Re: [idn] upstream and downstream
Adam M. Costello wrote:
> For example, someone could register a name that looks like
> "foo.bar.com", where the first dot was really U+0702. This attack
> would be equally effective no matter what larger structure (URI, email
> address, etc) the domain name appeared in.
I may be missing something, but I think this cannot be registered:
>>> u"foo\u0702bar.com".encode("idna")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/local/lib/python2.5/encodings/idna.py", line 160, in encode
    result.append(ToASCII(label))
  File "/usr/local/lib/python2.5/encodings/idna.py", line 75, in ToASCII
    label = nameprep(label)
  File "/usr/local/lib/python2.5/encodings/idna.py", line 50, in nameprep
    raise UnicodeError, "Violation of BIDI requirement 2"
UnicodeError: Violation of BIDI requirement 2
So unless my IDNA implementation is incorrect, this label is banned.
Clients should reject it, but if they fail to, at least the registry
should reject registration.
> On second thought, the "." homograph attack is less severe than the "/"
> homograph attack. The former only allows the attacker to spoof names
> in the same domain that the attacker is registered in;
> I can't follow this reasoning, either: *if* foo.bar.com was possible,
I can't follow this reasoning, either: *if* foo.bar.com was possible,
then I choose foo=www, bar=microsoft, and put an A record for the
resulting label into DNS. The label would *not* be in the domain
microsoft.com.
Regards,
Martin
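The two points above, that nameprep rejects the label and that the fake dot does not create a new label at all, can both be checked with a small validator. This is an added example, not code from the thread; it uses Python 3's built-in `idna` codec (the same RFC 3490 nameprep checks the traceback above comes from), and the helper names `check_domain` and `non_ascii_points` are made up here.

```python
import re
import unicodedata

# The only code points IDNA2003 (RFC 3490) treats as label separators.
# Any other dot-like character, U+0702 included, stays inside a label.
IDNA_DOTS = re.compile("[\u002E\u3002\uFF0E\uFF61]")


def check_domain(name):
    """Split NAME the way IDNA does and run nameprep on every label.

    Returns the labels IDNA actually sees, the ASCII form if the name is
    acceptable, and the rejection reason otherwise.
    """
    report = {"labels": IDNA_DOTS.split(name), "ascii": None, "reason": None}
    try:
        # The idna codec runs nameprep (mapping, normalisation, prohibited
        # character and bidi checks) on each non-ASCII label before punycode.
        report["ascii"] = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        report["reason"] = str(exc)
    return report


def non_ascii_points(name):
    """List every non-ASCII code point with its Unicode name, so a reviewer
    can see what the apparent 'dots' in a candidate name really are."""
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for c in name if ord(c) > 0x7F]


if __name__ == "__main__":
    # Constructed candidates: a plain name and the two spoofs from the thread.
    for candidate in ("bar.com", "foo\u0702bar.com", "www\u0702microsoft.com"):
        r = check_domain(candidate)
        print(candidate.encode("unicode_escape").decode(),
              "labels=%d" % len(r["labels"]),
              r["ascii"] or "REJECTED: " + r["reason"],
              non_ascii_points(candidate))
```

The spoofed names come back with two labels, not three, which is Martin's point that the result would be a single second-level label under .com rather than anything under bar.com.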