[nycbug-talk] Mozilla response to IDN homograph exploit
Bob Ippolito
bob
Tue Feb 15 16:24:32 EST 2005
On Feb 15, 2005, at 16:04, Charles Sprickman wrote:
> On Tue, 15 Feb 2005, Bob Ippolito wrote:
>
>> The kind of IDN spoofing defense that IDNSnitch and Saft implement is
>> only very marginally better than just denying all IDN hosts. It's
>> very anglocentric and distrusts every IDN host, regardless of whether
>> it contains mixed scripts or any known homographs.
>
> Surprising since the author comes from a place where they use "funny
> symbols" when they type. :)
Yeah, but not many. He lives in Stockholm, not Beijing :)
>> So far, I don't believe that anyone has implemented the recommended
>> approach -- certainly not for Safari, anyway.
>
> That's understandable considering Saft is just an "add on" and not a
> different browser built around WebKit. I'm sure that an update will
> follow from Apple in the next few weeks. I haven't seen anything in
> my ADC account yet, but I'm watching...
That's no excuse; the amount of black magic integration involved in
doing "nice" IDN spoof detection and doing an ugly hack like this is
precisely the same. The difference is probably about two hours' worth
of work (but not Safari hacking, just extra IDN-related code on top of
the hook he is already using). Adding a graphical notice in the URL
bar rather than using a pop-up would probably be another two hours, not
because it's hard, but because *that* would require some more Safari
hacking. I would expect that it's worth his time since he's selling
this thing.
-bob
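An added example, not code from this thread or from IDNSnitch/Saft, of the per-label check Bob describes: decode each IDN label and flag it only when it mixes scripts or consists entirely of known Latin look-alikes, instead of distrusting every IDN host. The script heuristic taken from Unicode character names and the small homograph table are assumptions made for illustration.

```python
import unicodedata

# Constructed table of Cyrillic letters that render like Latin letters; a
# real deployment would use a fuller confusables list (assumption).
KNOWN_HOMOGRAPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}
# Characters legitimately shared by every script in a hostname label.
COMMON = set("0123456789-")

def script_of(ch):
    """Rough script of a character from the first word of its Unicode
    name (heuristic: the stdlib exposes no Unicode Script property)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_unicode(label):
    """Decode an A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label

def check_label(label):
    """Return (u_label, findings); an empty findings list means no concern."""
    u = to_unicode(label)
    findings = []
    letters = [c for c in u if c not in COMMON]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    lookalikes = [c for c in letters if c in KNOWN_HOMOGRAPHS]
    # A label made only of Latin look-alikes is indistinguishable on screen
    # from an ASCII name; a genuine Cyrillic word normally also contains
    # letters with no Latin twin and is left alone.
    if lookalikes and (len(scripts) > 1 or len(lookalikes) == len(letters)):
        latin = ", ".join(dict.fromkeys(KNOWN_HOMOGRAPHS[c] for c in lookalikes))
        findings.append("look-alikes of Latin: " + latin)
    return u, findings

def check_hostname(hostname):
    """Map each suspicious label (as its U-label) to its list of findings."""
    result = {}
    for label in hostname.rstrip(".").split("."):
        u, findings = check_label(label)
        if findings:
            result[u] = findings
    return result

if __name__ == "__main__":
    # Constructed sample: Latin "example" with a Cyrillic a (U+0430).
    for host in ("example.com", "ex\u0430mple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.example"):
        print(host, "->", check_hostname(host) or "ok")
```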