W3C home > Mailing lists > Public > public-iri@w3.org > November 2009

RE: phishing in IRIs (was: Re: Using Punicode for host names in IRI -> URI translation; phishing; comparison)

From: Shawn Steele <Shawn.Steele@microsoft.com>
Date: Mon, 23 Nov 2009 17:54:59 +0000
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "Larry Masinter" <masinter@adobe.com>
CC: "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Message-ID: <E14011F8737B524BB564B05FF748464A04455D04@TK5EX14MBXC139.redmond.corp.microsoft.com>
> Also, it should be noticed that the main attack vector for
> phishing/spoofing are IDNs, not IRIs in general. 

Huh? I have yet to see a phishing email that uses IDN for a host name.  I'd be less certain about general http links, but I haven't casually stumbled across them. 

Instead attackers choose other vectors to get my attention.  (Drive-by-malicious ads, etc.)  Not to mention which, it's currently impossible to determine legitimacy by an ASCII URL.  I got what I believe is a real toysrus black friday ad, and it sent me to something like "toysrus.localadservice.com" (I forget the exact name).  Anyway, how can I tell that's a "real" toysrus site?  If I make an order starting at that link did I just give a phisher my CC info?  Phishers could easily abuse our trust in these cases.

Anyway, I agree that this is out of scope and best left to other mechanisms, ones that can catch ASCII too.  Educating retailers to use their own domain when farming out their mailing list to a service provider or ad hosting agency would help too.  (Eg: serviceprovider.toysrus.com instead of the other way around).

- Shawn
Received on Monday, 23 November 2009 17:55:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 30 April 2012 19:51:55 GMT