[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [idn] iDNS transition: end-system vs. infrastructure?
- To: <idn@ops.ietf.org>
- Subject: RE: [idn] iDNS transition: end-system vs. infrastructure?
- From: tale@nominum.com (David C Lawrence)
- Date: Tue, 15 May 2001 01:38:11 -0400 (EDT)
- Delivery-date: Mon, 14 May 2001 22:39:32 -0700
- Envelope-to: idn-data@psg.com
Russ Rolfe writes:
> could someone kindly post a simple list of the reasons they feel
> "Just do pure UTF-8" is *not* a valid alternative.
Besides the other reasons already mentioned, there is the issues that
the security risk is greatly increased that someone can spoof domain
names. Just craft a string in some character set or encoding other
than UTF-8 that can be interpreted as valid UTF-8, then trick people
with non-aware clients into sending the binary name as a DNS request.
Take for example a bad guy who sends a KOI-8 email to victim that has
a link within it to {TSE}{IO}.ru, perhaps the web site of a well-known
company. Victim's legacy browser requests {TSE}{IO}.ru, but it is
interpreted as UTF-8, so he gets back the address for
{LATIN SMALL LETTER O WITH ACUTE}.ru -- the bad guy's sham site.
This admittedly takes some special circumstances (I am not suggesting
that every IDN would be spoofable this way) but with all of the
permutations of non-UTF-8 and millions of IDNs, there will surely be
plenty of opportunity for either accidental or intentional
misdirection to happen.
This does not rule out UTF-8, it only rules out the "Just Send" part.
There must be some way for a program to indicate that it is aware of
the rules surrounding the use of binary goop as a DNS name.