
Maybe It's Time to Ditch Let's Encrypt? – LinkLocker Blog - jarrod_whaley
https://linklocker.co/blog/maybe-it%27s-time-to-ditch-lets-encrypt.html
======
makecheck
We have to take the domain out of the equation completely. The entire layer of
protocols should be built to check multiple credentials that _aren’t_ using
the domain so that users never have to figure out if something from
"GøØglé•çôm" is legitimate.

One of the problems with sanity-checking URLs is that, thanks to ICANN, almost
any string can now be a valid domain. Given that "foo.bar" and "foo.bar.baz"
may both be real, how can you tell when the latter is a spoof of the former?
Furthermore, some organizations might actually _create_ multiple domains that
are subsets of each other, such as "foo.google" and "foo.google.com"; that
means you can’t apply _any_ simple expression without knowledge of the
organizations in question. There is then no _fast_ way to determine if a URL
is suspicious, without the usual downsides of blacklisting versus
whitelisting.

And that’s all before even considering Unicode in the equation. There are some
Unicode symbols that look similar enough or even _identical_ to others, and
heck, even a DOT could be replaced by a look-alike dot (I suppose, unless the
restricted Unicode ranges have excluded dot-like symbols). Any attempt to
_quickly_ scan a URL for potential scams is not just a matter of looking for
particular names, it’s a matter of looking for a huge number of variants. You
simply can’t expect a CA or anyone else to reliably determine if a URL “looks
good” by itself.

~~~
jarrod_whaley
Great points. There are any number of other factors that could be considered,
and there is no reason other than inertia not to do some hard thinking about
these issues.

Also, as I said in the post, indicating both encryption and identity via a
single icon in browsers is mega-dumb.
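
Added example, not part of either comment above: a Python sketch of the kind of quick hostname scan makecheck describes, showing where it helps and where it cannot decide. The function names, the `KNOWN` list and the sample hostnames are constructed for illustration; the script tag is a rough heuristic taken from Unicode character names.

```python
import unicodedata

# Besides U+002E, IDNA (RFC 3490) requires these to be recognized as label separators.
IDNA_DOTS = {"\u3002", "\uff0e", "\uff61"}

def script_of(ch):
    """Rough script tag: first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_host(host):
    """Return sorted reasons a hostname's characters deserve a closer look."""
    findings = set()
    for ch in host:
        if ch in IDNA_DOTS:
            findings.add("dot-lookalike")
        elif ord(ch) > 127:
            findings.add("non-ascii")
    normalized = "".join("." if c in IDNA_DOTS else c for c in host)
    for label in normalized.split("."):
        if len({script_of(c) for c in label if c.isalpha()}) > 1:
            findings.add("mixed-script")
    return sorted(findings)

def prefix_collisions(host, known_hosts):
    """Known hosts that `host` extends by appending further labels."""
    return [k for k in known_hosts if host.lower().startswith(k.lower() + ".")]

# Constructed sample inputs; KNOWN is a hypothetical list of names already seen.
KNOWN = ["foo.bar", "foo.google"]
SAMPLES = [
    "GøØglé•çôm",            # string quoted in the comment: all Latin, so not mixed-script
    "g\u043e\u043egle.com",  # Cyrillic 'о' inside a Latin label
    "foo\u3002bar",          # ideographic full stop standing in for '.'
    "foo.bar.baz",           # extends foo.bar: spoof or legitimate? cannot tell
    "foo.google.com",        # extends foo.google: same finding
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), inspect_host(s), prefix_collisions(s, KNOWN))
```

The last two samples produce the same kind of finding, which is the comment's point: a string rule flags the possible spoof and the legitimate sibling domain alike, and only knowledge of the organization separates them.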

