.th IDN Deployment

Provided by: apngsecr

1
.th IDN Deployment
  • Phisit Siprasatthong
  • THAILAND

2
IDN Overview
  • What is IDN?
  • Why IDN?
  • Benefits and drawbacks

3
What is IDN?
  • IDN (Internationalized Domain Name) is a domain
    name which can contain non-ASCII characters
  • ????????.th
  • ???.jp
  • ??.tw
  • And more...

4
Why IDN?
  • Increasing number of non-English speaking
    Internet users
  • Native names are usually easier (for native
    speakers) to remember than romanized names
  • Different words in the native character set can share
    the same romanized form, which causes confusion
      • e.g. ??? (temple) → wat
      • ????? (progress) → wat
      • ????? (speech) → wat

5
Benefits & Drawbacks of IDNA
  • Benefits
      • Can be handled by the existing DNS
      • Has been standardized and is supported by many
        applications
  • Drawbacks
      • Client-side applications have to be upgraded;
        native support in some popular applications has
        not been implemented yet
      • Top-level domains still remain in ASCII

6
IDN in General
  • IDN standards
  • How IDN works
  • Server-side configurations
  • Client-side applications

7
IDN Standards
  • Proposed by the IETF (in several RFCs)
  • Consist of:
      • RFC 3454 Stringprep
      • RFC 3490 IDNA
      • RFC 3491 Nameprep
      • RFC 3492 Punycode
  • Implementation methods following these standards
    are called Internationalizing Domain Names in
    Applications (IDNA)

8
How IDNA works
  • The end user enters an IDN into a supporting
    application, e.g. a Web browser
      • ทีเอชนิค.th
  • The IDN is split into several levels, using the
    period (.) as the separator
      • ทีเอชนิค th
  • Levels which contain non-ASCII characters are
    converted to ASCII using the Punycode algorithm
      • 42cl2bj2hxbd2g th
  • xn-- is added to each converted level to mark
    that it is actually non-ASCII; we call this
    ASCII-compatible encoding (ACE)
      • xn--42cl2bj2hxbd2g th

9
How IDNA works (cont.)
  • All levels are combined back again before being
    sent out to the Internet
      • xn--42cl2bj2hxbd2g.th
  • On the DNS server side, the configuration is
    the same as for a traditional ASCII domain name;
    just use the ACE form as the name
      • xn--42cl2bj2hxbd2g.th A 203.150.1.200
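
The conversion steps on the two "How IDNA works" slides, as an added Python example that is not part of the presentation. The function names are chosen here; it relies on CPython's built-in `punycode` codec and `encodings.idna.nameprep`, and the Thai label is the one the slide's ACE string decodes to.

```python
from encodings.idna import nameprep  # CPython's RFC 3491 Nameprep profile

ACE_PREFIX = "xn--"
# Constructed input: the label that the slide's ACE string decodes to.
THAI_DOMAIN = "\u0e17\u0e35\u0e40\u0e2d\u0e0a\u0e19\u0e34\u0e04.th"


def label_to_ace(label: str) -> str:
    """Convert one level of a domain name to its ASCII-compatible encoding."""
    label = nameprep(label)              # normalise and case-fold first
    if label.isascii():
        return label                     # ASCII levels pass through unchanged
    ace = ACE_PREFIX + label.encode("punycode").decode("ascii")
    if len(ace) > 63:                    # DNS limit for a single label
        raise ValueError(f"encoded label too long: {ace!r}")
    return ace


def label_to_unicode(label: str) -> str:
    """Reverse step: strip the ACE prefix and Punycode-decode the rest."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def to_ace(domain: str) -> str:
    """Split on '.', convert each level, and join the levels again."""
    return ".".join(label_to_ace(level) for level in domain.split("."))


def to_unicode(domain: str) -> str:
    """Decode every ACE level of a domain back to Unicode."""
    return ".".join(label_to_unicode(level) for level in domain.split("."))


def zone_line(domain: str, ipv4: str) -> str:
    """Build the A record in the form shown on the slide."""
    return f"{to_ace(domain)} A {ipv4}"


if __name__ == "__main__":
    print(to_ace(THAI_DOMAIN))
    print(to_unicode("xn--42cl2bj2hxbd2g.th"))
    print(zone_line(THAI_DOMAIN, "203.150.1.200"))
```

Nameprep runs before the ASCII test, so an upper-case ASCII level is lower-cased as well, and the same name always maps to the same DNS owner name.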

10
IDNA-supporting applications
  • Most newer browsers support IDNA out of the box
      • Gecko-based
          • Firefox (multiplatform)
          • Mozilla (multiplatform), both from the Mozilla
            Foundation
      • Opera (multiplatform)
      • KHTML-based
          • Safari (Mac OS X)
          • Konqueror (Linux)
  • IE does not support IDNA yet (latest version
    released 4 years ago!!)
      • Plug-ins are available, e.g. i-Nav from Verisign

11
Thai-Language Specific Topics
  • Thai character set
  • Thai character sequences

12
Thai Character Set
  • U+0E01 to U+0E59 in the Unicode table
  • Registered with IANA, effective 21 June 2004
      • http://www.iana.org/assignments/idn/th-thai.html
  • Some glyphs are not permitted to be used in IDNs,
    e.g. symbols, punctuation marks
      • (following ICANN guidelines at
        http://www.icann.org/general/idn-guidelines-20jun03.htm)

13
Thai Character Sequences
  • The Thai writing system has many possible
    combinations of base consonants and combining
    marks
  • Thai combining marks can be classified into at
    least 4 types: upper vowels, lower vowels, tonal
    marks, and other diacritics
  • An upper/lower vowel (if present) must be attached
    next to the base consonant, then a tonal
    mark/diacritic can follow
  • A standard for controlling Thai character
    sequences named WTT (Wing Thuk Ti Runs
    Everywhere) has been defined

14
WTT 2.0 overview
  • Passthrough mode: no checking is applied
      • Both sequences of ? ?? ?? and ? ?? ??
        can form the word ???
  • BasicCheck mode: simple checking is applied so that
    no ambiguous sequences can occur
      • Only the sequence of ? ?? ?? can form the word
        ???
  • Strict mode: some grammatical checks are also
    added so that only pronounceable sequences can be input
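
The ordering rule from the "Thai Character Sequences" slide (vowel directly after the base consonant, then tonal mark or diacritic), as an added Python example that is not part of the presentation and is not the WTT 2.0 state table. The character classes and function names are assumptions made here from the Unicode Thai block, and the sample strings are constructed.

```python
# Simplified character classes (assumption, not the WTT 2.0 tables).
BASE = range(0x0E01, 0x0E2F)                        # KO KAI .. HO NOKHUK
UPPER_VOWEL = {0x0E31, 0x0E34, 0x0E35, 0x0E36, 0x0E37}
LOWER_VOWEL = {0x0E38, 0x0E39}
TONE = {0x0E48, 0x0E49, 0x0E4A, 0x0E4B}
DIACRITIC = {0x0E3A, 0x0E47, 0x0E4C, 0x0E4D, 0x0E4E}


def classify(ch: str) -> str:
    """Map a character to base / vowel / mark / other."""
    cp = ord(ch)
    if cp in BASE:
        return "base"
    if cp in UPPER_VOWEL or cp in LOWER_VOWEL:
        return "vowel"
    if cp in TONE or cp in DIACRITIC:
        return "mark"
    return "other"      # leading/following vowels, digits, ASCII, ...


def first_violation(text: str) -> int:
    """Return the index of the first out-of-order combining mark, or -1."""
    prev = "other"
    for i, ch in enumerate(text):
        kind = classify(ch)
        if kind == "vowel" and prev != "base":
            return i    # vowel must sit directly on a base consonant
        if kind == "mark" and prev not in ("base", "vowel"):
            return i    # tone/diacritic needs a consonant or its vowel
        prev = kind
    return -1


def is_well_ordered(label: str) -> bool:
    """True when every combining mark in the label is in the required order."""
    return first_violation(label) == -1


# Constructed samples: the same three characters in two different orders.
GOOD = "\u0e17\u0e35\u0e48"     # THO THAHAN, SARA II, MAI EK
SWAPPED = "\u0e17\u0e48\u0e35"  # THO THAHAN, MAI EK, SARA II

if __name__ == "__main__":
    for sample in (GOOD, SWAPPED):
        print([f"U+{ord(c):04X}" for c in sample], is_well_ordered(sample))
```

A registry that accepted both orders would hold two distinct ACE strings for names that can render the same, which is the ambiguity BasicCheck mode is meant to rule out.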

15
Practical Deployment of IDN under .th
  • Delegation policies
  • Phases of deployment
  • Feedback, issues, and future plan

16
Delegation Policies
  • Royal names, country and province names are
    reserved
  • Domain names consisting of Thai characters would
    be registered at second level under .th
  • (contrast with ASCII domain names which would be
    registered at third level)
  • One complimentary IDN for each registered ASCII
    domain name
  • A valid IDN must be a direct translation or a
    homophone (word which has the same sound) of the
    corresponding ASCII domain name
      • e.g. thnic.co.th → ????????.th (homophone)
      • doctor.co.th → ???.th (translation)
  • In the beginning phases, IDNs under .th are
    provided free of charge

17
Phases of Deployment
  • Sunrise Phase (Jul 26 - Oct 25, 2004)
      • Eligible registrants must have registered an ASCII
        domain name under .th before Jun 25, 2004
  • Intermediate Phase (Oct 26, 2004)
      • Eligible registrants must have an ASCII domain
        name under .th
  • Open Phase (TBA)
      • IDNs under .th can be registered without the
        existing ASCII domain name requirement
      • Registration fee may apply

18
.th IDN Statistics
  • As of Feb 15, 2005 there are 1,563 IDNs
    registered under .th (about 10% of the number of
    ASCII domain names)

19
Feedback, issues and future plan
  • The number of applicants is not as high as previously
    expected
  • IE is still dominant among end users, which leads
    to complaints that they cannot access web sites
    using IDNs
  • IDN delegation policies seem to be too strict
    for some applicants (as do the ASCII domain name
    policies)
  • Therefore, we should promote both IDN usage and
    the advantage of using IDN-compliant applications to
    Internet users

20
Recent IDNA security issues
  • How can IDNA be spoofed
  • Timeline of IDNA spoofing concerns
  • How this affects IDNA
  • Solutions

21
How can IDNA be spoofed
  • IDNA allows full Unicode (multilingual)
  • Different characters in different languages
    appear to be the same visually, i.e. homographs
  • Example
      • Latin small letter a /e?/ (U+0061): a
      • Cyrillic small letter a /a/ (U+0430): а

22
How can IDNA be spoofed (cont.)
  • Exploiter can register an IDN which resemble
    another existing ASCII domain name and make
    hyperlinks to it
  • Unaware users can be spoofed since they do not
    see difference between both domain names
  • Example
  • paypal.com is an ASCII domain name
  • p?ypal.com is an IDN whose ACE is
  • xnpypal-4ve.com
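
A registry-side or filter-side check for the homograph case on these two slides, as an added Python example that is not part of the presentation. The function names are chosen here, and the script of a character is approximated from the first word of its Unicode name, which is an assumption that holds for Latin, Cyrillic and Thai letters.

```python
import unicodedata

ACE_PREFIX = "xn--"
COMMON = set("0123456789-")     # allowed in any label, carries no script


def script_of(ch: str) -> str:
    """Approximate the script from the Unicode character name (heuristic)."""
    if ch in COMMON:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_label(label: str) -> str:
    """Turn an ACE label back into Unicode; ASCII labels are returned as-is."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def mixed_script_labels(domain: str) -> list:
    """Return (label, code points, scripts) for each label mixing scripts."""
    findings = []
    for label in domain.split("."):
        text = decode_label(label)
        scripts = {script_of(ch) for ch in text} - {"COMMON"}
        if len(scripts) > 1:
            points = [f"U+{ord(ch):04X}" for ch in text]
            findings.append((label, points, sorted(scripts)))
    return findings


# Names taken from the slides; the list itself is constructed for the example.
SAMPLES = ["paypal.com", "xn--pypal-4ve.com", "xn--42cl2bj2hxbd2g.th"]

if __name__ == "__main__":
    for name in SAMPLES:
        hits = mixed_script_labels(name)
        print(name, "->", hits if hits else "single script per label")
```

The pure-Thai label passes and only the Latin/Cyrillic mix is flagged, so this kind of delegation rule does not require disabling IDN; a label written entirely in one look-alike script is not caught by this check.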

23
Timeline of IDNA spoofing concerns
  • Dec 2001: A paper describing the homograph spoofing
    potential released
      • http://www.cs.technion.ac.il/gabr/papers/homograph.html
  • Jun 2003: ICANN guidelines released
  • Most browsers adopt IDNA implementation
  • Some registries/registrars did not follow the ICANN
    guidelines and allowed registration of problematic
    IDNs
  • Feb 7, 2005: A group of hackers demonstrated the
    spoofing flaw on their website
      • http://www.shmoo.com/idn/

24
Timeline of IDNA spoofing concerns (cont.)
  • Feb 8, 2005: A preventive method to disable IDN
    by proxy configuration released
      • Disadvantage: ALL IDNs would be inaccessible to
        clients connecting via such a proxy
  • Feb 9, 2005: A security advisory released on the
    Secunia website
      • http://secunia.com/advisories/14163/
  • Feb 14, 2005: Mozilla Foundation announced that
    forthcoming versions of their browsers will have
    IDN disabled by default (it can be manually
    enabled later); a long-term resolution is on the
    way

25
How this affects IDNA
  • Exaggerated panic caused by some articles may
    lead some users to think that IDNA is not safe
    at all
  • Until now, almost all solutions involve disabling
    IDNA, so IDNA will not be usable in some
    environments
  • IDNA registration and usage may decrease for
    the above reasons

26
How should TLD Operators react to this issue
  • All TLD operators must conform with the ICANN
    guidelines
  • They should assure their customers, as well as end
    users, that the fault is not really a technical
    issue but is due to some operators' delegation
    policies
  • JPRS has a good topic on this. See
    http://jprs.co.jp/en/topics/050214.html

27
Thank You