Re: [cap-talk] Re: First point of consensus

Ka-Ping Yee cap-talk at zesty.ca
Wed Feb 9 15:00:15 EST 2005


On Wed, 9 Feb 2005, Tyler Close wrote:
> In (a), the trusted site chose the name "p\u0430ypal.com" for itself, a
> name that is readily confused with "paypal.com". The trusted site is
> doing the exact opposite of what the Shmoo URLs do. The trusted site is
> tricking its own users into going to a different site. I categorize
> this scenario as a site running a phishing attack against itself. Do
> you understand why I make this categorization?

I understand what you are saying, but i don't think your categorization
is valid.  By "phishing attack against itself" what you really seem to
be saying is "they chose a bad domain name."  You're assuming that
"paypal.com" is a priori "good" and "p\u0430ypal.com" is "bad" (an
assumption i neglected to specifically dispel).  My point is independent
of which one is "good" or "bad" -- the point is that they are *confusable*.

Perhaps a better example would be two sites, one called "aa.com" and
one called "\u0430\u0430.com".  Both could be perfectly legitimate.
But depending on whether i happen to have a Western or Cyrillic keymap,
i could end up going to the one i didn't intend.  Do you see what i'm
getting at now?

> Do you have any other attack scenarios?

Just to be clear, here, keep in mind that i'm talking about attacks on
"type the URL into the address bar", not attacks on petnames.  I think
that typing URLs into the address bar is fine as long as (a) the user
agrees to do it, (b) the user trusts DNS, and (c) IDNs are disabled.
The upshot of the whole argument i was trying to make in this thread is
that IDNs can break the address bar in ways for which i see no remedy.


-- ?!ng
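The two confusable pairs discussed in the message above, "paypal.com" versus "p\u0430ypal.com" and "aa.com" versus "\u0430\u0430.com", worked through in code. This is an added example and not part of the original message or of anything the cap-talk participants wrote. It uses only the Python standard library: the built-in `idna` codec shows the ASCII labels the resolver actually looks up, the Unicode character names supply the script of each letter, and a small, deliberately partial table of Cyrillic-to-Latin lookalikes (an assumption of this example, not the full Unicode confusables list) builds a "skeleton" that makes the two domains in each pair compare equal. The point the skeleton check brings out is the one the second example in the message makes: "\u0430\u0430.com" is entirely Cyrillic, so a mixed-script check alone never flags it.

```python
# Added example, not from the original mailing-list message.
# Demonstrates why "p\u0430ypal.com" and "\u0430\u0430.com" are confusable
# with their all-Latin counterparts even though DNS sees different names.
import unicodedata

# Partial lookalike table (ASSUMPTION of this example): Cyrillic letters that
# render like Latin letters in common fonts, mapped to the Latin letter they
# resemble. The real Unicode confusables.txt is far larger.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def to_ascii(domain: str) -> str:
    """ASCII form of the domain as sent to DNS (IDNA/punycode via the
    standard-library codec). Distinct Unicode names give distinct labels,
    so DNS itself is never confused; only the human reading the bar is."""
    return domain.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Set of scripts used by the letters of one label, taken from the first
    word of each character's Unicode name ('LATIN SMALL LETTER A' -> 'LATIN').
    Digits and hyphens are ignored."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label: str) -> bool:
    """True when a single label mixes scripts, e.g. Latin p-y-p-a-l around a
    Cyrillic a. This is the cheap heuristic browsers later adopted; it does
    NOT catch an all-Cyrillic label that merely resembles a Latin one."""
    return len(scripts(label)) > 1


def skeleton(domain: str) -> str:
    """Replace each known Cyrillic lookalike with the Latin letter it resembles,
    so that visually identical names collapse to the same string."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in domain)


def confusable(domain_a: str, domain_b: str) -> bool:
    """Two domains are confusable when DNS treats them as different names
    but they render the same after lookalike folding."""
    return (to_ascii(domain_a) != to_ascii(domain_b)
            and skeleton(domain_a) == skeleton(domain_b))


if __name__ == "__main__":
    # Constructed sample input: the pairs from the message above.
    pairs = [
        ("paypal.com", "p\u0430ypal.com"),
        ("aa.com", "\u0430\u0430.com"),
    ]
    for latin, lookalike in pairs:
        label = lookalike.split(".")[0]
        print(f"{lookalike!r:24} -> DNS sees {to_ascii(lookalike)}")
        print(f"    scripts={sorted(scripts(label))} "
              f"mixed={is_mixed_script(label)} "
              f"confusable_with_{latin}={confusable(latin, lookalike)}")
```

Running the script shows the asymmetry the message is driving at: "p\u0430ypal.com" becomes "xn--pypal-4ve.com" and is caught by the mixed-script heuristic, while "\u0430\u0430.com" becomes "xn--80aa.com", is single-script, and is only caught by the lookalike skeleton. Neither check helps the user who typed the name with the wrong keymap, which is why the message treats this as a problem of the address bar rather than of any one site.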