[nycbug-talk] Mozilla response to IDN homograph exploit
Bob Ippolito
bob
Tue Feb 15 00:20:04 EST 2005
As a follow-up to the Shmoo IDN exploit, Mozilla is going to set IDN to
false by default (as of Firefox 1.0.1, and Mozilla 1.8 beta):
http://weblogs.mozillazine.org/gerv/archives/007556.html
One of the authors of the IDN standard brings to attention that
although it is the registrar's responsibility to handle this issue,
there are more elegant solutions than just turning it off:
http://lookit.proper.com/archives/000302.html
The Unicode Consortium also has an early draft of their technical
report on this and related issues:
http://unicode.org/reports/tr36/
So far, it does not seem like anyone has implemented a "nice" version
of IDN awareness, though I might take a whack at it later this week if
I find the time. The hardest part is just designing the UI; looking up
the block that a particular code point resides in is pretty trivial
actually, though you would have to parse the relevant section of the
UCD <http://www.unicode.org/Public/UNIDATA/Blocks.txt>.
-bob
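
An added example, not part of the original post: one way to do the block lookup the message describes, by parsing text in the Blocks.txt format and reporting which blocks an IDN label draws from. The function names (`parse_blocks`, `block_of`, `label_blocks`) are hypothetical, the embedded excerpt stands in for the full file, and the sample label in the usage is constructed.

```python
import bisect
import re

# Excerpt in the UCD Blocks.txt format ("start..end; name"), embedded so the
# example runs offline; the real file lists every block.
BLOCKS_TXT = """\
# Blocks.txt excerpt
0000..007F; Basic Latin
0080..00FF; Latin-1 Supplement
0370..03FF; Greek and Coptic
0400..04FF; Cyrillic
"""

_LINE = re.compile(r"^([0-9A-Fa-f]{4,6})\.\.([0-9A-Fa-f]{4,6});\s*(.+?)\s*$")

def parse_blocks(text):
    """Return a sorted list of (start, end, name) parsed from Blocks.txt text."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        blocks.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(blocks)

def block_of(cp, blocks):
    """Binary-search the block containing code point cp, else 'No_Block'."""
    i = bisect.bisect_right(blocks, (cp, 0x110000, "")) - 1
    if i >= 0 and blocks[i][0] <= cp <= blocks[i][1]:
        return blocks[i][2]
    return "No_Block"

def label_blocks(label, blocks):
    """Decode an ACE ('xn--') label if needed; list the blocks it uses, in order."""
    if label.lower().startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    seen = []
    for ch in label:
        name = block_of(ord(ch), blocks)
        if name not in seen:
            seen.append(name)
    return label, seen
```

A label that comes back with more than one block, such as Basic Latin plus Cyrillic, is the case a UI would want to surface. Blocks are not scripts, so an accented Latin label also spans two blocks (Basic Latin and Latin-1 Supplement) and the display policy has to allow for that.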