Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Randy Bush
What percent of the Joe Sixpacks out there could successfully manage their named.root given a copy of 'DNS for Idiots' without generating at least one trouble ticket? uh, i have been managing domains for a looong while, manage half a dozen cctld registries, ... and i only make a mistake once a

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Iljitsch van Beijnum
On 19-jul-2005, at 1:43, Crist Clark wrote: If you make a bunch of assumptions [...] Plus, you have to trust DNS, which means you have to trust: 1) the root 2) the gTLD 3) the authoritative servers for the domain And for 99% of the users out there, 4) the caching servers for

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Brad Knowles
At 9:40 PM -1000 2005-07-18, Randy Bush wrote: uh, i have been managing domains for a looong while, manage half a dozen cctld registries, ... and i only make a mistake once a week or so. If you're achieving those numbers, you're doing a lot better than 99.999% of the rest of the

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Brad Knowles
At 10:31 AM +0200 2005-07-19, Iljitsch van Beijnum wrote: And for 99% of the users out there, 4) the caching servers for their ISP/employer/other access provider Actually, you don't. If the DNS provides false information, the public key crypto will catch this. Sure, you won't

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Iljitsch van Beijnum
On 19-jul-2005, at 12:11, Brad Knowles wrote: [need to trust the DNS system] Actually, you don't. If the DNS provides false information, the public key crypto will catch this. Sure, you won't be able to communicate, but you can't be fished that way. What public key crypto are

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Brandon Butterworth
Unfortunately, the problem is inherent in human writing systems. Consider rnicrosoft.com and paypaI.com. And people are no better than muppets in ensuring they don't screw themselves up The good news is that fairly simple homograph rules can be applied Rules aren't safe, it involves

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Brad Knowles
At 12:46 PM +0200 2005-07-19, Iljitsch van Beijnum wrote: What public key crypto are you talking about? The public key crypto that powers the authentication in SSL. But that has nothing to do with the DNS. Moreover, mikerowesoft.com would presumably have an SSL certificate issued

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Iljitsch van Beijnum
On 19-jul-2005, at 15:03, Brad Knowles wrote: The public key crypto that powers the authentication in SSL. But that has nothing to do with the DNS. :-) That's exactly the point: DNS tricks won't buy you anything (except denial of service) in the presence of SSL. protecting

Re: lo0kal1ke domains, Non-English Domain Names Likely Delayed

2005-07-19 Thread John Levine
Isn't someone more eloquent than I going to point out that spending a lot of effort eliminating homographs from DNS to stop phishing ... I sat in on some of the discussion at ICANN in Lux, and I simultaneously heard that the problem is fundamentally insoluble, but ICANN has to do something

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Neil Harris
Brad Knowles wrote: My point was that, if you're going to try to protect the users against homophone/homograph attacks, you need to do it in a standardized way. Moreover, the standards for controlling that need to be held by separate entities from those who are creating the tools

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Crist Clark
Iljitsch van Beijnum wrote: On 19-jul-2005, at 1:43, Crist Clark wrote: [snip] If almost none of the phishing emails I get now bother to play these kinds of games today, how much does this really help? And burglars also manage to get inside your house even though you lock the door. So

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Crist Clark
Brad Knowles wrote: At 10:31 AM +0200 2005-07-19, Iljitsch van Beijnum wrote: And for 99% of the users out there, 4) the caching servers for their ISP/employer/other access provider Actually, you don't. If the DNS provides false information, the public key crypto will catch

Re: Non-English Domain Names Likely Delayed

2005-07-19 Thread Neil Harris
Crist Clark wrote: If the homograph problem isn't too hard, yeah, fix it. If it is hard, it may not be worth it. From what I know, this isn't easy, but technically, not impossible. Yes. It's _really_ not difficult to fix, particularly for domains which also enforce a

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Stephane Bortzmeyer
On Sun, Jul 17, 2005 at 04:29:52PM +, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote a message of 49 lines which said: Forwarded Message from Neil Harris [EMAIL PROTECTED] --- ... After extensive analysis and discussion, the Mozilla community and Opera have already produced a fix for

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Stephane Bortzmeyer
On Sun, Jul 17, 2005 at 09:49:32PM -0700, Dave Crocker [EMAIL PROTECTED] wrote a message of 25 lines which said: 2. Who is the authority that decides whether a TLD uses an acceptable policy? That's the big problem with this so-called solution.

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Robert E . Seastrom
Stephane Bortzmeyer [EMAIL PROTECTED] writes: Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of European ccTLDs, .museum, and .info. Any other registrars who want to be supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera counterpart, and give them a

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Brandon Butterworth
Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of European ccTLDs, .museum, and .info. Any other registrars who want to be supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera counterpart, and give them a pointer to their anti-spoofing rules. I don't

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Neil Harris
Stephane Bortzmeyer wrote: Forwarded Message from Neil Harris [EMAIL PROTECTED] --- ... After extensive analysis and discussion, the Mozilla community and Opera have already produced a fix for this, Which is highly questionable and that is rejected by most European ccTLDs.

