
RE: phishing in IRIs

From: Shawn Steele <Shawn.Steele@microsoft.com>
Date: Tue, 24 Nov 2009 04:58:09 +0000
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
CC: Larry Masinter <masinter@adobe.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Message-ID: <E14011F8737B524BB564B05FF748464A044564F0@TK5EX14MBXC139.redmond.corp.microsoft.com>

> what I wanted to say is that when it comes to phishing/spoofing with
> IRIs, the main place that actually happens are the IDNs in the IRIs, not
> the other parts of an IRI (scheme/path/query). 

I would disagree with this as well :)

http://secure.com/paypal is another technique, and there the path is used to provide the misdirection. Even when the domain name's being abused, current attacks seem to rarely use IDN; it's simply not needed because the users aren't careful (or don't know how to be careful) anyway.

I think the impracticality of a secure IRI might make an interesting paper, or BCP; however, IDN is just a (small) part of that.

- Shawn
Received on Tuesday, 24 November 2009 04:58:50 UTC
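
Added example, not part of the original message: a Python link check that reports which part of a URL carries a brand name, showing that the path case quoted in the message passes an IDN-only check. The brand list, the signal names and the two-label registrable-domain rule are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Assumed brand watch-list; constructed for this example.
BRANDS = {"paypal"}

def misdirection_signals(url, brands=BRANDS):
    """Report which part of a URL carries a brand name it does not belong to."""
    parts = urlsplit(url)
    # urlsplit() already lowercases the hostname.
    labels = [l for l in (parts.hostname or "").rstrip(".").split(".") if l]
    # Assumption: registrable domain = last two labels. Production code
    # needs the Public Suffix List to handle suffixes such as co.uk.
    owner = labels[-2] if len(labels) >= 2 else ""
    signals = set()
    # IDN host: an A-label ("xn--") or a raw non-ASCII U-label.
    if any(l.startswith("xn--") or not l.isascii() for l in labels):
        signals.add("idn-host")
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    for brand in brands:
        if owner == brand:
            continue  # the brand's own domain: nothing to report
        if any(brand in l for l in labels):
            signals.add("brand-in-host")
        if brand in path:
            signals.add("brand-in-path")
        if brand in query:
            signals.add("brand-in-query")
    return signals

# Constructed sample URLs; the first is the one quoted in the message.
SAMPLES = [
    "http://secure.com/paypal",
    "http://secure.com/?next=paypal",
    "http://paypal.secure.com/",
    "http://xn--bcher-kva.example/",
    "http://paypal.com/signin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, sorted(misdirection_signals(sample)))
```
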
