[dns-operations] Spoofing, emojis, &c &c (was Re: Emoji "Female" symbol fails to resolve at Google's 8.8.8.8 & 8.8.4.4)

Andrew Sullivan ajs at anvilwalrusden.com
Mon Jul 17 11:59:54 UTC 2017


On Mon, Jul 17, 2017 at 12:44:59PM +0100, James Stevens wrote:
> http://www.unicode.org/reports/tr36/#User_Recommendations
> 
> "2.11.1 Recommendations for End-Users
> 
> A. Use browsers, mail clients, and other software that have put user-agent
> guidelines into place to detect spoofing."

Yes, but also you need to follow the actual protocol, which doesn't
allow emojis because they're not letters or digits ;-)

> Although "D. Where there are alternative domain names, choose those that are
> less spoofable" - seems tough to achieve given the number of Latin
> characters where one that is visually identical can be found in Cyrillic.

Several years ago I wrote a draft that was intended originally to
solve the problem of boundaries for cookies, but that had an obvious
and trivial extension by which you could get other policies about a
domain.  One such policy would be the available repertoire of code
points in a domain.  It would potentially allow some controls along
these lines.  It didn't go anywhere because browser builders dismissed
it as too expensive and not worth the additional RTT.  I think they're
right, but the basic problem here is that getting these policies in
real time is going to add latency.  And of course, you can't cache the
Internet, so you'd have to get the data in near real time or else
optimistically succeed until you get a positive failure.

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
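
Added example, not part of the original message: a minimal Python sketch of the two checks discussed above, rejecting code points that are not letters or digits and flagging labels that mix scripts such as Latin and Cyrillic. The function names are hypothetical, the sample labels are constructed, the category set is the LetterDigits class of RFC 5892 rather than the full IDNA2008 derivation, and the script is approximated from the Unicode character name.

```python
import unicodedata

# General categories of the LetterDigits class in RFC 5892. This is a
# simplification: full IDNA2008 applies further rules (for example it
# disallows uppercase letters), which this sketch does not implement.
LETTER_DIGIT = {"Ll", "Lu", "Lo", "Lm", "Mn", "Mc", "Nd"}


def script_of(ch):
    """Approximate the script by the first word of the character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def check_label(label):
    """Return a list of findings for one Unicode label (empty if none)."""
    findings = []
    scripts = set()
    for ch in label:
        if ch == "-":  # hyphen is allowed in labels
            continue
        cat = unicodedata.category(ch)
        if cat not in LETTER_DIGIT:
            findings.append(
                f"U+{ord(ch):04X} category {cat}: not a letter or digit")
            continue
        if cat.startswith("L"):  # only letters carry script information here
            scripts.add(script_of(ch))
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return findings


if __name__ == "__main__":
    # Constructed sample labels: plain ASCII, the female sign from the
    # thread subject, and a Latin label with one Cyrillic letter (U+0430).
    for sample in ["example", "\u2640", "p\u0430ypal"]:
        print(repr(sample), check_label(sample))
```

A label written entirely in one non-Latin script passes the mixed-script check, so this does not address whole-script lookalikes.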


