Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)
Dave Crocker <dcrocker@gmail.com> Mon, 08 July 2013 06:22 UTC
On 7/7/2013 7:27 PM, Matt Simerson wrote:
> <t hangText="Cousin Domain:"> A registered domain name that
> is deceptively similar the name of a known entity. The entity
> name is familiar to users and therefore
> imparts a degree of trust. The deceptive similarity can
> trick the user by embedding the essential parts of the
> entity name in a new string (e.g.,
> "companysecurity.example" to attack "company.example"),
> or it can use some variant of the entity name, such as
> replacing 'i' with '1'. This latter form is sometimes
> known as a "homograph attack". </t>
>
> On Jul 7, 2013, at 7:25 PM, Matt Simerson <matt@tnpi.net> wrote:
>> On Jul 7, 2013, at 12:25 AM, "Murray S. Kucherawy" <superuser@gmail.com> wrote:
>>> How's this, if you'll pardon the XML?
>> I simplified the description by removing the 'target' abstraction. There
>> are legitimate purposes for cousin domains, such as helping poor spellers
>> and heading off typosquatting.
>>
>> I don't think the distinction of end-users is helpful. It implies that
>> some class of users are not susceptible to cousin domain attacks. There's
>> ample evidence that is not the case.

I think the distinction between domain names and other kinds of names can be useful to make explicitly.

The use of 'target' is needed for referential disambiguation between the attacker's domain name and the one that is the basis for the attack.

However I do think "end-" isn't as helpful as I had intended; so 'users' should suffice.

Hence a few more tweaks:

<t hangText="Cousin Domain:"> A registered domain name that is
deceptively similar to a target domain name or other name of a
known entity. The target name is familiar to many users, and
therefore imparts a degree of trust. The deceptive similarity can
trick the user by embedding the essential parts of the target name
in a new string (such as, "companysecurity.example" to attack
"company.example"), or it can use some variant of the target name,
such as replacing 'i' with '1', which is known as a "homograph
attack". </t>

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
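
The following is an added example, not part of the original message or of the DMARC draft: a small defensive check that labels a candidate name with the two forms of deceptive similarity the proposed definition names (embedding the target name, or a look-alike variant of it). The function names, the look-alike table and the `min_len` guard are assumptions made for illustration, and inputs are assumed to already be registered domains.

```python
# Added example (not from the thread): flag the two forms of deceptive
# similarity named in the proposed "Cousin Domain" definition.

# Constructed sample of look-alike characters, folded to one representative.
# A production list would be far larger (e.g. Unicode confusables).
FOLD_CHARS = str.maketrans({"1": "l", "i": "l", "0": "o"})
FOLD_SEQS = (("rn", "m"), ("vv", "w"))


def first_label(domain):
    """Leftmost label of a name assumed to already be a registered domain."""
    return domain.lower().rstrip(".").split(".")[0]


def skeleton(label):
    """Fold look-alike sequences and characters so variants compare equal."""
    for seq, canon in FOLD_SEQS:
        label = label.replace(seq, canon)
    return label.translate(FOLD_CHARS)


def classify(candidate, target, min_len=4):
    """Return 'identical', 'variant', 'embedding' or 'unrelated'."""
    if candidate.lower().rstrip(".") == target.lower().rstrip("."):
        return "identical"
    cand = skeleton(first_label(candidate))
    tgt = skeleton(first_label(target))
    if len(tgt) < min_len:
        return "unrelated"   # very short targets would match almost anything
    if cand == tgt:
        return "variant"     # e.g. 'i' replaced with '1' (or same label, other TLD)
    if tgt in cand:
        return "embedding"   # target name carried inside a longer string
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample names, using the reserved .example TLD from the thread.
    for name in ("companysecurity.example", "c0mpany.example", "weather.example"):
        print(name, "->", classify(name, "company.example"))
```

A result of "variant" or "embedding" only reports string similarity; it does not establish intent, since the thread itself notes legitimate uses of cousin domains.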