Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Dave Crocker <dcrocker@gmail.com> Mon, 08 July 2013 06:22 UTC

On 7/7/2013 7:27 PM, Matt Simerson wrote:
> <t hangText="Cousin Domain:"> A registered domain name that
>                         is deceptively similar to the name of a known entity.  The entity
>                         name is familiar to users and therefore
>                         imparts a degree of trust.  The deceptive similarity can
>                         trick the user by embedding the essential parts of the
>                         entity name in a new string (e.g.,
>                         "companysecurity.example" to attack "company.example"),
>                         or it can use some variant of the entity name, such as
>                         replacing 'i' with '1'.  This latter form is sometimes
>                         known as a "homograph attack". </t>
>
> On Jul 7, 2013, at 7:25 PM, Matt Simerson <matt@tnpi.net> wrote:
>> On Jul 7, 2013, at 12:25 AM, "Murray S. Kucherawy" <superuser@gmail.com> wrote:
>>> How's this, if you'll pardon the XML?
>> I simplified the description by removing the 'target' abstraction. There are legitimate purposes for cousin domains, such as helping poor spellers and heading off typosquatting.
>>
>> I don't think the distinction of end-users is helpful. It implies that some class of users are not susceptible to cousin domain attacks. There's ample evidence that is not the case.


I think the distinction between domain names and other kinds of names 
can be useful to make explicitly.  The use of 'target' is needed for 
referential disambiguation between the attacker's domain name and the 
one that is the basis for the attack.  However I do think "end-" isn't 
as helpful as I had intended; so 'users' should suffice.

Hence a few more tweaks:

<t hangText="Cousin Domain:"> A registered domain name that is
      deceptively similar to a target domain name or other name of a
      known entity.  The target name is familiar to many users, and
      therefore imparts a degree of trust.  The deceptive similarity can
      trick the user by embedding the essential parts of the target name
      in a new string (such as "companysecurity.example" to attack
      "company.example"), or it can use some variant of the target name,
      such as replacing 'i' with '1', which is known as a "homograph
      attack".  </t>


d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net