Re: [idn] nameprep2 and the slash homograph issue

Erik van der Poel <erik@vanderpoel.org> Wed, 23 February 2005 18:24 UTC

Message-ID: <421CC983.1030507@vanderpoel.org>
Date: Wed, 23 Feb 2005 10:20:51 -0800
From: Erik van der Poel <erik@vanderpoel.org>
To: "JFC (Jefsey) Morfin" <jefsey@jefsey.com>
CC: IETF idn working group <idn@ops.ietf.org>
Subject: Re: [idn] nameprep2 and the slash homograph issue
References: <421B8484.3070802@vanderpoel.org> <20050223072837.GA21463~@nicemice.net> <D872CCF059514053ECF8A198@scan.jck.com> <6.1.2.0.2.20050223175234.0355d270@mail.jefsey.com>
In-Reply-To: <6.1.2.0.2.20050223175234.0355d270@mail.jefsey.com>

JFC (Jefsey) Morfin wrote:
> Actually I repeat that all the propositions to change what the user can 
> see is user hurting. The need for the click to send a request which the 
> one the user wants, not the one the phisher wants. IMHO one does not 
> increase security in hiding the existence of the danger, one increases 
> the risks.

Jefsey, it must be difficult to participate in this kind of group when 
English is not your main language, but I, for one, do appreciate your 
wise contributions, so I take them seriously.

However, I must disagree with this particular suggestion (if I 
understand you correctly). If a phisher spams users, it is not the email 
app's responsibility to direct the user to whatever site the app might 
guess is the "correct" one. No, I think it's better for the app to warn 
the user in some way that this is a phishy email, and might be evil.

This is similar to the advice that you should not give your Social 
Security Number (SSN) or credit card number to someone over the phone, 
unless *you* are the one dialing the phone number (using a well-known, 
published phone number).

Erik