Re: [idn] Mac OS X Safari and IDN spoofing
Opera addressed the IDN spoofing issue with a number of changes:
In 8.0 beta 2, they introduced a whitelist of TLDs that they consider
safe because they appear to have good policies in place: no, jp, de, se,
kr, tw, cn, at, dk, ch, and li. TLDs not on this list have their domain
labels checked for characters outside Latin-1 (ISO 8859-1, Unicodes up
to U+00FF). If there are characters outside Latin-1, the label is
displayed in Punycode.

In 8.0 beta 3, they added hu and museum to the TLD whitelist, and they
allowed the user to switch to a blacklist using the tilde (~), e.g.
~:com:tw:. The character checking now allows a single script or specific
script combinations in each domain label or sublabel, separated by dot
(.) and hyphen (-). This allows e.g. xml-ccccccc where xml is ASCII and
cccccc is the Russian word for "documents" in Cyrillic (I think).

I have added links to Opera's 8.0 beta 2 and 3 release notes and IDN
Security Advisory to my Related Work section:
http://nameprep.org/#related-work

Another idea that I mentioned a while ago in a couple of forums is to
check for characters used in the user's languages, which can be found in
the browser localization and HTTP Accept-Language list. There are many
different ways to display these labels, e.g. Punycode for labels with
characters outside the user's languages. Another idea is to use pale
green for characters in the user's main language, pale yellow for those
in the user's secondary languages, and pale red for characters outside
those languages. These colors are based on traffic lights.

James Seng wrote:
> now, do we want to standard "this" or do we want apps people to continue
> to evolve the mechanism to deal with spoofing? i prefer the latter.

I agree that the IETF should not standardize these types of UI policies,
though it might be a good idea to have some recommendations in an
informative appendix or something.

However, the IETF may wish to consider standardizing a limited set of
characters in IDN. For example, we may wish to extend RFC 952's host
name rules (LDH = Letters, Digits and Hyphen) to a Unicode equivalent,
thereby disallowing such characters as the slash homographs (e.g. math
symbol for division).

As I wrote this email, Mark Davis sent a very relevant email to the
Unicode list:
http://www.unicode.org/mail-arch/
Click the first link, user unicode-ml, password unicode.

Erik
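A simplified model of the Opera 8.0 beta 2 and beta 3 display rules described in the message above, as an added example in Python (not Opera's code and not part of the original thread). The script ranges, the allowed script combinations, and the treatment of digits as script-neutral are assumptions made for the demo; the TLD whitelist is the beta 3 list from the message.

```python
# Added example (not Opera's code): a simplified model of the Opera 8.0 beta 2/3
# IDN display policy. Script ranges and allowed script mixes are assumptions.
# TLDs Opera whitelisted as having good registration policies (beta 3 list).
SAFE_TLDS = {"no", "jp", "de", "se", "kr", "tw", "cn", "at", "dk", "ch", "li", "hu", "museum"}
# Minimal script table (assumption): enough to classify the characters in the demo.
SCRIPT_RANGES = [
    ("Latin", 0x0041, 0x005A), ("Latin", 0x0061, 0x007A), ("Latin", 0x00C0, 0x024F),
    ("Greek", 0x0370, 0x03FF), ("Cyrillic", 0x0400, 0x04FF),
    ("Hiragana", 0x3040, 0x309F), ("Katakana", 0x30A0, 0x30FF), ("Han", 0x4E00, 0x9FFF),
]
# Script mixes tolerated inside one sublabel (assumption: the Japanese CJK mix).
ALLOWED_COMBINATIONS = [{"Han", "Hiragana", "Katakana"}]

def script_of(ch):
    """Return the script name of a character, None for digits, 'Unknown' otherwise."""
    if ch.isdigit():
        return None  # digits are treated as script-neutral
    for name, lo, hi in SCRIPT_RANGES:
        if lo <= ord(ch) <= hi:
            return name
    return "Unknown"  # symbols such as U+2215 DIVISION SLASH land here

def beta2_label_ok(label):
    """Beta 2 rule: every character must be within Latin-1 (U+0000..U+00FF)."""
    return all(ord(ch) <= 0xFF for ch in label)

def beta3_label_ok(label):
    """Beta 3 rule: each hyphen-separated sublabel is one script or an allowed mix."""
    for sub in filter(None, label.split("-")):
        scripts = {s for s in map(script_of, sub) if s is not None}
        if "Unknown" in scripts:
            return False
        if len(scripts) > 1 and not any(scripts <= c for c in ALLOWED_COMBINATIONS):
            return False
    return True

def display_hostname(host, policy="beta3"):
    """Render each label as Unicode if it passes the policy, else in Punycode (xn--)."""
    labels = host.lower().split(".")
    check = beta2_label_ok if policy == "beta2" else beta3_label_ok
    shown = []
    for label in labels:
        # Whitelisted TLDs skip the check entirely, as Opera's policy did.
        if label.isascii() or labels[-1] in SAFE_TLDS or check(label):
            shown.append(label)
        else:
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(shown)
```

Under the beta 3 rule, "xml-документы" is shown in Unicode because each hyphen-separated sublabel is a single script, whereas under the beta 2 rule it falls back to Punycode because the Cyrillic part lies outside Latin-1.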