[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] quick & dirty (but not too dirty) homograph defense

To: Erik van der Poel <erik@vanderpoel.org>
Subject: Re: [idn] quick & dirty (but not too dirty) homograph defense
From: John C Klensin <klensin@jck.com>
Date: Tue, 22 Feb 2005 00:53:29 -0500
Cc: "Martin v. Löwis" <martin@v.loewis.de>, tedd <tedd@sperling.com>, idn@ops.ietf.org
In-reply-to: <421A792B.2050207@vanderpoel.org>
References: <200502201529.j1KFTKdU091474@bartok.nlnetlabs.nl> <4218BC15.8060208@vanderpoel.org> <p06210205be3e762b5c0a@[192.168.0.101]> <42191083.7040601@v.loewis.de> <EBFF51D5FFF2C7AF17DDF727@scan.jck.com> <421A792B.2050207@vanderpoel.org>

--On Monday, 21 February, 2005 16:13 -0800 Erik van der Poel
<erik@vanderpoel.org> wrote:

> John,
> 
> I'm probably missing something, but if the apps are not
> currently warning the user when characters from blocks that
> ought to be banned appear, then people and/or tools may be
> generating references (e.g. HTML documents) to those
> characters, without realizing that those characters are being
> mapped to some other base characters, which then work OK in
> the DNS lookup.

You are, of course, correct.  While warning others to think
about things from the user and content-generator side of things
rather than the registrar/registry side, I made a similar
mistake that probably leads to an incorrect conclusion.  My
assumption was that those who registered names and constructed
links would end up with the domain names in those links that
were equivalent of
ToUnicode(ToASCII(whatever-was-submitted-for-registration),
i.e., base characters only.  That would certainly be the result
of a number of the processes for obtaining those links that
crossed my mind.  But you are quite right, nothing requires it
and references could be constructed using non-base characters.
For languages with clear case distinctions, one would actually
predict that it would occur: just as the owner of
coolhotjunk.xyz might prefer to have it in the DNS and
references as CoolHotJunk.xyz, I'd expect funny mixed case
strings in IDNs which, under IDNA, would of course go into the
DNS as the punycode encoding of the lowercase-only form.

> Maybe it is unlikely that a lot of such references would come
> to exist, and it wouldn't be such a burden to the user of a
> new app to see the occasional error e.g. when they click on
> such a link.
> 
> But how do you determine how many HTML documents contain bad
> characters in their links, and how do you decide that that
> number is low enough to make such a change to the spec?
> 
> So I'm wondering if you would really be able to state that
> such a change "would largely impact what can be registered".
> How do you know that such a change does not also impact the
> users of new clients accessing existing documents?
> 
> Oh wait, I know! Just get Google to do a survey in their cache?

:-(

Mumble.  What a mess.
    john

References:
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: Jaap Akkerhuis <jaap@NLnetLabs.nl>
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: Erik van der Poel <erik@vanderpoel.org>
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: tedd <tedd@sperling.com>
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: "Martin v. Löwis" <martin@v.loewis.de>
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: John C Klensin <klensin@jck.com>
- Re: [idn] quick & dirty (but not too dirty) homograph defense
  - From: Erik van der Poel <erik@vanderpoel.org>

Prev by Date: [idn] nameprep, IDN spoofing and the registries
Next by Date: Re: [idn] quick & dirty (but not too dirty) homograph defense
Previous by thread: Re: [idn] quick & dirty (but not too dirty) homograph defense
Next by thread: Re: [idn] quick & dirty (but not too dirty) homograph defense
Index(es):
- Date
- Thread