Brandon Butterworth wrote:
> Already, some 21 TLDs are whitelisted, including .cn, .tw, a number
> of European ccTLDs, .museum, and .info. Any other registrars who
> want to be supported can simply E-mail Gerv at the Mozilla
> Foundation, or his Opera counterpart, and give them a pointer to
> their anti-spoofing rules.
>
> I don't think it's a good idea to introduce a system with a known
> vulnerability and try and work around it by having some people agree
> they'll police the exploit. No doubt the people protecting us
> will be tempted to exploit it themselves by trying to sell
> the spoofs to the spoofed domain owner as essential international
> branding (.mobi, yeah. .com is shorter and people should learn
> about content negotiation to present suitable content to mobiles,
> no need to buy your domains all over again)
>
> If this goes ahead the browser needs a default on button for
> "please don't expose me to this spoofing attack"
>
> brandon
Unfortunately, the problem is inherent in human writing systems.
Consider rnicrosoft.com and paypaI.com.

The good news is that fairly simple homograph rules can be applied to
collapse the namespace into visually distinct labels: see TR #36. See
also https://bugzilla.mozilla.org/show_bug.cgi?id=279099 for a lengthy
group discussion of the issues involved.

As a side-effect of this, implementing either a blocking bundling or
inclusive bundling policy has the effect of precluding a registry from
selling potential spoofs to others. The former requires no change to
existing software, apart from a check at name registration time; the
latter requires either the generation of huge zonefiles, or a few lines
of code and a ~128kbyte static lookup table to be added to DNS server
software: see RFC 3743 for more detail than you ever wanted to know
about bundling.

Neither is beyond the wit of man, particularly given commercial pressure
from registry customers.

Neil
(my personal views only, not that of any organization)
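An added illustration, not part of either message above: a toy version of the "skeleton" collapse that TR #36 (via UTS #39) describes, plus the registration-time blocking check Neil calls the cheaper of the two bundling policies. The confusable table is a small constructed subset of my own, not the Unicode confusables data, and the function names are assumptions.

```python
import unicodedata
from typing import Dict, Iterable, Optional

# Constructed subset of single-character confusables: each member of a
# visually similar set collapses to one canonical character. Applied
# before lower-casing so that capital I is caught as a lookalike for l.
_CHAR_MAP: Dict[str, str] = {
    "I": "l", "1": "l", "|": "l", "\u0406": "l",   # capital I, digit 1, pipe, Cyrillic I
    "0": "o", "O": "o", "\u043e": "o",             # zero, capital O, Cyrillic о
    "\u0430": "a", "\u0435": "e", "\u0440": "p",   # Cyrillic а, е, р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",   # Cyrillic с, у, х
}
# Constructed multi-character sequences that render like a single letter.
_SEQ_MAP: Dict[str, str] = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Collapse a label so that visually confusable labels become identical.

    This is a one-way canonical form used only for equality tests,
    never for display. NFKC first folds compatibility forms (e.g.
    fullwidth letters) onto their ASCII counterparts.
    """
    text = unicodedata.normalize("NFKC", label)
    text = "".join(_CHAR_MAP.get(ch, ch) for ch in text)
    text = text.lower()
    for seq, repl in _SEQ_MAP.items():
        text = text.replace(seq, repl)
    return text


def is_confusable(a: str, b: str) -> bool:
    """True when two *different* labels collapse to the same skeleton."""
    return a != b and skeleton(a) == skeleton(b)


def find_collision(candidate: str, registered: Iterable[str]) -> Optional[str]:
    """Blocking-bundling check at registration time.

    Returns the already registered label whose skeleton matches the
    candidate (the one the registry should refuse to sell a lookalike
    of), or None when the candidate is visually distinct from them all.
    """
    cand = skeleton(candidate)
    for name in registered:
        if name != candidate and skeleton(name) == cand:
            return name
    return None
```

The two labels Neil cites, rnicrosoft.com and paypaI.com, both collapse onto their targets, and the same check catches a Cyrillic-a substitution that a plain string comparison would pass.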