As a corollary: more competition by [constrained] TLDs is good because
if -say- com. allows too many embarrassing confusable domains to be
registered,
leading to noticeable and noticed phishing attacks,
I think that underestimates the users.... But "does it matter"?
I've received 4 emails today that made it through whatever spam filters for
whatever reason. All 4 of them seemed to provide the opportunity for phishing
attacks, and 0 of them leveraged IDN. For that matter, they weren't even
trying to be that clever with the ASCII paths.
I think the impact on phishing and confusables may be embarrassing perhaps, but
doesn't have much true impact on security. How many times have you mistyped a
URL and ended up somewhere else? Often with advertising and stuff trying to
make a few cents off of the target URL typos?
Too many companies send emails from
"company@fulfillment.example.com" (totally random) or send you
to "company.orderprocessing.example.com" and expect you to complete a link. So
phishing stuff with @secure.com is going to succeed. They don't need
confusable. (I've even seen papers that suggest that scammers sometimes prefer
obvious traps because they really want to get the gullible folks - obvious bad
URLs could filter those out.)
-Shawn