Don’t blame phishing on IDNs

I received a friendly email from Twitter awhile back.

It was fake.

I (stupidly) clicked on the link and was greeted with a login page that looked very much like Twitter’s real login page at the time.

Here’s a screen grab (note the bogus address):

I mention this now because I keep coming across stories about how internationalized domain names (IDNs) may be inherently dangerous. That if you start allowing all these additional characters in domain names you’re going to see many more instances of phishing (or IDN spoofing or homograph attacks).

I don’t dispute that these attacks are happening and will continue to happen.

I just want to make the simple point that phishing has been alive and well with plain old ASCII characters.

Maybe IDNs, as they become more popular, will lead to more problems. They probably will. But we’ve had our fair share of phishing attacks with Latin-based characters and I don’t ever read an article or blog post suggesting we eliminate these characters from the DNS.

Risk is, unfortunately, a sad fact of life on this crazy world wide web. And, yes, there are  IDN scenarios (like mixed scripts) in which IDNs could present the “bad guys” with exciting possibilities. So far, these scenarios have been limited reasonably well.

The key is to minimize risks while still allowing people around the world to interact in their native languages.

IDNs, warts and all, are important to the future of the Internet.


(Visited 67 times, 1 visits today)