Just kidding about the "looking for quotes" line. I won't implicate
anyone here unless you tell me you want to be quoted, and then I'll just
garble the quote to humiliate you.

Really, I'll treat this thread as an educational experience, make up my
own mind and talk about that. So far my guess is that, based on pretty
much all prior experience on the Internet, there have to be exploitable
software bugs and social engineering opportunities in this, probably
significant ones. How much support is there right now in available
software for punycode?

Here's a stupid question: Is it possible that there are buffer overflows
out there just from all the extra bytes in domain names?

Larry Seltzer
Contributing Editor, PC Magazine
[email protected] 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Larry Seltzer
Sent: Saturday, October 31, 2009 9:40 AM
To: [email protected]
Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

Oh I know all this, just looking for quotes. 

Larry Seltzer
Contributing Editor, PC Magazine
[email protected] 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: Paul Ferguson [mailto:[email protected]] 
Sent: Saturday, October 31, 2009 9:35 AM
To: Larry Seltzer
Cc: [email protected]
Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Oct 31, 2009 at 6:14 AM, Larry Seltzer <[email protected]> wrote:

> http://www.pcmag.com/article2/0,2817,2355068,00.asp?kc=PCRSS05079TX1K0000992
>
> So have the security implications of these new domain names really been
> thought through?
>

No.

If nothing else, expanding the TLD space expands the abuse footprint.

Further, expanding the TLD footprint in areas which are not clearly
'recognizable' by some applications, etc., will certainly have a tendency
to be targets for abuse by criminals.

Of course, this may sound obvious -- and it is.

But expanding the TLD space into the IDN direction is not all sunshine and
rainbows -- it also opens up a whole new gateway for enormous abuse and
exploitation.

It should be obvious to anyone with a clue. :-)

- - ferg

p.s. I'm in Taipei at the moment, which should underscore the issues that I
am talking about, et al.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFK7Dzhq1pz9mNUZTMRAgxlAJ9FzZzBmRmoPfN4EHhSRo2g19/WvQCgzCJO
5V6IySqInkTmQlkoxSqb1tk=
=COHl
-----END PGP SIGNATURE-----


-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
