[nycbug-talk] Mozilla response to IDN homograph exploit

Bob Ippolito bob
Tue Feb 15 15:03:30 EST 2005


On Feb 15, 2005, at 14:49, Charles Sprickman wrote:

> On Tue, 15 Feb 2005, csnyder wrote:
>
>> It totally sucks that Mozilla would turn IDN off rather than implement
>> the logic to detect if multiple codepages were being used in the same
>> url.
>>
>> What about Mozilla users in the rest of the world? Downloading an XPI
>> with annoying warnings about how "dangerous" it is to use my native
>> character set is not really acceptable.
>>
>> From the IDN in Applications RFC
>> http://www.apps.ietf.org/rfc/rfc3490.html#sec-10 (page 20)
>> To help prevent confusion between characters that are visually
>> similar, it is suggested that implementations provide visual
>> indications where a domain name contains multiple scripts. Such
>> mechanisms can also be used to show when a name contains a mixture of
>> simplified and traditional Chinese characters, or to distinguish zero
>> and one from O and l. DNS zone administrators may impose restrictions
>> (subject to the limitations in section 2) that try to minimize
>> homographs.
>>
>> It's something they should have been doing all along, which gives
>> Opera no excuse either.
> For our OS-X using friends, I'll point this out:
>
> http://haoli.dnsalias.com/
>
> I've been using Saft with Safari for quite a while to get a ton of 
> extra "little features".  Last update added an IDN "fix"...

The kind of IDN spoofing defense that IDNSnitch and Saft implement is 
only very marginally better than just denying all IDN hosts.  It's very 
anglocentric and distrusts every IDN host, regardless of whether it 
contains mixed scripts or any known homographs.  So far, I don't 
believe that anyone has implemented the recommended approach -- 
certainly not for Safari, anyway.

-bob
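As an added example (not from Bob's message, nor from Saft, IDNSnitch or any browser), a small Python check implementing the RFC 3490 section 10 suggestion the thread refers to: decode each label of a hostname and flag the label when it mixes scripts, rather than distrusting every IDN host. It approximates the Unicode Script property with the first word of each character's Unicode name, since the standard library does not expose script data; the sample hostnames are constructed.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script tag for one character, taken from the first word of its
    Unicode name (LATIN, CYRILLIC, GREEK, CJK, HIRAGANA, ...). This is a
    heuristic stand-in for the Unicode Script property, which the standard
    library does not expose. Digits and the hyphen are script-neutral (COMMON)."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "COMMON" if first in ("DIGIT", "HYPHEN-MINUS") else first


def to_unicode_label(label: str) -> str:
    """Decode a punycode A-label (xn--...) to its Unicode form using the
    stdlib idna codec; any other label is returned unchanged."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def check_hostname(host: str) -> list:
    """Per label: the Unicode form, the non-COMMON scripts it uses, and whether
    it mixes more than one of them. A mixed label is what RFC 3490 section 10
    suggests the application should visibly flag to the user."""
    report = []
    for raw in host.rstrip(".").split("."):
        label = to_unicode_label(raw)
        scripts = {script_of(c) for c in label} - {"COMMON"}
        report.append({"label": label, "scripts": sorted(scripts),
                       "mixed": len(scripts) > 1})
    return report


def is_suspicious(host: str) -> bool:
    """True when any label of the hostname mixes scripts."""
    return any(entry["mixed"] for entry in check_hostname(host))


# Constructed samples: plain ASCII, the same name with Cyrillic U+0430 in
# place of Latin "a" (as U-label and as A-label), and a single-script CJK host.
SAMPLES = [
    "www.paypal.com",
    "www.p\u0430ypal.com",
    "www.xn--pypal-4ve.com",
    "\u4e2d\u56fd.cn",
]

if __name__ == "__main__":
    for host in SAMPLES:
        verdict = "MIXED SCRIPT" if is_suspicious(host) else "ok"
        print(f"{host}: {verdict} {check_hostname(host)}")
```

The single-script CJK host passes untouched, which is exactly the case the blanket "distrust all IDN" approach gets wrong.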
