic in the domain
On Fri, Feb 10, 2012 at 10:56 AM, Steven Bellovin wrote:
You know, clickable objects in automated business communications are a
standard practice,
the larger the organization sending the message, the more complicated
and annoying their standard e-mail template full of HTML eyecandy, the
more cli
Neil Harris wrote:
> Techniques to deal with this sort of spoofing already exist: see
>
> http://www.mozilla.org/projects/security/tld-idn-policy-list.html
It does not make sense that .COM allows Cyrillic characters:
http://www.iana.org/domains/idn-tables/tables/com_cyrl_1.0.html
i script of a
> Unfortunately that's not under control of those businesses. This plain text
> email you sent comes across with clickable mailto and http links in your
> signature in most modern email clients despite you having sent it in plain
> text. "Helpful" email program defaults won't force people to copy a
On Sat, 11 Feb 2012 09:09:25 PST, Randy Bush said:
> My $0.02 on this issue is if the message is rich text I hover over the
> link
> and see where it actually sends me.
> >>> idn has made this unsafe
> > Techniques to deal with this sort of spoofing already exist: see
> > http://www
On Feb 11, 2012, at 12:13 PM, chris wrote:
> The internet was way cooler before that
Yes, and a lot of us could run open relays on our SMTP servers to help each
other out, and a full usenet feed fit on a plain ol' 9600 baud link.
But no way I could have at home the kind of bandwidth I can get
The internet was way cooler before that
chris
On Feb 11, 2012 12:09 PM, "Randy Bush" wrote:
> My $0.02 on this issue is if the message is rich text I hover over
> the link
> and see where it actually sends me.
> >>> idn has made this unsafe
> > Techniques to deal with this sort of spoo
My $0.02 on this issue is if the message is rich text I hover over the link
and see where it actually sends me.
>>> idn has made this unsafe
> Techniques to deal with this sort of spoofing already exist: see
> http://www.mozilla.org/projects/security/tld-idn-policy-list.html
> for one qui
On 11/02/12 01:16, Masataka Ohta wrote:
> Randy Bush wrote:
>
>>> My $0.02 on this issue is if the message is rich text I hover over the link
>>> and see where it actually sends me.
>> idn has made this unsafe
> I pointed it out at IETF Munich in 1997 that with an example of:
>
> MICROSOFT.CO
security vs. convenience...
-Vinny
-Original Message-
From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Friday, February 10, 2012 7:24 PM
To: Brandon Butterworth
Cc: nanog@nanog.org
Subject: Re: Dear RIPE: Please don't encourage phishing
On 10 February 2012 16:09, Brandon Butterworth
On Fri, 10 Feb 2012 16:24:11 PST, Landon Stewart said:
> I don't click it. Not sure how long it's going to take, probably a
> generation, for people to use some sense before mindlessly clicking on
> stuff.
Only if you find a way to keep more idiots from being born. :)
I don't think anybody wants
On Friday 10 February 2012 17:24, Landon Stewart wrote:
> My $0.02 on this issue is if the message is rich text I hover over the link
> and see where it actually sends me. If I don't know what that link is then
> I don't click it.
Oh really? How about trying this: Go to Google and search "is
Randy Bush wrote:
>> My $0.02 on this issue is if the message is rich text I hover over the link
>> and see where it actually sends me.
>
> idn has made this unsafe
I pointed it out at IETF Munich in 1997 that with an example of:
MICROSOFT.COM
where 'C' of MICROSOFT is actually a Cyril
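The MICROSOFT.COM example Ohta gives above, the Mozilla per-TLD display policy John Levine mentions, and the .ua rule Valdis describes (Cyrillic ES is allowed, but the label must contain at least one letter that is unmistakably Cyrillic) all come down to the same two checks on a label. The example below is added here and is not code from the thread or from any registry or browser; it uses Python's built-in idna codec (IDNA2003, RFC 3490 to 3492) for the xn-- form, and the set of Cyrillic lookalike letters is an illustrative subset assumed for the example, not an official confusables table.

```python
# Added example (not from the thread): punycode form and a mixed-script /
# all-lookalike check for IDN labels.
import unicodedata

# Assumed, illustrative subset (not any registry's table) of Cyrillic lowercase
# letters whose usual glyphs are indistinguishable from Latin a e o p c y x i s j.
CYRILLIC_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0455\u0458")

def script_of(ch):
    """Crude script tag taken from the Unicode character name (LATIN, CYRILLIC,
    GREEK, ...); digits, hyphens and other non-letters are COMMON."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def label_scripts(label):
    return {script_of(c) for c in label} - {"COMMON"}

def to_ascii(domain):
    """IDNA ToASCII via Python's built-in codec; ASCII labels pass through,
    the rest become xn-- punycode."""
    return domain.encode("idna").decode("ascii")

def check_label(label):
    """The .ua-style rule: a label must be single-script, and a Cyrillic label
    must contain at least one letter with no Latin lookalike.
    Returns (accepted, reason)."""
    scripts = label_scripts(label)
    if len(scripts) > 1:
        return False, "mixed scripts: " + ", ".join(sorted(scripts))
    if scripts == {"CYRILLIC"}:
        cyrillic = [c for c in label if script_of(c) == "CYRILLIC"]
        if all(c in CYRILLIC_LOOKALIKES for c in cyrillic):
            return False, "every Cyrillic letter has a Latin lookalike"
    return True, "ok"

def display_form(domain):
    """Show the Unicode form only if every label passes check_label; otherwise
    fall back to the xn-- form, in the spirit of the per-TLD browser policy
    mentioned in the thread."""
    if all(check_label(lab)[0] for lab in domain.split(".")):
        return domain
    return to_ascii(domain)

if __name__ == "__main__":
    spoof = "micr\u043esoft.com"      # the 'o' is U+043E CYRILLIC SMALL LETTER O
    print(to_ascii(spoof))
    print(check_label(spoof.split(".")[0]), display_form(spoof))
    # A legitimate all-Cyrillic label: the short-i and te are unmistakably Cyrillic.
    print(check_label("\u0441\u0430\u0439\u0442"))
    # All four letters have Latin lookalikes, so this one would be refused.
    print(check_label("\u0441\u043e\u0440\u0435"))
```

Note that the idna codec happily encodes the spoof; the codec is not where the protection lives. The registry (at registration) and the browser (at display) are the only places the script check can be applied, which is what the thread is arguing about.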
> My $0.02 on this issue is if the message is rich text I hover over the link
> and see where it actually sends me.
idn has made this unsafe
randy
On 10 February 2012 16:09, Brandon Butterworth wrote:
> > So it's necessary to throw the baby out with the bathwater, and tell them
> > never to click on a link...
>
> That baby was ugly anyway
>
>
HAHAHA.
My $0.02 on this issue is if the message is rich text I hover over the link
and see where
There used to be the old programming benchmark of how large a "program"
(in lines, as well as compiled bytes) it took to say "Hello, world."
The 21st century benchmark might now well be the size of a "Hello,
world" e-mail.
Or a web page with a similar statement.
Jeff
On 2/10/2012 6:46 PM, Rich
> So it's necessary to throw the baby out with the bathwater, and tell them
> never to click on a link...
That baby was ugly anyway
brandon
On Fri, Feb 10, 2012 at 09:37:01AM -0800, Leo Bicknell wrote:
> Remind me again why we live in this sad world Randy (correctly) described?
Because banks and many other institutions have prioritized all-singing,
all-dancing, bloated, horribly-badly-marked-up HTML email with
"stationery" and logos and
On Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
> > So because of phishing, nobody should send messages with URLs in them?
>
> more and more these days, i have taken to not clicking the update messages,
> but going to the web site manually to get it.
Web site? With the RIPE db one c
- Original Message -
> From: "Steven Bellovin"
> What's the line -- "I know I'm paranoid, but am I paranoid enough?"
"Just because people say you're paranoid, that doesn't mean that there
*aren't* people out to get you."
Cheers,
-- jra
--
Jay R. Ashworth Baylink
On Feb 10, 2012, at 12:37:01 PM, Leo Bicknell wrote:
> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush
> wrote:
>> more and more these days, i have taken to not clicking the update messages,
>> but going to the web site manually to get it.
>>
>> way too much phishin
On Feb 10, 2012, at 12:29:30 PM, Randy Bush wrote:
>> So because of phishing, nobody should send messages with URLs in them?
>
> more and more these days, i have taken to not clicking the update messages,
> but going to the web site manually to get it.
Yup -- I wrote about that a while back
(
- Original Message -
> From: "Valdis Kletnieks"
> On Fri, 10 Feb 2012 14:44:29 EST, Jay Ashworth said:
> > a picture of an abandoned factory, with the doors flapping in the wind,
> > because the company went out of business because someone got spearphished.
>
> Has this ever been spotted
On Fri, 10 Feb 2012 14:44:29 EST, Jay Ashworth said:
> a picture of an abandoned factory, with the doors flapping in the wind,
> because the company went out of business because someone got spearphished.
Has this ever been spotted in the wild? Serious question - most of the
well-publicized
spea
- Original Message -
> From: "JC Dill"
> If you wanted to have a similar effect at $workplace, try a similar
> visual (e.g. a mockup of 2 screenshots, first clicking on a link in
> email then typing in a password on a webpage with a phishing URL (with a
> typo)) as the screen saver on all
On Fri, Feb 10, 2012 at 12:28:22PM -0500, Steven Bellovin wrote:
> If they're intended as a path to log in with a typed password, that's correct.
> Sad, but correct.
I agree. Training your customers/clients to click on URLs in email
messages is precisely equivalent to training them to be phish vi
On 10/02/12 10:00 AM, Jay Ashworth wrote:
Even lots of *technical* people just don't understand what "a security-related URL" *is*, and there's almost always no way to teach them.
Freakonomics recently aired a story about the problem of getting Doctors
to follow hand hygiene rules and wash the
- Original Message -
> From: "William Herrin"
> And if we could just train people to never send or accept email
> attachments, we could get rid of email-spread viruses. Not gonna
> happen -- the functionality is too useful.
>
> Security isn't just about what you can train someone to do...
On Fri, Feb 10, 2012 at 1:00 PM, Jay Ashworth wrote:
>> From: "William Herrin"
>> Big problem with clickable objects which lead to PII (personally
>> identifiable information) or passwords. That's how phishing works -- a
>> disguised url that you either see at all or whose incorrect nature
>> sli
> We know how to sign and encrypt e-mail.
there is a public key distribution and trust problem
> We know how to sign DNS.
not very reliably yet
randy
Leo,
This has nothing to do with the competency of the folks on the
nanog list. It's a safe rule in general. Why? Because the stupid on the
Internet outnumbers all of us. It's just easier to not send clickable
links than it is to have the call center lit up because your users are
getting h
- Original Message -
> From: "William Herrin"
> Big problem with clickable objects which lead to PII (personally
> identifiable information) or passwords. That's how phishing works -- a
> disguised url that you either see at all or whose incorrect nature
> slips right past your brain. The
On Fri, 10 Feb 2012 09:37:01 PST, Leo Bicknell said:
> We know how to sign and encrypt web sites.
>
> We know how to sign and encrypt e-mail.
>
> We even know how to compare keys between the web site and e-mail via a
> variety of mechanisms.
>
> We know how to sign DNS.
>
> Remind me again why we
> While still perfectly intelligible, most folks who use English as a
> second language don't speak in the same voice as, say, Wells Fargo
> corporate communications.
yep. if it's intelligible, it can't really be from wells fargo corp
comms.
randy
> There's no reason my mail client shouldn't validate the signed e-mail
> came from the same entity as the signed web site I'd previously logged
> into, and give me a green light that the link actually points to said
> same web site with the same key. It should be transparent, and secure
> for the
The line gets crossed when you send an unsolicited message that includes a
clickable change password link, that a phisher would find interesting
to emulate.
After the fact, if a phisher gets one of your customers to click on such a
link, you'd like to tell them them in response, or preemptively,
In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
> more and more these days, i have taken to not clicking the update messages,
> but going to the web site manually to get it.
>
> way too much phishing, and it is getting subtle and good.
We know how to sign and
> It seems as if they're no longer written by non-native English
> speakers, which goes a long way towards making them more insidious.
> While still perfectly intelligible, most folks who use English as a
> second language don't speak in the same voice as, say, Wells Fargo
> corporate communication
On Fri, Feb 10, 2012 at 12:18 PM, Richard Barnes
wrote:
> On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin wrote:
>> I received the enclosed note, apparently from RIPE (and the headers check
>> out).
>> Why are you sending messages with clickable objects that I'm supposed to use
>> to
>> change
On Feb 10, 2012, at 9:29 AM, Randy Bush wrote:
>> So because of phishing, nobody should send messages with URLs in them?
>
> more and more these days, i have taken to not clicking the update messages,
> but going to the web site manually to get it.
>
> way too much phishing, and it is getti
> So because of phishing, nobody should send messages with URLs in them?
more and more these days, i have taken to not clicking the update messages,
but going to the web site manually to get it.
way too much phishing, and it is getting subtle and good.
randy
If they're intended as a path to log in with a typed password, that's correct.
Sad, but correct.
On Feb 10, 2012, at 12:18 PM, Richard Barnes wrote:
> So because of phishing, nobody should send messages with URLs in them?
>
>
>
> On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin wrote:
>> I re
So because of phishing, nobody should send messages with URLs in them?
On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin wrote:
> I received the enclosed note, apparently from RIPE (and the headers check
> out).
> Why are you sending messages with clickable objects that I'm supposed to use
> t