
posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display IDN. The issue here is, of course, spoofing valid URLs with visually similar letters. You probably would notice the lame attempt in the department line, but some of the international characters are very similar or indeed identical. Depending on your personal preferences, it might be a good idea to use punycode instead. Could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale
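As an added illustration (not part of the submission or of Krebs's article), the Python below does what a cautious client, proxy or mail gateway can do with a hostname before trusting how it looks: compute the RFC 3490 A-label with the standard library's idna codec (which runs nameprep first, so case and compatibility forms such as fullwidth letters are folded before Punycode is applied), then flag labels that mix scripts, labels made entirely of Cyrillic letters that have Latin look-alikes, and non-ASCII names whose diacritic-stripped skeleton is plain ASCII, which is exactly the trick in the department line. The confusable table is a small hand-picked assumption rather than Unicode's confusables.txt, and the hostnames are constructed for the demo.

```python
"""Look-alike hostname checks built on Python's RFC 3490 (IDNA2003) codec.

Added example for this page; the confusable table and the hostnames are
assumptions made for the demonstration, not data from the article.
"""
import unicodedata

# Hand-picked Cyrillic lowercase letters whose usual glyphs match a Latin
# letter. Assumed for this example; Unicode's confusables.txt is far larger.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q",
}

# First word of a Unicode character name that identifies a script we care about.
SCRIPT_WORDS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                "CJK", "HIRAGANA", "KATAKANA", "HANGUL"}


def to_ascii(hostname: str) -> str:
    """A-label form: nameprep (case fold, NFKC) then Punycode with the xn-- prefix.
    This is the string that actually goes into DNS and the Host header."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii: the U-label a browser shows if it renders Unicode."""
    return hostname.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Coarse script class derived from the character's Unicode name."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "Common"
    word = unicodedata.name(ch, "").split(" ")[0]
    return word.capitalize() if word in SCRIPT_WORDS else "Other"


def skeleton(hostname: str) -> str:
    """Fold a name onto what a human sees: canonicalise, strip combining marks,
    replace known Cyrillic look-alikes with the Latin letter they resemble.
    Two names with equal skeletons are indistinguishable on screen."""
    canonical = to_unicode(to_ascii(hostname))
    out = []
    for ch in unicodedata.normalize("NFD", canonical):
        if unicodedata.category(ch) == "Mn":      # combining mark (diacritic)
            continue
        out.append(CYRILLIC_CONFUSABLES.get(ch, ch))
    return "".join(out)


def assess(hostname: str) -> dict:
    """Canonical forms of a hostname plus the reasons it could fool a reader."""
    ascii_form = to_ascii(hostname)
    shown = to_unicode(ascii_form)
    reasons = []
    for label in shown.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif scripts == {"Cyrillic"} and all(
                c in CYRILLIC_CONFUSABLES for c in label if c.isalpha()):
            reasons.append(
                f"{label!r} is whole-script confusable, reads as {skeleton(label)!r}")
    folded = skeleton(shown)
    if "xn--" in ascii_form and folded.isascii():
        reasons.append(f"non-ASCII name whose skeleton {folded!r} is plain ASCII")
    return {"ascii": ascii_form, "unicode": shown, "reasons": reasons}


if __name__ == "__main__":
    # Constructed inputs: the department line, two Cyrillic look-alikes,
    # a fullwidth letter that nameprep folds away, and a plain ASCII control.
    for name in ("s\u00f6yl\u00eantn\u00e9ws.org",
                 "\u0440aypal.com",                 # Cyrillic er + Latin "aypal"
                 "\u0435\u0445\u0440\u043e.com",     # all Cyrillic, looks like "expo"
                 "\uff50aypal.com",                 # fullwidth p
                 "paypal.com"):
        r = assess(name)
        print(f"{r['unicode']:<18} {r['ascii']:<30} {r['reasons'] or 'looks plain'}")
```

Two things worth noticing when you run it. The department line has only Latin letters, so script mixing cannot catch it and it is flagged solely because its skeleton is the ASCII string soylentnews.org. The fullwidth variant collapses to a plain paypal.com before Punycode is even reached, which is why any check belongs on the canonical A-label, not on whatever was typed or displayed.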

  • (Score: 2, Insightful) by cocaine overdose on Sunday March 11 2018, @04:08PM (8 children)

    And here we are. After years of appealing to mouth-breathers who couldn't remember 5 sets of 1-3 characters each (or 4 sets of 4 characters, woe is me), and facing the consequences, we're now at another absolutely avoidable exploit (it's an old one, Apple users were phished with it last year). The only two things domain names do well is: make it easier for retards to remember the Pinterest IP and make it easier for sysadmins to play hot potato with service providers. There's also the metadata aspect, but you can get past that with a little bit of finger grease.

    Besides those, I cannot think of any other reason to use domain names (except making name squatters and "registrats" a.k.a licensed-squatters loads of dosh). But I can think of many reasons not to:

    1. The aforementioned attack vector of third world countries wanting a piece of the internet pie -- before they even have access to broadband
    2. Domain squatters and fees
    3. Mobile users, i.e. regular plebs who like bright colors, lots of javascript-based transitions, and content aggregators. In other words, the cancer that killed the internet
    4. Domain "regulators" that can suspend your domain on a discretionary basis
    5. Host records
    6. Having to come up with a retard-short name like "Twitter" so the handicapped don't strain their minds trying to type it all out
    7. WHOIS records
    8. DNS servers that add another piece of the spy-on-you puzzle
    9. Registrars at all. They're about as needed as paid cert authorities
    10. Brand inequality. It's simpler to filter out "competing" mail servers into spam and disregard any domain name that's longer than 12 letters
    11. TLDs. The cancerous domain squatters were addressed by giving them another city to shit up. There should be two types of TLDs, government and then the rest. There's no need for ".io" or ".ru" or ".biz" or ".org." It just introduces another attack vector, e.g .biz and .bz with the same domain name
    12. DNS is still cancer and should be replaced with a decentralized keyserver
    13. TLS certs per domain name/subdomain. This is a scam and you'll be on the block when the day of the rope comes, Comodo
    14. Subdomains

    Abolish domain names. IPv6 addresses are the future.

  • (Score: 3, Informative) by MichaelDavidCrawford on Sunday March 11 2018, @05:10PM (1 child)


    Back in the day the only way to host multiple sites on just one box required that box to have multiple IP addresses

    Everyone knew that hilarity would soon ensue, so HTTP 1.1 enables multiple sites by putting the domain in the header:

        GET /hello.jpg HTTP/1.1
        Host: goatse.cx

    Or something like that

  • (Score: 2) by requerdanos on Monday March 12 2018, @01:01AM (5 children)


    Abolish domain names

    With what shall we replace them?

    a. "On AOL go to keyword 'twitter'"
    b. Google it... Uh, I mean, remember a google ip address and "number it" (we remember 8.8.8.8 for dns, ironically, so why not e.g. 1.2.3.4 for web search?)
    c. DHT or the equivalent
    d. Call us at 1-800-toll-free or visit our website at https://[2001:0db8:0a0b:12f0:0000:0000:0000:0001]
    e. Other, please specify

    I ask mostly out of curiosity. I have given namecheap a pretty good chunk of money over the years.

    • (Score: 2, Interesting) by cocaine overdose on Monday March 12 2018, @03:11AM (4 children)

      Procedurally generated network keysigns. You don't get to choose your keysign, it's randomly assigned to your organization and it's kept in a simpler "DNS"-like system. Basically, onion domains.
      • (Score: 0) by Anonymous Coward on Monday March 12 2018, @02:37PM


        So someone at Google writes a script to request new keysigns until they get google again? And then discards the ready, or just hangs on to them for other purposes?

      • (Score: 2) by requerdanos on Monday March 12 2018, @03:11PM (2 children)


        Basically, onion domains.

        Well, onion domains are almost good enough.

        Almost means "not".

        • (Score: 1) by cocaine overdose on Monday March 12 2018, @03:43PM (1 child)

          Sure, if you can produce some qualitative evidence.
          • (Score: 2) by requerdanos on Monday March 12 2018, @04:41PM


            Purpose of DNS [business.com]: Translate unique easy-to-remember words or phrases to harder-to-remember IP addresses.
            Number of onion domains that are easy-to-remember words or phrases: ~= 0 [imgur.com]
            Number of onion domains that are indisputably easier to remember than arbitrary IP addresses: ~= 0 [imgur.com]

            Scores (Any "No" means "Fails to provide functionality of DNS"):
            Do onion domains provide unique mapping? Yes, the mapping is unambiguous.
            Do onion domains provide easily memorable words/phrases? No, although onion domains may contain words or phrases as components, the domains themselves are either gibberish, gibberish+word(s), or word(s)+gibberish.
            Do onion domains translate the domain to an IP address or other appropriate record type? Yes, but the IP address may well be easier to remember.

            ∴ Onion domains provide functionality of DNS? No. If there were no DNS and the world had to use onion or nothing, it's debatable which would win out. Slight edge to onion for potential to support things like MX records which bare IP addresses don't address; but then you'd be edging back into DNS territory.

            Analysis: Like the unreadable punycode-gibberish solution, an unreadable onion-gibberish solution proposes to replace readable names of sites with gibberish, arguably with the goal of improving the system, but unable to do so because of the fatal flaw of being made of unintelligible gibberish by design. Our current system has serious problems, but introducing additional problems such as removing human-readability is no improvement nor solution.