Re: [idn] space-like unicode char

[Soobok Lee <lsb@lsb.org>]

The real problem comes when "com.%1160%1160*" is punycoded into "xn--blah".
( You can increase the number of "%1160"s until 63-char limit is reached)

"www.microsoft.xn--blah.uni.cc"
is decoded and displayed in the native form on the MSIE/i-Nav or Firefox
1.x.
what would you see on the address bar and in the webpage?

The legitimate ASCII url http://www.microsoft.xn--blah.uni.cc would
succeed to be resolved and deliver the phishing page, while the end user see
"www.microsoft.com" isolated in the beginning part of the address bar.

the end user may not see "uni.cc" part if the frame width of the MSIE
window instance
is narrow enough to hide ".uni.cc" .


Soobok



Soobok Lee wrote:

>For those who do not have a webserver: plz copy this url into your MSIE
>addressbar .
>
>javascript:void(window.open(unescape("http://www.microsoft.com%u2044%u1160%u1160.uni.cc/";),"_self"))
>
>You will see an error page if you have recent MSIE patch.
>
>Soobok
>
>Soobok Lee wrote:
>
>  
>
>>You can paste this html/javascript codelet to an html file in your
>>webserver and see in your MSIE brower.
>>You will see "www.microsoft.com" isolated in the addressbar from the
>>"mozilla.org" domain suffix.
>>Fortunately, you will see blank space (no phishing page) if you have
>>recent IE patch.
>>This won't work in firefox 1.x which strips off those special chars
>>for unknow reasons before sending to
>>the address bar.
>>
>><script>
>>window.open(unescape("http://www.microsoft.com%u1160%u1160%u1160%u1160%u1160%u1160.mozilla.org/";),"_blank");
>>
>></script>
>>
>>U+1160 is a space-like char and even stringprep/nameprep does not
>>filter it out because
>>the char is not for punctuational purpose.
>>U+1160 is just one example, and i guess there may be many alternatives
>>that can be
>>used as blank char alternatives.
>>
>>U+1160 in the above example is placed in the 3rd level domain name label,
>>over which .org registry cannot impose any regulations.
>>
>>Soobok Lee
>>    
>>
>
>
>
>  
>