[nycbug-talk] Mozilla response to IDN homograph exploit

csnyder chsnyder
Tue Feb 15 10:18:54 EST 2005


It totally sucks that Mozilla would turn IDN off rather than implement
the logic to detect if multiple codepages were being used in the same
url.

What about Mozilla users in the rest of the world? Downloading an XPI
with annoying warnings about how "dangerous" it is to use my native
character set is not really acceptable.

From the IDN in Applications RFC,
http://www.apps.ietf.org/rfc/rfc3490.html#sec-10 (page 20):
To help prevent confusion between characters that are visually
similar, it is suggested that implementations provide visual
indications where a domain name contains multiple scripts. Such
mechanisms can also be used to show when a name contains a mixture of
simplified and traditional Chinese characters, or to distinguish zero
and one from O and l. DNS zone administrators may impose restrictions
(subject to the limitations in section 2) that try to minimize
homographs.

It's something they should have been doing all along, which gives
Opera no excuse either.
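As an added illustration, not part of the original message or of any Mozilla code, here is a small Python check for the logic the post asks for: flag domain labels that draw letters from more than one script, and show such hosts in their Punycode form instead of the lookalike Unicode form. It relies on Python's built-in idna codec (RFC 3490) and approximates each character's script from its Unicode character name, since Python exposes no Script property; the sample hosts are constructed.

```python
import unicodedata

# Hostname characters that belong to no script and never count as "mixing".
NEUTRAL = set("0123456789-.")

def script_of(ch: str) -> str:
    """Approximate script from the first word of the Unicode name:
    'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    if ch in NEUTRAL:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def to_unicode(host: str) -> str:
    """Decode xn-- (Punycode) labels so the check sees what the user sees."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host

def mixed_script_labels(host: str) -> list:
    """Return every label of host whose letters come from more than one script.
    A production policy would additionally allow known-good combinations
    (e.g. Han + Hiragana + Katakana for Japanese); this minimal check does not."""
    flagged = []
    for label in to_unicode(host).split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged

def safe_display(host: str) -> str:
    """Location-bar rendering: Unicode when every label is single-script,
    otherwise the raw Punycode form so the lookalike label is visible."""
    uni = to_unicode(host)
    if mixed_script_labels(uni):
        return uni.encode("idna").decode("ascii")
    return uni

if __name__ == "__main__":
    # Constructed samples: genuine "paypal", the Cyrillic-a lookalike, and a
    # legitimately all-Cyrillic name that must NOT be flagged.
    for h in ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com",
              "\u043f\u0440\u0438\u043c\u0435\u0440.com"]:
        print(f"{h!r:32} mixed={mixed_script_labels(h)!r:16} show={safe_display(h)!r}")
```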
