Re: IDN security violation? Please comment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi John,
    
    
    --On Tuesday, 08 February, 2005 13:41 +0100 Jaap Akkerhuis
    <jaap@xxxxxxxxxxxx> wrote:
    
    >     May be IDN specialists will want to comment this.
    >     http://www.shmoo.com/idn/homograph.txt
    > 
    > This is nothing new, analog to YAHOO.COM and YAH00.COM.
    
    Well, it is a little worse because there are tools that make
    detection of the YAH00.COM problem and its relatives pretty easy
    and those tools are widely understood.  For example, forcing
    those domain names to lower case makes them very distinguishable
    (yahoo.com and yah00.com) are pretty clearly different) and
    using fonts that make zeros and "o"s, ones and "l"s, etc.,
    clearly different helps a lot too.

And for me personally this is not really new, because I have been
following the IDN debate from the beginning and seen the problems
of mixed scripts on other occasions.

The principle is not really new. And yes, it is a matter of tools
fonts, etc. The example at my machine displays quite different (in
than on the of a co-worker next to me (same operating system,
freeBSD; same browser (firefox)).  I just happen to have cyrillic
fonts installed.

    
    With IDNs, the simple fact that there are tens of thousands of
    characters with which one can try to create confusion, rather
    than 37 or so, means there are going to be more "opportunities".
    What is more important, perhaps, is that we just don't have the
    experience with the design of user interfaces that make problem
    detection easy.   For example, the moment I touched the Firefox
    cursor to the examples at the examples at
    http://www.shmoo.com/idn/, I realized that I really wanted to
    see the punycode in the status line as well as the "native
    character" rendering.  That hadn't occurred to me before,
    despite having been thinking about the problems long enough to
    have had precisely this Roman-A versus Cyrillic-A example on a
    slide in a talk I gave in March of 2001.

We are likely in violent agreement. I've been using cyrillic
characters looking like Latin ones in my slides as well as examples.
And when I explained my co-worker what was going on, he also wanted
to see the punycode.
    
    There have been other suggestions along the line that would help
    although the community (with some notable exceptions) hasn't
    been good at deploying them and the IETF decided (perhaps
    appropriately, perhaps not) that they were someone else's
    problem.  For example, Mark Davis made a suggestion early on
    that registration of labels containing mixed scripts be
    prohibited.

That's what the polish registry does on the moment. Although it
isn't 100%

    If that had been done in the relevant zone, this
    particular attack would have been impossible.  A corollary to
    his suggestion might be a warning message from software that
    interfaces with users that would flag mixed-script labels and
    put up warnings.

But still, with some characters of one script looking like other
ones, it is still a possible ``phishing style'' attack. It will
lower the chance that one can make up something meaningfull.
    
    Just as with the YAH00.COM case, no single measure is going to
    "fix" or prevent the various problems we can encounter with
    IDNs.  But a combination of some thinking, good policies,
    adapting tools on the basis of experience, and the level of user
    vigilance that seems a requirement for being attached to the
    Internet at all these days ought to permit us to use IDNs at
    risk comparable to that for LDH-style ASCII names.

Agreed. One of the things that had been proposed was ``bundeling''.
That would help a bit in this case (although I can imagine court
cases disputing whether the bundeling was done properly).
    
    I can only hope that our colleagues at Mozilla will rapidly
    supercede their apparent advice to disable IDNs --advice that
    seems to me to be equivalent to "you should be happy just using
    English"-- with patches or extensions that enable punycode
    display in addition to native-script display in the status line
    and that they consider warnings about mixed-script labels.
    And, while I am engaging in hope, I hope that the other
    browser-producing teams will get with the program: The IESG has
    warned, I have warned, Mark has warned, and innumerable others
    have warned, that a compliant implementation of IDNA is _not_
    sufficient for a competent implementation of IDNs.  This
    particular problem, however exciting, is just another example of
    that general principle.
    
In full agreement here,

	jaap

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]