
Re: [idn] Re: Unicode and Security



On Feb 7, 2002, 12:22 (-0500) Elliotte Rusty Harold <elharo@metalab.unc.edu...:

> For the sake of argument, let's call the company they work at
> Microsoft, but this attack could hit most companies with a .com
> address. Let's say I register microsoft.com, only the fifth letter
> isn't a lower-case Latin o. It's actually a lower case Greek omicron.
> I then forge a believable letter from alice@microsoft.com to
> bob@microsoft.com saying "Can you please update me on your budget?"
> Bob, noticing that the e-mail appears to come from Alice, whom he
> knows and trusts, fires off a reply with his confidential
> information. Only it doesn't go to Alice. It goes to me. I can then
> reply to Bob, asking for clarification or more details. I can ask him
> to attach the latest build of his software. I can carry on a
> conversation in which Bob believes me to be Alice and spills his
> guts. This is very, very bad.
(...)
> Specifying requirements for internationalized domain names does not
> itself raise any new security issues. However, any change to the DNS
> MAY affect the security of any protocol that relies on the DNS or on
> DNS names. A thorough evaluation of those protocols for security
> concerns will be needed when they are developed. In particular, IDNs
> MUST be compatible with DNSSEC and, if multiple charsets or
> representation forms are permitted, the implications of this
> name-spoof MUST be thoroughly understood.

DNSsec is compatible with ACE-encoded IDNs. But the DNSsec keys and
signatures will be based on the ACE-encoded domain, not the native IDN
domain.

Bob will not be helped by DNSsec in your scenario. Bob has been fooled into
using another mail domain, and that is beyond the scope of DNSsec.



Mats

----------------------------------------------------------------------
Mats Dufberg <dufberg@nic-se.se>
----------------------------------------------------------------------
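The two points in the thread, that the ACE (Punycode) form is what DNSSEC signs and that a name which looks identical to a human is a different name to the resolver, can be shown concretely with Python's standard `idna` codec. The following is an added example and not code from either poster; the function names (`to_ace`, `label_scripts`, `is_mixed_script`, `assess_domain`) and the sample domain with a Greek omicron in place of the fifth letter are constructed for illustration. The mixed-script check is the kind of test a mail client or gateway can run on a sender domain before trusting it, using the script name from each letter's Unicode character name.

```python
import unicodedata

# Constructed sample data: the scenario from the thread.
LATIN_DOMAIN = "microsoft.com"
# Fifth letter replaced by U+03BF GREEK SMALL LETTER OMICRON (renders like 'o').
SPOOF_DOMAIN = "micr\u03bfsoft.com"


def to_ace(domain: str) -> str:
    """Return the ACE form of a domain (ASCII labels unchanged, others as xn--...).

    This is the wire-format name: it is what DNS resolves and what a DNSSEC
    signature covers. Two names that look alike on screen can still have
    different ACE forms.
    """
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters in one label, taken from the first
    word of each character's Unicode name (e.g. 'LATIN', 'GREEK', 'CYRILLIC').
    Digits and hyphens are not letters and are ignored.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    """True if any label of the domain mixes letters from more than one script.

    A single-script name such as a fully Greek or fully Cyrillic label is
    legitimate and passes; a label like 'micr<omicron>soft' does not.
    """
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def assess_domain(domain: str) -> dict:
    """Summarise what a relying party actually sees for a sender domain:
    the ACE name that DNS/DNSSEC operate on and whether the label mixes scripts.
    """
    ace = to_ace(domain)
    return {
        "display": domain,
        "ace": ace,
        "is_ascii": ace == domain,
        "mixed_script": is_mixed_script(domain),
    }


if __name__ == "__main__":
    for d in (LATIN_DOMAIN, SPOOF_DOMAIN):
        info = assess_domain(d)
        flag = "SUSPICIOUS" if info["mixed_script"] else "ok"
        print(f"{info['display']!r:24} -> {info['ace']:28} [{flag}]")
```

Running it shows that the spoof domain encodes to an `xn--` label while the genuine one stays `microsoft.com`: a DNSSEC-validated answer for the spoof name is perfectly valid for that name, which is exactly why validation does not help Bob. The mixed-script test flags the spoof and leaves both all-Latin and all-Greek labels alone.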