FW: Discouraging the Use of Emoji in Domain Names
FYI
From: Cathy Petersen [mailto:cathy.petersen@icann.org]
Sent: Tuesday, May 08, 2018 3:39 AM
To: Katrina Sataki <katrina@nic.lv>
Cc: David Conrad <david.conrad@icann.org>
Subject: Discouraging the Use of Emoji in Domain Names
Sent by Cathy Petersen on behalf of David Conrad:
30 April 2018
RE: Discouraging the use of emoji in domain names by ccTLDs for end user security
Ms. Katrina Sataki
Chair, Country Code Names Supporting Organization
Dear Ms. Sataki,
Lately, there has been increasing interest in the use of emoji in domain names, with some country code Top Level Domain operators (ccTLDs) allowing domain names with emoji to be newly registered at the second level.
The ICANN Security and Stability Advisory Committee (SSAC) studied the use of emoji in the domain name system and issued an advisory (SAC095 <https://www.icann.org/en/system/files/files/sac-095-en.pdf>) highlighting various associated risks. SSAC has identified at least three significant factors that may cause confusion in the use of emoji, making them a security risk and thus, unsuitable for use in domain names:
1. Many emoji are visually similar and can be difficult to distinguish, especially when displayed in smaller fonts or by different applications, as no standard specifies exactly how they should be displayed
2. Some emoji can be “glued” together using a special joining character allowing them to be displayed as a single symbol by some systems. This creates the following two ways in which confusion can occur
   a. To a user, a single unmodified emoji might look exactly the same as its “glued together” counterpart; and
   b. For the systems that do not support emoji composition with the joiner character, they would display the individual components of a “glued together” emoji as a sequence of separate emoji, which may visually be very different from what was intended
3. The ability to apply different colors to some emoji by appending one of five skin tone modifiers for an anthropomorphic emoji is highly sensitive to user interpretation
Such confusability creates significant issues and concerns in the use of the domain name system. As has been noted in an earlier SSAC report (SAC060 <https://www.icann.org/en/system/files/files/sac-060-en.pdf>), confusion in domain names can lead to denial of service or, worse, misconnection. Such confusion exposes domain names for phishing and other social engineering attacks, leading to security problems for end users (SAC089 <https://www.icann.org/en/system/files/files/sac-089-en.pdf>).
Noting these risks, the ICANN Board has resolved <https://www.icann.org/resources/board-material/resolutions-2017-11-02-en#1.e> “that the Country Code Names Supporting Organization (ccNSO) ... inform their respective communities about these risks.”
We would respectfully request the Country Code Names Supporting Organization help by publicly reaching out to all ccTLDs, and specifically to the ccTLDs offering emoji domains, to inform them about the end-user and systemic security risks in offering the emoji in domain names, and to discourage them from this practice to improve domain name system security for all users.
We thank the ccNSO in advance for considering this matter and look forward to a favourable reply. The ICANN organization stands ready to provide any support as necessary for this purpose.
Sincerely,
David Conrad
ICANN Chief Technology Officer
Cathy Petersen
Manager, Office of the CTO
ICANN
T +1 310 578 8634 M +1 424 353 9647
E cathy.petersen@icann.org <mailto:cathy.petersen@icann.org>
S cathy.petersen.icann
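
A registry-side check for the joiner and skin-tone factors listed in the letter above, as an added example that is not part of the letter or of SAC095. The category-So emoji test, the function names and the sample labels are assumptions made for illustration.

```python
import unicodedata

ZWJ = "\u200d"                          # ZERO WIDTH JOINER, the "special joining character"
VARIATION_SELECTORS = {"\ufe0e", "\ufe0f"}
SKIN_TONES = {chr(cp) for cp in range(0x1F3FB, 0x1F400)}   # the five tone modifiers

# Constructed sample labels (not taken from any real registration).
FAMILY_JOINED = "\U0001F468\u200d\U0001F469\u200d\U0001F467"   # man ZWJ woman ZWJ girl
FAMILY_SPLIT = "\U0001F468\U0001F469\U0001F467"                # same three, no joiner
THUMB = "\U0001F44D"
THUMB_TONED = "\U0001F44D\U0001F3FD"                           # thumb + medium tone


def is_symbol(ch):
    """Rough emoji test (assumption): general category So covers most emoji."""
    return unicodedata.category(ch) == "So"


def findings(label):
    """Return which of the letter's risk factors a candidate label triggers."""
    found = set()
    if any(is_symbol(ch) for ch in label):
        found.add("emoji")
    # ZWJ is only reported next to emoji; it has legitimate uses in some scripts.
    if "emoji" in found and ZWJ in label:
        found.add("zwj-sequence")
    if any(ch in SKIN_TONES for ch in label):
        found.add("skin-tone-modifier")
    return found


def skeleton(label):
    """Drop joiners, variation selectors and tone modifiers.

    What remains approximates what a system without emoji composition
    support would show: the individual components, one after another.
    """
    return "".join(
        ch for ch in label
        if ch != ZWJ and ch not in VARIATION_SELECTORS and ch not in SKIN_TONES
    )


def a_label(label):
    """ASCII form of the label as it would appear in the DNS."""
    return "xn--" + label.encode("punycode").decode("ascii")


def collide(a, b):
    """True when two distinct labels reduce to the same skeleton."""
    return a != b and skeleton(a) == skeleton(b)


def registration_allowed(label):
    """Policy the letter asks ccTLDs to adopt: no emoji in labels."""
    return not findings(label)


if __name__ == "__main__":
    for lab in (FAMILY_JOINED, FAMILY_SPLIT, THUMB, THUMB_TONED, "example"):
        print(a_label(lab) if findings(lab) else lab, sorted(findings(lab)))
    print(collide(FAMILY_JOINED, FAMILY_SPLIT), collide(THUMB, THUMB_TONED))
```

The joined and split family labels are different names in the DNS yet share a skeleton, which is the situation item 2b of the letter describes.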
I suggest this request is placed on the agenda of the next call and that we
(a) note it formally
(b) briefly discuss the request itself (not a discussion in the topic, which as we saw in AD has many implications)
Does that seem reasonable?
On 05/08/2018 08:15 AM, Katrina Sataki wrote:
FYI
_______________________________________________ Ccnso-council mailing list Ccnso-council@icann.org https://mm.icann.org/mailman/listinfo/ccnso-council
What can we do to discourage our CTO from sending out of .DOC and .DOCX files like this?
The security risks of macro viruses are extremely well known and have been for a long time.
Microsoft warns that macro viruses are transmitted by opening email attachments. See https://support.microsoft.com/en-us/help/211607/frequently-asked-questions-a...
In addition, the proprietary Microsoft .DOC and .DOCX files do not display correctly with all recipients causing risk of misinterpretation of the document contents. (I've seen this problem with table layout and even currency representation).
(See https://askubuntu.com/questions/28342/how-to-maintain-document-compatibility... for example.)
Nigel
PS: Despite the rather unfortunate irony considering the contents of this particular missive, it seems to me the above is a serious, and long-standing security issue that ICANN has chosen repeatedly to disregard.
On 05/08/2018 08:15 AM, Katrina Sataki wrote:
FYI
Nigel,
Look at the bright side - at least you received it from someone you know (i.e. me). It is always nice to know who infected you.
I am going to talk about email notifications with the Chairs of other SO/ACs; happy to raise the issue of infection with them as well.
Kind regards,
]{atrina
-----Original Message-----
From: Ccnso-council [mailto:ccnso-council-bounces@icann.org] On Behalf Of Nigel Roberts
Sent: Tuesday, May 08, 2018 10:51 AM
To: ccnso-council@icann.org
Subject: Re: [ccnso-council] FW: Discouraging the Use of Emoji in Domain Names
What can we do to discourage our CTO from sending out of .DOC and .DOCX files like this?
The security risks of macro viruses are extremely well known and have been for a long time.
Microsoft warns that macro viruses are transmitted by opening email attachments. See https://support.microsoft.com/en-us/help/211607/frequently-asked-questions-a...
In addition, the proprietary Microsoft .DOC and .DOCX files do not display correctly with all recipients causing risk of misinterpretation of the document contents. (I've seen this problem with table layout and even currency representation).
(See https://askubuntu.com/questions/28342/how-to-maintain-document-compatibility... for example.)
Nigel
PS: Despite the rather unfortunate irony considering the contents of this particular missive, it seems to me the above is a serious, and long-standing security issue that ICANN has chosen repeatedly to disregard.
On 05/08/2018 08:15 AM, Katrina Sataki wrote:
FYI
And I did indeed open this one . . .
But the irony of the CTO's office doing this doesn't escape me.
On 05/09/2018 09:37 AM, Katrina Sataki wrote:
Nigel,
Look at the bright side - at least you received it from someone you know (i.e. me). It is always nice to know who infected you.
I am going to talk about email notifications with the Chairs of other SO/ACs; happy to raise the issue of infection with them as well.
Kind regards,
]{atrina
participants (2): Katrina Sataki, Nigel Roberts