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Neil Harris
Brandon Butterworth wrote: Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of European ccTLDs, .museum, and .info. Any other registrars who want to be supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera counterpart, and give them a pointer to their

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Brad Knowles
At 3:22 PM +0100 2005-07-18, Neil Harris wrote: Neither is beyond the wit of man, particularly given commercial pressure from registry customers. The registry customers don't pay the bills of ICANN and the governments who maintain the ccTLDs. The registries pay those bills, and they

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Neil Harris
Dave Crocker wrote: After extensive analysis and discussion, the Mozilla community and Opera have already produced a fix for this, based on only displaying Unicode IDN labels where the registry publishes and enforces well-defined anti-homograph policies, and displaying the Punycode

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Michael . Dillon
Stephane, can I ask you what your detailed objections are to the Moz/Opera mechanism, and could you let me know your proposal for an alternative mechanism for preventing IDN spoofing? I would suggest that an alternative mechanism should include a set of code points to be used for the

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Iljitsch van Beijnum
On 18-jul-2005, at 16:42, Brad Knowles wrote: The registry customers don't pay the bills of ICANN and the governments who maintain the ccTLDs. Governments? You have some strange ideas about ccTLDs. The registries pay those bills, and they get their money (in part) from those who

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Brad Knowles
At 5:03 PM +0200 2005-07-18, Iljitsch van Beijnum wrote: The registry customers don't pay the bills of ICANN and the governments who maintain the ccTLDs. Governments? You have some strange ideas about ccTLDs. Okay, fine -- government-authorized organizations, then. Such as SIDN

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Crist Clark
Isn't someone more eloquent than I going to point out that spending a lot of effort eliminating homographs from DNS to stop phishing is a security measure on par with cutting cell service to underground trains to prevent bombings? It focuses on one small vulnerability that phishers exploit,

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Iljitsch van Beijnum
On 18-jul-2005, at 22:49, Brad Knowles wrote: The registry customers don't pay the bills of ICANN and the governments who maintain the ccTLDs. Governments? You have some strange ideas about ccTLDs. Okay, fine -- government-authorized organizations, then. Such as SIDN for

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Neil Harris
Iljitsch van Beijnum wrote: On 18-jul-2005, at 22:49, Brad Knowles wrote: ...snip... If you're not a programmer with direct commit access to Mozilla and Opera, just how exactly do you expect to have any control over this process? Hopefully they make this stuff user configurable.

RE: Non-English Domain Names Likely Delayed

2005-07-18 Thread Jason Sloderbeck
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crist Clark Sent: Monday, July 18, 2005 4:43 PM Cc: NANOG Subject: Re: Non-English Domain Names Likely Delayed Isn't someone more eloquent than I going to point out that spending a lot of effort eliminating homographs from DNS to stop

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Crist Clark
Iljitsch van Beijnum wrote: On 18-jul-2005, at 23:43, Crist Clark wrote: Isn't someone more eloquent than I going to point out that spending a lot of effort eliminating homographs from DNS to stop phishing is a security measure on par with cutting cell service to underground trains to

Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Joe Abley
On 18 Jul 2005, at 18:43, Jason Sloderbeck wrote: I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site. If I was feeling especially cynical (and hey, who isn't on a Monday?)

Re: Non-English Domain Names Likely Delayed

2005-07-17 Thread Fergie (Paul Ferguson)
Forwarded Message from Neil Harris [EMAIL PROTECTED] --- Fergie (Paul Ferguson) wrote: ...sez Vint...due to the prevalence of phishing: http://www.msnbc.msn.com/id/8586332/ - ferg Paul, I'm not registered as a poster on the Nanog list, so I thought I'd let you know that this problem is

Re: Non-English Domain Names Likely Delayed

2005-07-17 Thread Dave Crocker
After extensive analysis and discussion, the Mozilla community and Opera have already produced a fix for this, based on only displaying Unicode IDN labels where the registry publishes and enforces well-defined anti-homograph policies, and displaying the Punycode equivalent 1. It's

Re: Non-English Domain Names Likely Delayed

2005-07-16 Thread Iljitsch van Beijnum
Sorry to be like this on a nice Saturday morning, but... What exactly are people who are too stupid to know the difference between a LANGUAGE and a SCRIPT doing here? I say we patent the latin script and refuse to license it to the US.

Non-English Domain Names Likely Delayed

2005-07-15 Thread Fergie (Paul Ferguson)
...sez Vint...due to the prevalence of phishing: http://www.msnbc.msn.com/id/8586332/ - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/