[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Cryptography] On those spoofed domain names...
- From: William Allen Simpson <william.allen.simpson AT gmail.com>
- Subject: Re: [Cryptography] On those spoofed domain names...
- Date: Sun, 11 Mar 2018 06:57:56 -0400
- Arc-authentication-results: i=1; mx.google.com; dkim=neutral (body hash did not verify) firstname.lastname@example.org header.s=20161025 header.b=lUG8h7Aq; spf=pass (google.com: best guess record for domain of cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com designates 126.96.36.199 as permitted sender) smtp.mailfrom=cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:cc:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:to:dkim-signature :delivered-to:arc-authentication-results; bh=keNEAYrpxMGOLUycTENApc9GsHmRzo2ohVko5WYKhiU=; b=tZ+dFbF0es/4gp5CycqALtpuDAUcBOGCcmQMQEkNR7wcFaHUT0KbVO3EvAxWDjxePx LMUsTif8SftVcNE6yrQnoiOkYDWx6b4duP/rGA3qJtJrbvsvWoPpgb1w92YpSlXdZRVq CSam6PwiCUMoWrKQwILP9XACBGXxzF7xuEbeJ5AgijNffr0AfPaFtO3ZE5KjmK+m7rMS /q7zxK63YdsriIcG7EGhfxAd+nt0XcQrq/fUJRverszOYmuvBAGsuEdrPc7uTcpgpSGw fOK/BpXpQU7tVBtyDb+dnX6bEI3OqWzoJ/kKruJEmYCFLSMdWKnfVAzuT2CGc92tJX+S Qwlg==
- Arc-seal: i=1; a=rsa-sha256; t=1520790384; cv=none; d=google.com; s=arc-20160816; b=Yx/qGg2BSXat0jVszO3L9EzoxhwM97GjVgjn5n4acWe8nnNehAm/dVsdLQZBTXm2ur h2+EHcup4/3ZzjdgP0r9Fu+ucquQBHjqdG3Nr5UU6R08IdjnSNcPAI9i6VdbJaDTUW0b ldWmfsov6/IPRF8lSRflWnAGR77CcJRF25qlZqeFU4rIf92DvQcAoIkkk5tEvGyO5U5r etDIZtz0ywUliM8M6HfwrmCb/rb9mMoRo8OJjWr+J9GywiE/OfHptiWxwETXXm8o76eb fvZ9RxdMVJGOWzGqVVCRPr/n03UqG3WFm9GDdxzWFqKVqBPjj1IKwZ3xOtwCShY2z9fe f4Kg==
- Cc: cryptography mailing list <cryptography AT metzdowd.com>
- List-archive: <http://www.metzdowd.com/pipermail/cryptography/>
- Sender: "cryptography" <cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com>
- To: John Ioannidis <ji AT tla.org>, Ray Dillinger <bear AT sonic.net>
On 3/10/18 1:32 PM, John Ioannidis wrote:
While I do not disagree that Unicode is an abomination, it is not Unicode's fault that the IETF decided that internationalized domain names with native character sets was a good idea.
IIRC, pushed by some Greeks? (and a lot of East Asians).
The underlying *security* problem is that people trust the name they read. Or that even if they've read it "correctly" it somehow means something. That's certainly not Unicode's fault.
Agreed. Amusingly, I had to rescue this message from my spam folder, as
Gmail tells me:
Be careful with this message. Someone might be trying to trick you by
using similar looking characters in their email address or links (for
example replacing the letter "O" with the number "0").
Even with your examples in the body, not the address....
Anyway, this problem goes even farther. With "zero-touch" Internet of
Things, they want us to trust our lamp/refrigerator/television to be
trusted to bypass the firewall and talk to somewhere outside, simply
because it has some manufacturer's signed certificate in/on it.
That is, because we can read that it says "LG" on the outside, and the
machine itself can verify its own signature, we should trust it.
Trust is not transitive.
The cryptography mailing list
cryptography AT metzdowd.com