Editor's Blog and Industry Comments

Cyrillic second-level domains create phishing vulnerability

26 November, 2009
Rossia.rf (a Latin transliteration of the Cyrillic name) is the first second-level domain to use the Cyrillic alphabet, opening a new era of potential security problems for users worldwide
The Russian RIA Novosti news agency has reported that the first domain name to use the Cyrillic alphabet throughout will be rossia.rf. The ability to register second-level domains in Cyrillic comes into effect at the start of 2010 for government sites and trademark owners. Everyone else has to wait until 20 April, and registration charges in the initial phase are reported to be deliberately high, ostensibly to stop speculators cornering potentially popular names.

The Latin top-level domain for Russia is .ru, and it has not been carried over into the Cyrillic version because the Cyrillic letters for "ru" (р, у) are visually identical to the Latin letters "py", the top-level domain of Paraguay. It is this visual cross-over between Cyrillic and Latin characters that is now raising security concerns, particularly about phishing.

As long ago as the start of 2008, Russia expressed concerns over using a Cyrillic ".ру" as a TLD because of the exposure to phishing via Paraguay's .py. That is why .rf (Russian Federation) was chosen instead: the Cyrillic "f" (ф) has no look-alike in the Latin alphabet.


With the introduction of Cyrillic SLDs in 2010, the same problem moves from the TLD into the rest of the domain name, and it affects users everywhere, not just in Russia.

Cyrillic letters that look like Latin letters include, depending on typeface, the counterparts of y, k, e, x, b, a, p, o, c and g. The implication is that it is possible to register a domain name mixing Cyrillic and Latin letters that renders exactly like an existing Latin one:

"bank" and "bаnk" appear the same on screen, even though the first uses the Latin "a" (U+0061) and the second the Cyrillic "а" (U+0430); the same trick works with "k" (Latin U+006B, Cyrillic "к" U+043A).

The phishing implications are clear. Nothing currently prevents mixed-alphabet names from being registered and, indeed, for some of the world's languages a mixture of scripts within a name is a genuine requirement.

The industry is still arguing the point: some say the registration process should minimise the risk at the registry, others that browser developers and anti-phishing vendors should recognise mixed-script domain names and flag them to the user as a potential security risk.
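The check the browser-side camp is asking for can be written in a few dozen lines. The following is an added example, not code from the original article or from any browser or registry: it classifies each label of a domain by Unicode script, flags labels that mix Cyrillic with Latin, and reduces every label to a Latin "skeleton" via a constructed table of look-alike letters so that a spoof can be matched against a list of protected brand names. The look-alike table is an illustrative subset (it goes slightly beyond the letters listed above by adding the Cyrillic і, ј and ѕ used in Belarusian, Serbian and Macedonian); the authoritative list is Unicode UTS #39's confusables.txt. The ACE ("xn--") form is produced with Python's built-in IDNA (2003) codec.

```python
"""Homograph detection for IDN labels: mixed-script check, confusable skeleton, ACE form.

Added example for this article; the confusable table and test domains are constructed.
"""
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters in most typefaces.
# The authoritative mapping is Unicode UTS #39 confusables.txt; this is only an illustration.
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u043a": "k",  # к CYRILLIC SMALL LETTER KA
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
}


def script_of(ch):
    """'Common' for digits and hyphen; otherwise the script word that leads the Unicode name
    ('Latin', 'Cyrillic', 'Greek', ...)."""
    if ch in "0123456789-":
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0].capitalize()


def scripts_in(label):
    """Set of scripts present in one label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def is_mixed_script(label):
    """True when a single label combines two or more scripts (e.g. Latin b,n,k with Cyrillic а)."""
    return len(scripts_in(label)) > 1


def skeleton(label):
    """Fold case, normalise, and replace each known Cyrillic look-alike with its Latin twin,
    so a spoof and its target produce the same string."""
    folded = unicodedata.normalize("NFKC", label.lower())
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in folded)


def to_ace(domain):
    """ASCII-compatible (Punycode, 'xn--') form: what travels in DNS and what a browser can
    fall back to displaying when it distrusts a label."""
    return domain.encode("idna").decode("ascii")


def assess(domain, protected_names):
    """Per-label verdict: which scripts appear, whether they are mixed, and which protected
    names the label impersonates (same skeleton, different spelling)."""
    findings = []
    for label in domain.split("."):
        skel = skeleton(label)
        impersonates = [t for t in protected_names
                        if skeleton(t) == skel and label.lower() != t.lower()]
        findings.append({
            "label": label,
            "scripts": sorted(scripts_in(label)),
            "mixed_script": is_mixed_script(label),
            "impersonates": impersonates,
        })
    return findings


if __name__ == "__main__":
    # Constructed test cases: a Latin/Cyrillic mix, a pure-Cyrillic spoof, and a genuine name.
    brands = ["bank", "scope"]
    for d in ["bank.com", "b\u0430nk.com", "\u0455\u0441\u043e\u0440\u0435.com"]:
        print(d, "->", to_ace(d))
        for f in assess(d, brands):
            print("   ", f)
```

Two points the output makes that the prose alone does not: the check has to be per label, because a Cyrillic second-level name under a Latin .com is not in itself suspicious; and a mixed-script rule alone is not enough, since "ѕсоре" is pure Cyrillic yet skeletonises to "scope". That is why browsers that restrict mixed-script display still need brand-collision lists, and why registries that ban Latin/Cyrillic mixing within a label still leave whole-script confusables to be caught elsewhere. A production deployment would use the full UTS #39 data and an IDNA2008 library rather than the stdlib codec used here.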

The glib answer would be never to click on links and always type the domain name by hand: a typed Latin "a" produces a different code point from a Cyrillic "а", so the typed name cannot resolve to the spoof. However, we click links all the time, in search engines, directories and any number of other "trusted" sources. Cutting and pasting would not reduce the risk either, since the clipboard preserves the Cyrillic code points, so our personal productivity would plummet if we had to start typing every domain name. It may be fine for bank.com, but would you like to re-type http://www.prosecurityzone.com/Customisation/News/IT_Security/Internet_Security_and_Content_Filtering/Non-Latin_Character_Domain_Name_Support_spells_phishing_problems.asp ? I don't think so!

The industry really needs to sort this out quickly. 2010 is upon us and three Cyrillic country-code top-level domains are already in the pipeline (.bg for Bulgaria, .rf for the Russian Federation and .ukr for Ukraine, written .бг, .рф and .укр). The population of the Commonwealth of Independent States, where the Cyrillic alphabet is widely used, is nearly 300 million people, and it is very likely that other countries in Eastern Europe, Central Asia and the Caucasus, and even Mongolia, will want their own Cyrillic domains.

There are other issues too. Cyrillic domain names constrain accessibility, and many commercial organisations, particularly in Russia, want to reach wider markets. To use a site with a Cyrillic domain name you first have to recognise the characters (which millions don't) and then be able to type them on your computer (which millions can't). Adding Cyrillic input was relatively simple on Windows XP, and many see Vista as a downgrade in this respect: users whose machines came with Vista Home Premium are told to upgrade to Windows Vista Ultimate or Enterprise, and that is not free. Strictly, what the Home editions lack is the multilingual user-interface (display language) packs; Cyrillic fonts and keyboard layouts ship with every edition, but few users know how to enable them.