On 27 May 2015, at 21:30, Tan Tanaka, Dennis wrote:

1. IDN treatment from browsers comes in different flavors. One of them is to display the IDN in Unicode if the browser is set to support the language of the IDN. Example: My browser is set up with the Chinese language, then all Chinese IDNs will be displayed in Chinese, the rest will be shown as ascii labels (i.e. xn--asdjk3d2sa).

With Chrome one needs to whitelist an IDN language in order for the unicode form to be displayed instead of the punycode form. One whitelists a language by adding it in Chrome settings. But few people know this and so most users will see the punycode form.

2. I’d like to think that registry policies are preventing registration of mix-script names, but I don’t have hard data on this.

Verisign have very clear and exacting registration requirements. For some languages they have a set of allowable codepoints.

http://www.verisigninc.com/en_US/channel-resources/domain-registry-products/...

Compare, say, KOR with RUS.

KOR allows mixing of LDH (Letters, Digits & Hyphen) which is fine because LDH are not confusable with Hangeul Syllables.

RUS on the other hand, only allows mixing of DH & Cyrillic to prevent mixing of Scripts (and confusables)

CHI is interesting as for the CJK Compatibility Ideographs block they allow just one character U+FA28

Then we can go to the opposite extreme which is the .ws registry which, currently, appears to allow the registration of most anything.
But that does make possible IDNs such as http://😇.ws

With a symbol/emoji IDN such as above or http://🍺.ws one cannot whitelist in Chrome which I suppose is fair enough because according to IDNA2008 they are not allowable characters but it does spoil the fun 😜

André Schappo

From: Don Hollander [mailto:don.hollander@icann.org]
Sent: Wednesday, May 27, 2015 3:20 PM
To: Tan Tanaka, Dennis; c.dillon@ucl.ac.uk; ua-international@icann.org; UA-discuss@icann.org
Subject: Re: [UA-International] IDNs and homographs attacks

Thanks Dennis.

Interesting that the article also attempts to answer the question, “Why” - and attributes some of the low numbers to the way that browsers display the name – in full punycode form.

I wonder if policies at the registry level have had any impact?

Don

From: Dennis Tan <dtantanaka@verisign.com>
Date: Thursday, 28 May 2015 5:17 am
To: "c.dillon@ucl.ac.uk" <c.dillon@ucl.ac.uk>, "ua-international@icann.org" <ua-international@icann.org>, "UA-discuss@icann.org" <UA-discuss@icann.org>
Subject: [UA-International] IDNs and homographs attacks

ICYMI: the APWG released its Global Phishing Survey 2H2014. In it they state “From January 2007 to June 2014 we found only nine true homographic phishing attacks. […] One hundred and three IDN domain names were used for phishing in 2H2014. None were homographic attacks.”

Clearly, those claiming to watch out for IDNs for spoofing attacks are overstating the problem.
Link to the article and survey: http://www.circleid.com/posts/20150527_phishing_in_the_new_gtlds/

From: Dillon, Chris [mailto:c.dillon@ucl.ac.uk]
Sent: Tuesday, May 26, 2015 10:11 AM
To: Tan Tanaka, Dennis
Cc: ua-international@icann.org
Subject: RE: Meeting notes group call 5/26

Dear colleagues,

I’ve checked the GoDaddy article I mentioned. Actually it’s a general article about the small number of law enforcement cases, disputes etc., rather than just IDNs:

http://www.ionmag.asia/2015/02/the-right-rights-balance

Regards,

Chris.
--
Research Associate in Linguistic Computing, Centre for Digital Humanities, UCL, Gower St, London WC1E 6BT
Tel +44 20 7679 1599 (int 31599)
http://www.ucl.ac.uk/dis/people/chrisdillon

From: ua-international-bounces@icann.org [mailto:ua-international-bounces@icann.org] On Behalf Of Tan Tanaka, Dennis
Sent: 26 May 2015 15:02
To: ua-international@icann.org
Subject: [UA-International] Meeting notes group call 5/26

Attendees:
- Chris Dillon
- Dusan
- Don
- Dennis

Notes:
1. Re-cap i18n charter: no comments
2. Review of DRAFT working plan:
   a. Change title of “telling” to “identifying” on work stream titles
   b. Chris Dillon: GoDaddy published some stats on IDN phishing. Cases are rare.
   c. Dennis will develop “confusable characters” item on work stream 1.
   d. Dusan will develop “create test cases to identify UA/IDN gaps in applications” item on work stream 2
   e. Repository of practices, gap assessment, etc. should be maintained in ICANN wiki (Action item: Dennis to set up page and share link to group members)
3. Next group meeting: Tuesday, June 9 @ 13:00 UTC

End of notes

From: ua-international-bounces@icann.org [mailto:ua-international-bounces@icann.org] On Behalf Of Tan Tanaka, Dennis
Sent: Tuesday, May 26, 2015 8:50 AM
To: ua-international@icann.org
Subject: [UA-International] Meeting agenda 5/26

Agenda items:
1. Roll call
2. Re-cap i18n charter https://docs.google.com/document/d/1wO9ubXdg02iptqwMhacFR1UsWKjPiMizXU5M5XmW...
3. Review and discuss DRAFT i18n working plan https://docs.google.com/document/d/183UHeDMvdXVUk1W_4WJOhfFqUGx0DGWa9UeReKcC...
4. Other items
5. Adjourn

I18n Project Group co-Lead

Universal Acceptance: https://icann.org/universalacceptance
Join the conversation: https://mm.icann.org/mailman/listinfo/ua-international
Project group archive: http://mm.icann.org/pipermail/ua-international/

“This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.”