
Re: [Cryptography] On those spoofed domain names...

On 3/10/18 1:32 PM, John Ioannidis wrote:
> While I do not disagree that Unicode is an abomination, it is not Unicode's fault that the IETF decided that internationalized domain names with native character sets was a good idea.

IIRC, pushed by some Greeks? (and a lot of East Asians).

> The underlying *security* problem is that people trust the name they read. Or that even if they've read it "correctly" it somehow means something. That's certainly not Unicode's fault.

Agreed.  Amusingly, I had to rescue this message from my spam folder, as
Gmail tells me:

  Be careful with this message. Someone might be trying to trick you by
  using similar looking characters in their email address or links (for
  example replacing the letter "O" with the number "0").

Even with your examples in the body, not the address....

Anyway, this problem goes even farther.  With "zero-touch" Internet of
Things, they want us to trust our lamp/refrigerator/television to be
trusted to bypass the firewall and talk to somewhere outside, simply
because it has some manufacturer's signed certificate in/on it.

That is, because we can read that it says "LG" on the outside, and the
machine itself can verify its own signature, we should trust it.

Trust is not transitive.
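The look-alike-character problem that Gmail's warning above describes is mechanically checkable. What follows is an added example, not code from this thread or its authors: it converts a domain to its punycode (xn--) form with the stdlib IDNA codec, flags labels that mix scripts (Latin plus Cyrillic, say), and compares a confusable-folded "skeleton" of a candidate name against a target so that "pаypal" with a Cyrillic а, or "paypa1" with a digit one, is reported as a look-alike of "paypal". The confusables table is a small hand-picked subset constructed for the example; a real deployment would load the full UTS #39 confusables.txt.

```python
import unicodedata

# Hand-picked subset of look-alike pairs, constructed for this example.
# A real deployment would load the full UTS #39 confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "0": "o",       # digit zero vs letter o (the example in Gmail's warning)
    "1": "l",       # digit one vs letter l
}

# Script prefixes as they appear in Unicode character names.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL")


def script_of(ch):
    """Coarse script of one character, derived from its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    if ch.isdigit():
        return "DIGIT"
    return "OTHER"


def canonical(domain):
    """NFKC-fold and lowercase, so visually identical forms compare equal."""
    return unicodedata.normalize("NFKC", domain).lower().rstrip(".")


def to_ascii(domain):
    """Punycode (xn--) form of a domain, via the stdlib IDNA codec."""
    return canonical(domain).encode("idna").decode("ascii")


def skeleton(domain):
    """Fold every confusable character to its ASCII look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in canonical(domain))


def analyze(domain):
    """Per-domain facts a mail or URL filter would want to log or act on."""
    d = canonical(domain)
    scripts = {script_of(ch) for ch in d if ch not in ".-"}
    scripts -= {"DIGIT", "OTHER"}          # digits and punctuation belong to no script
    ascii_form = to_ascii(d)
    return {
        "ascii": ascii_form,
        "skeleton": skeleton(d),
        "is_idn": ascii_form != d,          # at least one label needed punycode
        "mixed_script": len(scripts) > 1,   # e.g. Latin letters next to Cyrillic ones
    }


def looks_like(candidate, target):
    """True when candidate renders like target but is actually a different name."""
    same_skeleton = skeleton(candidate) == skeleton(target)
    return same_skeleton and to_ascii(candidate) != to_ascii(target)


if __name__ == "__main__":
    # Constructed inputs: a genuine name and three look-alikes of it.
    for name in ("paypal.com", "p\u0430ypal.com", "paypa1.com", "g00gle.com"):
        print(name, analyze(name), "looks like paypal.com:",
              looks_like(name, "paypal.com"))
```

The two signals are deliberately separate: a mixed-script label is suspicious on its own, regardless of what it resembles, while the skeleton comparison only fires against a list of names you care about (your own brand, your bank). A name that is entirely Cyrillic, such as a .рф domain, is an IDN but not mixed-script, and should not be flagged by the first check; browsers apply similar per-label rules when deciding whether to display a name in Unicode or fall back to its xn-- form.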
The cryptography mailing list
cryptography AT metzdowd.com