Dealing with Security Issues in Non-Latin Domain Names

Lauren Weinstein recently posted the following to his NNSquad Mailing List.

Example of how "de-Latinized" domain names can be subverted

http://bit.ly/6YbTBR  (Dean Collins' Blog)

Dean, the "fun" has only just begun.  Some of us have been warning of
this consequence for ... well ... pretty much since day one of the
concept.

As the character of Margo Channing (Bette Davis) so accurately warned
in "All About Eve":

"Fasten your seatbelts, it's going to be a bumpy night!"

To say the least ...

--Lauren--
NNSquad Moderator

The article starts off discussing the trademark issues when someone registers an identical word in a different language, but then hits the more critical (and long-anticipated) issue: it is now possible to register the domain name
раyраl.com
which, when pasted into your browser window, looks like "paypal.com" but is spelled with Cyrillic look-alike letters. It is a different sequence of code points (the resolver sees it as a punycode "xn--" label), so it goes to an entirely different site.

Here's my take on the situation (I've sent this to Lauren, it may or may not appear in the mailing list).

Things like the alternate character sets in раyраl.com are one reason why I depend on browsers and/or packages like 1Password from http://agilewebsolutions.com/ (Mac & iPhone, formerly 1Passwd for you Unix geeks) or http://supergenpass.com/ (bookmarklet-based, cross-browser) to remember passwords. They aren't fooled by what the URL looks like; they only enter the password if the site actually has the same domain. That said, depending on a lack of feedback (the browser didn't enter the password automatically) is lousy security. I'm very surprised that the browser makers weren't prepared to at least provide a character set indicator on the URL (we all knew this was coming), not that it would make a huge difference for the majority of users.
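As an added example, not code from the original post or from 1Password/SuperGenPass, here is a small Python script that does the two checks the preceding paragraphs rely on. It flags a hostname whose labels mix scripts, reduces look-alike Cyrillic letters to a Latin "skeleton" and compares that against a list of trusted hosts, shows the punycode form the resolver actually sees (via Python's built-in idna codec, IDNA 2003), and decides whether a password manager should autofill by comparing the saved and current hosts in that form. The look-alike table is a hand-picked subset of the Unicode confusables, and the sample hostnames are constructed to match the page's example, with one all-Cyrillic label added to show a case the mixed-script check alone misses.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin letters in most fonts.
# Assumption: illustrative only, not the full Unicode confusables table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
}


def script_of(ch):
    """Rough script name taken from the Unicode character name,
    e.g. 'CYRILLIC SMALL LETTER ER' -> 'Cyrillic'.
    Digits, '-' and '.' belong to no script and are reported as Common."""
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0].capitalize() if name else "Unknown"


def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label} - {"Common"}


def is_mixed_script(label):
    """True when one label draws letters from more than one script (e.g. Cyrillic + Latin)."""
    return len(scripts_in_label(label)) > 1


def skeleton(label):
    """Replace look-alike Cyrillic letters with the Latin letters they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def to_punycode(host):
    """The ASCII form the resolver sees: each non-ASCII label becomes xn--... (RFC 3490)."""
    return host.lower().encode("idna").decode("ascii")


def check_host(host, trusted_hosts):
    """Inspect one hostname. 'spoofs' names the trusted host it visually imitates, if any."""
    host = host.lower()
    labels = host.split(".")
    skel = ".".join(skeleton(l) for l in labels)
    spoofs = skel if skel != host and skel in trusted_hosts else None
    return {
        "host": host,
        "punycode": to_punycode(host),
        "mixed_script": any(is_mixed_script(l) for l in labels),
        "skeleton": skel,
        "spoofs": spoofs,
    }


def autofill_allowed(saved_host, current_host):
    """A password manager's rule: fill only when the host the credential was saved for is,
    code point for code point, the host now being visited. Comparing punycode forms makes
    how the name *looks* irrelevant; only what it *is* matters."""
    return to_punycode(saved_host) == to_punycode(current_host)


if __name__ == "__main__":
    trusted = {"paypal.com", "cap.com"}
    # Constructed samples: the real site, the page's Cyrillic-er/a + Latin-y/l look-alike,
    # and an all-Cyrillic label ("cap") that passes the mixed-script check.
    samples = ["paypal.com", "\u0440\u0430y\u0440\u0430l.com", "\u0441\u0430\u0440.com"]
    for h in samples:
        print(check_host(h, trusted))
        print("  autofill the paypal.com credential here?", autofill_allowed("paypal.com", h))
```

The all-Cyrillic sample is the caveat: a label built entirely from one script trips no mixed-script warning, which is why a browser indicator based only on script mixing is not enough, and why the password manager's rule is an exact comparison of hosts rather than any judgement about appearance.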

I've become convinced that there is no UI solution to phishing. Password entry (or a completely different authentication model) needs to be done outside of the browser, and the interaction between the browser and the web site needs to be under secured program control. The system is too complex, and the possible failure modes so varied, that the average user simply cannot be expected to tell a legitimate error from a forged one. The other day my mother cut up her credit card because an online store said it wasn't valid, so she assumed it had expired. Presumably she either entered a typo, or their back-end was down (it was a valid site). No UI in the world is going to help when the system is too complex for the user to understand.

Solutions like 1Password and SuperGenPass work 90% of the time, until the domain name changes or the form field names change*; then you have to enter the info by hand. A secure certificate solution for filling out and remembering forms, per-site randomly generated passwords, and a protocol for passing the information back and forth might put a dent in the phishing market, but, like spam and viruses, this isn't a solvable problem; it's an ongoing battle.

* And yes, obviously a software password repository creates a single target for all of the user's information. But given that most people use the same password for all sites, and those sites are in their browser history, I don't see the security issue as significantly different from the current situation.

About this Entry

This page contains a single entry by Kee Hinckley published on December 29, 2009 1:59 PM.


About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
Creative Commons License
This blog is licensed under a Creative Commons License.