W3C home > Mailing lists > Public > public-iri@w3.org > November 2009

Re: phishing in IRIs

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Fri, 27 Nov 2009 19:56:58 +0900
Message-ID: <4B0FB07A.5030308@it.aoyama.ac.jp>
To: Larry Masinter <masinter@adobe.com>
CC: Shawn Steele <Shawn.Steele@microsoft.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Hello Shawn, Larry,

On 2009/11/27 5:45, Larry Masinter wrote:
> I would support a separate, longer document addressing
> phishing in particular; it would be great if this
> could be referenced by the IRI document itself.

I don't have anything against documents on phishing at all, but it may 
be difficult to reference it from the IRI document because the IRI spec 
is supposed to be finished very soon.

Because of this and because of arguments given earlier, I agree with 
Shawn that spoofing/phishing should be essentially outside the WG charter.

> Perhaps
> it could be a BCP. This might be a way of getting
> specific review of the broader security issues.
> Shawn, are you interested in editing such a document?
> I'd also suggest some coordination with the HTTPBIS
> security section:
> http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-08#section-11
> "Phishers abuse domain name certainly, but they still use all-ASCII."
> The concern is that once IRIs with IDN are deployed
> that this will create an entirely new, rich attack
> surface. Putting in preventative measures
> before deployment rather than after-the-fact
> would be prudent.

I agree that we cannot just say that IRI or IDN spoofing is a non-issue 
because it's currently a very small issue. However, my understanding is 
that the mechanisms currently in place against spoofing in Web browsers 
would easily extend to IDNs, so IDN spoofing or IRI spoofing doesn't 
have to be treated as an issue separate from domain name spoofing or URI 

[In my understanding, the two main measures against spoofing are 
trademark violation and related claims that make the registry remove the 
domain name in question, and "check-back-home" schemes implemented in 
various browsers that check against a known blacklist and warn users. 
But I might be wrong on this, I'm not an expert in this area.]

Regards,    Martin.

> Larry
> --
> http://larry.masinter.net
> -----Original Message-----
> From: Shawn Steele [mailto:Shawn.Steele@microsoft.com]
> Sent: Wednesday, November 25, 2009 12:12 PM
> To: "Martin J. Dürst"
> Cc: Larry Masinter; PUBLIC-IRI@W3.ORG; Pete Resnick; Ted Hardie
> Subject: RE: phishing in IRIs
>> What I am saying is that spoofing of IRIs with the domain name part is a much greater problem than spoofing with IRIs in the rest of the IRI.
> I don't disagree with that :)  But you extended it (I thought) to "the IDNs in the IRIs", which I don't see any evidence of.  Phishers abuse domain name certainly, but they still use all-ASCII.
>> The IETF has a tradition of putting security considerations in the main document, not as a separate document.
> I'm concerned that to fully address the issues of security considerations in IRIs would take quite a bit of space.  I'm also concerned that some aspects might be lead to a lot of discussion, as there probably isn't one "right" way to handle IRI security.  An effective security document for IRIs IMO would be comparable to trying to address how to handle spam in email.  So maybe the WG could consider mentioning some security concerns in the main document and provide a further document that describes security in more detail?  For example, I think the discussion of safe-yourbank.com IRIs is interesting, but I'm not sure the main document is the right place for all of that discussion.
> -Shawn

#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp
Received on Friday, 27 November 2009 10:57:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:39:40 UTC