
Re: [idn] upstream and downstream



Adam M. Costello wrote:
> I'm with you both.  I wanted the IDN working group to define a subset,
> but ultimately I was persuaded that it was not feasible for the IETF to
> reach consensus on such a subset, and that subsetting could and should
> be done on a per-registry basis, inside the registry rather than the
> applications.  But the slash-homograph attack now makes that approach
> (in its pure form) appear hopeless.

Just to delurk for a moment... I'm currently kicking around ideas here at mozilla.org for dealing with this issue. We hope to be able to present a proposal soon.


What someone posted a day ago about "/" homograph attacks has meant that one thing we plan to do is have a short number of characters which are completely forbidden in IDN domains at any level - in that, mozilla.org products would refuse to recognise IDNs containing them.

My initial list includes the homographs of ":", ".", "/" and probably "\" too, plus all the space characters.

Of course, there may be some good reason why this doesn't fly.

Gerv

P.S. Of course, the slash homograph attack wouldn't fool the Firefox SSL domain security indicator anyway, which would still display the entire domain, fake slashes and all.
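
The client-side check proposed in this message, sketched as an added example (not code from the message or from mozilla.org): decode each label of a hostname, ACE labels included, and refuse the name if any label contains a lookalike of ":", ".", "/" or "\", or any space character. The denylist entries and the function names are assumptions chosen for illustration.

```python
import unicodedata

# Assumed, illustrative denylist of delimiter lookalikes (constructed for
# this example; not the list any browser actually ships).
DELIMITER_LOOKALIKES = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
    "\u2216": "\\",  # SET MINUS
    "\uff3c": "\\",  # FULLWIDTH REVERSE SOLIDUS
    "\u2236": ":",   # RATIO
    "\uff1a": ":",   # FULLWIDTH COLON
    "\u2024": ".",   # ONE DOT LEADER
    "\u3002": ".",   # IDEOGRAPHIC FULL STOP
    "\uff0e": ".",   # FULLWIDTH FULL STOP
}
SPACE_CATEGORIES = {"Zs", "Zl", "Zp"}  # Unicode space/line/paragraph separators


def decode_label(label):
    """Return the Unicode form of one label, decoding ACE ("xn--") labels."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def forbidden_chars(hostname):
    """Return (label_index, code_point, reason) for each forbidden character."""
    hits = []
    for index, raw in enumerate(hostname.split(".")):
        try:
            label = decode_label(raw)
        except UnicodeError:
            # An ACE label that does not decode cannot be vetted; refuse it.
            hits.append((index, None, "undecodable ACE label"))
            continue
        for ch in label:
            code_point = f"U+{ord(ch):04X}"
            if ch in DELIMITER_LOOKALIKES:
                reason = f"looks like {DELIMITER_LOOKALIKES[ch]!r}"
                hits.append((index, code_point, reason))
            elif unicodedata.category(ch) in SPACE_CATEGORIES:
                hits.append((index, code_point, "space character"))
    return hits


def is_acceptable(hostname):
    """True only if no label at any level contains a forbidden character."""
    return not forbidden_chars(hostname)
```

Because the check runs on the decoded form, a forbidden character is caught whether the name arrives as Unicode or as an "xn--" label.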