[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] homograph attacks

To: "Martin v. Löwis" <martin@v.loewis.de>
Subject: Re: [idn] homograph attacks
From: Erik van der Poel <erik@vanderpoel.org>
Date: Thu, 17 Feb 2005 09:28:28 -0800
Cc: Martin Duerst <duerst@w3.org>, Michel Suignard <michelsu@windows.microsoft.com>, William Tan <wil@dready.org>, "Kane, Pat" <pkane@verisign.com>, idn@ops.ietf.org, ericj@shmoo.com, tedd <tedd@sperling.com>, dam@icann.org
In-reply-to: <4214C986.4020801@v.loewis.de>
References: <FD16260E2EDF204E80A22FB904A425C30BD0A0CF@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com> <42142666.6080005@vanderpoel.org> <6.0.0.20.2.20050217174850.06842c80@localhost> <4214BF99.9050401@vanderpoel.org> <4214C986.4020801@v.loewis.de>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Martin v. Löwis wrote:

Erik van der Poel wrote:
StringPrep and NamePrep are great, but I wonder if it might be good to take their ideas one step further to solve the IDN spoofing problem. I.e. to "normalize" the homographs by mapping the similar-looking characters to "base" characters.
Only by means of blocking registration. A registration can be blocked
not only because it violates static rules, but also because it is
(or could be) a homograph for a different, already registered, label.

I think it would be good to consider mapping homographs in the application too. For example, what if a user finds a domain name (or URI) in a magazine and then wants to type that into a Web browser's URI field? The most natural keyboard input language to choose is the user's (main) language. If one of the characters in the domain name is a homograph, then the user might type the "wrong" character, i.e. the wrong character code. She might type Cyrillic small 'a' instead of Latin small 'a'.

Wouldn't it then be the responsibility of the browser to map the "wrong" character code to the right one before sending it to a DNS server? Otherwise, DNS would not be able to find the right domain name.

Erik

Follow-Ups:
- Re: [idn] homograph attacks
  - From: "Martin v. Löwis" <martin@v.loewis.de>

References:
- RE: [idn] homograph attacks
  - From: "Michel Suignard" <michelsu@windows.microsoft.com>
- Re: [idn] homograph attacks
  - From: Erik van der Poel <erik@vanderpoel.org>
- Re: [idn] homograph attacks
  - From: Martin Duerst <duerst@w3.org>
- Re: [idn] homograph attacks
  - From: Erik van der Poel <erik@vanderpoel.org>
- Re: [idn] homograph attacks
  - From: "Martin v. Löwis" <martin@v.loewis.de>

Prev by Date: Re: [idn] homograph attacks
Next by Date: Re: [idn] who should be doing IDN filtering
Previous by thread: Re: [idn] homograph attacks
Next by thread: Re: [idn] homograph attacks
Index(es):
- Date
- Thread