IDN Security Issues and Solutions
Dr. Ibaa Oueichek, Director of Data Communications, STE
IDN Security, 17/5/2006

Visual Security Issues

Visually confusable strings: two different strings of Unicode characters whose appearance in common fonts, at small sizes and screen resolutions, is close enough that people easily mistake one for the other.
Example: paypal.com and paypa1.com (and this is pure ASCII: the letter l vs the digit 1).

Homographs: a special kind of visual confusable. Two different strings that can always be represented by the same sequence of glyphs. For example, "AB" in Latin and "AB" in Greek (Alpha, Beta) are homographs.

IDN: what does IDN have to do with this?

IDN is such a *GREAT* idea, because it allows users to write domain names in their native language instead of English.
IDN is also a *GREAT* idea for spoofs and deceptions: it gives the attacker the whole Unicode repertoire to play with.

How serious is it?

Early alert: in December 2002, RFC 3454 explicitly warns about the problems of "similar-looking characters" and suggests that "user applications can help disambiguate some similar-looking characters by showing the user when a string changes between scripts".
In February 2005, xn--pypal-4ve.com is registered by The Shmoo Group as a proof of concept.

Example

You get an email about your paypal.com account and click on the link.
You carefully examine your browser's address box to make sure that it is actually going to http://paypal.com/
But actually it is going to a spoof site: "paypal.com" where the first "a" is the Cyrillic letter U+0430, not the Latin letter (this is what the A-label xn--pypal-4ve.com decodes to).
You think that they are the same, but DNS thinks they are different.

More examples

Cross-script: p in Latin vs р in Cyrillic (U+0440).
In-script sequences: rn may appear at display sizes like m.
Rendering support: ä with two umlauts (a + U+0308 + U+0308) may look the same as ä with one; el is actually e + l.

Definitions

Single-script confusable: the spoofing characters are within one script, or use characters common across scripts (such as digits).
Examples:
- a-b and a-b (U+2010 HYPHEN instead of U+002D HYPHEN-MINUS)
- dze and ʣe (U+02A3 LATIN SMALL LETTER DZ DIGRAPH instead of d + z)
- 101 is NOT one-zero-one, but binary 5!!

Definitions

Mixed-script confusable: the spoofing characters come from more than one script, and the string is not a single-script confusable.
Examples:
- paypal (ASCII) and paypal with a Cyrillic а (U+0430)
- top (ASCII) and top with a Greek omicron (U+03BF)

Definitions

Whole-script confusable: a pair of strings where each string is entirely in one script, the scripts differ, and both look identical.
Examples:
- caxap in Latin, and сахар in Cyrillic
- scope in Latin, and ѕсоре in Cyrillic
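The three categories above (single-script, mixed-script and whole-script confusables) can be told apart mechanically with two ingredients: a "skeleton" that folds look-alike characters to a canonical form, and a per-character script lookup. The following is an added example, not code from the slides; the confusable table is a small constructed subset of what UTR #36 / UTS #39 call a confusables table, the script is approximated from the first word of the Unicode character name rather than from Scripts.txt, and the function names are the author's own.

```python
import unicodedata

# Constructed, illustrative subset of a confusables table in the spirit of
# UTR #36 / UTS #39 "skeletons": each look-alike maps to the Latin character
# it resembles. The real Unicode confusables.txt is far larger.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",   # CYRILLIC SMALL LETTER A   (the xn--pypal-4ve case)
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
    "\u0455": "s",   # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",   # GREEK SMALL LETTER OMICRON
    "\u2010": "-",   # HYPHEN, vs U+002D HYPHEN-MINUS
    "\u02a3": "dz",  # LATIN SMALL LETTER DZ DIGRAPH
    "1": "l",        # ASCII digit one vs letter ell (paypa1.com)
}

# First words of Unicode names treated as script-neutral (Common/Inherited).
# Approximation: production code should use the Unicode Scripts.txt data.
NEUTRAL = {"DIGIT", "HYPHEN", "HYPHEN-MINUS", "FULL", "LOW", "COMBINING"}


def script_of(ch: str) -> str:
    """Approximate script of one character, derived from its Unicode name."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "Common" if first in NEUTRAL else first.title()


def scripts(label: str) -> set:
    """Set of non-neutral scripts used in a label."""
    return {script_of(c) for c in label} - {"Common"}


def skeleton(label: str) -> str:
    """Fold a label to its look-alike form; equal skeletons mean confusable."""
    label = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label)


def to_unicode(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label with Python's punycode codec."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def classify(candidate: str, target: str):
    """Classify `candidate` against the legitimate `target` label using the
    three categories from the slides. Returns None when the two are not
    confusable under the table above, "identical" when they are equal."""
    cand = to_unicode(candidate)
    if skeleton(cand) != skeleton(target):
        return None
    if cand == target:
        return "identical"
    cand_scripts, target_scripts = scripts(cand), scripts(target)
    if len(cand_scripts) > 1:
        return "mixed-script"      # e.g. Latin plus one Cyrillic letter
    if cand_scripts == target_scripts:
        return "single-script"     # same script, e.g. paypa1 vs paypal
    return "whole-script"          # entirely another script, e.g. Cyrillic caxap


if __name__ == "__main__":
    # Constructed test pairs matching the slides' examples.
    for cand, target in [("xn--pypal-4ve", "paypal"), ("paypa1", "paypal"),
                         ("\u0441\u0430\u0445\u0430\u0440", "caxap"),
                         ("t\u03bfp", "top"), ("a\u2010b", "a-b")]:
        print(f"{to_unicode(cand)!r} vs {target!r}: {classify(cand, target)}")
```

Note that the skeleton comparison alone already says "confusable"; the script analysis only decides which category applies, which matters because registries and user agents typically treat mixed-script labels more harshly than whole-script ones.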

More bad ideas

Syntax spoofing: examples that look like example.com but direct us to bad.com.
- http://example.com⁄x.bad.com (beware of U+2044 FRACTION SLASH: it is not a path separator, so the whole thing is one host name under bad.com)
- http://example.com?x.bad.com (beware of fonts lacking a glyph: a character the font cannot render shows up as a question mark, but it is not a real "?")
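Whether such a URL reaches example.com or bad.com is decided by the parser and by IDNA ToASCII, not by what the glyphs look like. The added example below (not part of the original slides) parses the two URLs with Python's standard library, runs the host through the built-in IDNA codec, and flags non-ASCII punctuation or symbol characters inside the host, which is exactly where a delimiter look-alike hides. The "registrable domain" is simplified to the last two labels, an assumption made for brevity; a real implementation consults the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit


def analyse_url(url: str) -> dict:
    """Show where a spoofed-looking URL really goes.

    host:        the host as the URL parser sees it (urlsplit, lowercased)
    ascii_host:  what DNS will resolve, after IDNA ToASCII
                 (Python's built-in 'idna' codec, IDNA 2003 semantics)
    registrable: last two labels of ascii_host (simplification: a real
                 implementation consults the Public Suffix List)
    query:       what followed a genuine ASCII '?', which never reaches DNS
    flags:       non-ASCII punctuation/symbol characters inside the host,
                 i.e. look-alikes for URL delimiters such as '/' or '?'
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    ascii_host = host.encode("idna").decode("ascii")
    labels = ascii_host.split(".")
    flags = [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
        for c in host
        if not c.isascii() and unicodedata.category(c)[0] in "PS"
    ]
    return {
        "host": host,
        "ascii_host": ascii_host,
        "registrable": ".".join(labels[-2:]),
        "query": parts.query,
        "flags": flags,
    }


if __name__ == "__main__":
    # Constructed URLs matching the slide's two examples.
    for u in ("http://example.com\u2044x.bad.com",   # U+2044 FRACTION SLASH
              "http://example.com?x.bad.com"):       # genuine ASCII '?'
        r = analyse_url(u)
        print(f"{u}\n  DNS sees: {r['ascii_host']}  registrable: {r['registrable']}"
              f"  query: {r['query'] or '-'}  flags: {r['flags']}")
```

With the fraction slash, the label "com⁄x" becomes an xn-- A-label and the registrable domain is bad.com; with a real question mark the host is example.com and "x.bad.com" is merely the query string. A fullwidth or otherwise non-ASCII "?" look-alike would, depending on the parser, either be rejected or end up inside the host like the fraction slash does, which is why the flags list is worth surfacing to the user.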

Quick conclusion

It is a disaster; we opened a can of worms with IDN.
Let us drop support for IDN (Mozilla?).
Or maybe not; maybe we should ask "the bodies" for a solution.
Good question: WHO are the bodies?

Interested parties

ICANN: update to the IDN guidelines (v2).
ITU-T Study Group 17.
IETF: individual drafts.
IAB: a special committee.
Unicode Consortium: UTR #36, Unicode Security Considerations.

UTR #36: Security Recommendations

General security issues (not just IDN).
V1 approved mid-2005; V2 in progress: http://unicode.org/draft/reports/tr36/tr36.html
Describes the problems and recommends best practices for:
- Users
- Programmers
- User agents (browsers, email, office apps)
- Registries
- Registrars

Restriction levels as defined in UTR #36

L1: ASCII only.
L2: Highly restrictive: all characters from a single script, with a few DEFINED exceptions (script combinations that are mixed in everyday use).
L3: Moderately restrictive: Latin may be mixed with another script, EXCEPT Cyrillic, Greek and Cherokee; otherwise as L2.
L4: Minimally restrictive: allow free mixing of scripts.
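The four levels are easy to turn into a registration-time or display-time check once each character's script is known. The following is an added example, not code from the slides or from the Unicode Consortium: it reports the lowest level at which a label would be accepted. The script is again approximated from the first word of the Unicode character name (production code uses Scripts.txt), and the "defined exceptions" for L2 are the Latin + East Asian combinations listed in the TR36 text as I read it, stated here as an assumption. A-labels are decoded with Python's punycode codec first, so the check can run on names as they appear in the zone.

```python
import unicodedata

NEUTRAL = {"DIGIT", "HYPHEN", "HYPHEN-MINUS", "FULL", "LOW", "COMBINING"}

# Scripts that L3 (Moderately Restrictive) refuses to mix with Latin.
NOT_WITH_LATIN = {"Cyrillic", "Greek", "Cherokee"}

# The "defined exceptions" of L2 (Highly Restrictive): script combinations
# that are mixed in everyday use. Assumption: taken from the TR36 text.
HIGHLY_RESTRICTIVE_COMBOS = [
    {"Latin", "Han", "Hiragana", "Katakana"},
    {"Latin", "Han", "Bopomofo"},
    {"Latin", "Han", "Hangul"},
]


def script_of(ch: str) -> str:
    """Approximate script from the Unicode character name (Common for neutral chars)."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    if first in NEUTRAL:
        return "Common"
    return "Han" if first == "CJK" else first.title()   # CJK UNIFIED IDEOGRAPH-xxxx


def to_unicode(label: str) -> str:
    """A-label (xn--...) to U-label via Python's punycode codec; U-labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def restriction_level(label: str) -> int:
    """Lowest TR36 level (1 = ASCII only ... 4 = minimally restrictive) accepting `label`."""
    label = to_unicode(label)
    if label.isascii():
        return 1
    used = {script_of(c) for c in label} - {"Common"}
    if len(used) <= 1 or any(used <= combo for combo in HIGHLY_RESTRICTIVE_COMBOS):
        return 2
    # L3: Latin plus exactly one other script, never Cyrillic/Greek/Cherokee.
    if "Latin" in used and len(used) == 2 and not (used & NOT_WITH_LATIN):
        return 3
    return 4


def accepted(label: str, policy_level: int) -> bool:
    """True if a registry or user agent enforcing `policy_level` would accept `label`."""
    return restriction_level(label) <= policy_level


if __name__ == "__main__":
    # Constructed sample labels; the first two are the slides' own examples.
    for lab in ("paypal", "xn--pypal-4ve", "\u0441\u0430\u0445\u0430\u0440",
                "caf\u00e9", "t\u03bfp", "tokyo\u6771\u4eac", "a\u0915"):
        print(f"{to_unicode(lab)!r}: L{restriction_level(lab)}")
```

Under this check the Shmoo label xn--pypal-4ve needs L4 (Latin mixed with Cyrillic), so any policy of L3 or stricter rejects it, while an all-Cyrillic сахар passes at L2 and has to be caught by the whole-script confusable logic instead; the two checks complement each other.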

ICANN guidelines v2

Three new guidelines:
Number 3: registration within a single script; very complex.
Number 4: permissible code points (legal characters).
Number 5: limitations on hyphens, because they are used as the escape mechanism for Punycode (the "xn--" prefix).

Comments on ICANN guidelines

Well thought out in general, but almost impossible to enforce.
Already several registrars register "broken" IDN names.
Most of the effort should concentrate on enforcement rules and monitoring.
Somewhat difficult with about 400 MILLION DNS records in the world.

Conclusion

IDN has added a serious threat for Internet users.
Several solutions have been suggested, including proposals from ICANN, the IETF and the Unicode Consortium.
Our opinion is that this threat should NOT be used as an excuse to hinder IDN development, and ESPECIALLY IDN.IDN.

Thank you. Questions?