[ISN] URLs in Urdu?

From: InfoSec News (isnat_private)
Date: Tue May 28 2002 - 01:26:11 PDT


    Forwarded from: William Knowles <wkat_private>

    June 2002
    By: Wendy M. Grossman

    Is this the Web address of tomorrow: ? At the moment, non-Latin
    alphabets and scripts are not compatible with ASCII, the lingua franca
    of the Internet also known as plain text. But as of March only 40
    percent of the 561-million-strong global online population were native
    English speakers, according to online marketing firm Global Reach.

    Work has been proceeding for some time, therefore, to internationalize
    the system that assigns domain names (sciam.com, for example) to the
    dotted clumps of numbers that computers use (such as
    The technical side of things has been managed by the Internationalized
    Domain Name Working Group of the Internet Engineering Task Force
    (IETF). In April, VeriSign, the single largest registrar of domain
    names, claimed to have registered about a million international names.

    But turning Web addresses into a multilingual forum may open the door
    to a dangerous new hazard--hackers could set up fake sites whose
    domain names look just like the ASCII version.

    One example is a homograph of microsoft.com incorporating the Russian
    Cyrillic letters "c" and "o," which are almost indistinguishable from
    their Latin alphabet counterparts. The two students who registered it,
    Evgeniy Gabrilovich and Alex Gontmakher of the Technion-Israel
    Institute of Technology in Haifa did so to make a point: they suggest
    that a hacker could register such a name and take advantage of users'
    propensity to click on, rather than type in, Web links. These fake
    domain names could lead to a spoof site that invisibly captures bank
    account information or other sensitive details.

    In their paper, published in the Communications of the ACM, they paint
    scary, if not entirely probable, scenarios. For instance, a hacker
    would be able to put up an identical-looking page, hack several major
    portals to link to the homographed site instead of the real one, and
    keep it going unnoticed for perhaps years.

    On a technical level, homograph URLs are not confusing. International
    domain names depend on Unicode, a standard that provides numeric codes
    for every letter in all scripts worldwide. And at its core, the
    internationalization of the domain name system is a veneer: the
    machines underneath can still only read ASCII.

    According to the proposed standard, the international name will be
    machine-translated at registration into an ASCII string composed of an
    identifying prefix followed by two hyphens followed by a unique chunk
    of letters and numbers: "iesg--de-jg4avhby1noc0d," for example. This
    string would be translated back into Unicode and compared with the
    retranslation of the original. So right now anyone using a standard
    browser can easily see the difference between an internationalized
    domain name and an ordinary one.

    This situation, however, is temporary. Technical drafts by the IETF
    state that users should not be exposed to the ugly ASCII strings, so
    increasingly users will have little way of identifying homographs.
    Computer scientist Markus G. Kuhn of the University of Cambridge notes
    that for users to be sure they are connected to the desired site, they
    will have to rely on the secure version of the Web protocol (https)
    and check that the site has a matching so-called X.509 certificate.
    "That has been common recommended practice for electronic banking and
    commerce for years and is not affected by Unicode domain names," Kuhn
    observes. Certification agencies (which include VeriSign) ensure that
    encoded names are not misleading and that the registration corresponds
    with the correct real-world entity.

    But experience shows that the Internet's majority of unsophisticated
    users "are vulnerable to all kinds of simple things because they have
    no concept of what's actually going on," explains Lauren Weinstein,
    co-founder of People for Internet Responsibility. Getting these users
    to inspect site certificates is nearly impossible. Weinstein therefore
    thinks that a regulatory approach will be necessary to prohibit
    confusing names. Such an approach could be based on the current
    uniform dispute resolution procedure of the Internet Corporation for
    Assigned Names and Numbers (ICANN), the organization that oversees the
    technical functions of handing out domain names. But it will require
    proactive policing on the part of the registrars, such as VeriSign,
    something they have typically resisted.

    But are international domain names even necessary? Kuhn, who is
    German, doesn't think so: "Familiarity with the ASCII repertoire and
    basic proficiency in entering these ASCII characters on any keyboard
    are the very first steps in computer literacy worldwide."
    Internationalizing names might succeed only in turning the global
    network into a Tower of Babel.

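
Added example, not part of the forwarded article: a defender-side check that shows the ASCII form a homograph of microsoft.com takes underneath and flags it by mixed scripts and by its Latin lookalike. Assumptions: the `xn--` Punycode prefix that was later standardized (the article quotes a draft prefix), a small constructed lookalike table, and a hypothetical one-entry list of protected names.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones;
# a real deployment would load the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y"}
PROTECTED = {"microsoft.com"}  # hypothetical list of names worth defending


def scripts(label):
    """Scripts used by the letters of a label (first word of the Unicode name)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def to_ace(domain):
    """ASCII form the DNS actually sees: Punycode behind an 'xn--' prefix."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Replace known lookalike letters with the Latin letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in domain.lower())


def analyse(domain):
    name = domain.lower()
    skel = skeleton(name)
    return {
        "ace": to_ace(name),
        "mixed_script": [l for l in name.split(".") if len(scripts(l)) > 1],
        # Only report a lookalike when the name is not the protected name itself.
        "lookalike_of": skel if skel != name and skel in PROTECTED else None,
    }


if __name__ == "__main__":
    # Constructed samples: the real name, then one with Cyrillic "c" and "o".
    for name in ("microsoft.com", "mi\u0441r\u043es\u043eft.com"):
        print(ascii(name), analyse(name))
```

Displaying or logging the `ace` value alongside the rendered name keeps the difference visible even when the two look identical on screen.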