[nycbug-talk] Mozilla response to IDN homograph exploit

Charles Sprickman spork
Tue Feb 15 14:49:23 EST 2005


For our OS-X using friends, I'll point this out:

http://haoli.dnsalias.com/

I've been using Saft with Safari for quite a while to get a ton of extra 
"little features".  Last update added an IDN "fix"...

Charles

On Tue, 15 Feb 2005, csnyder wrote:

> It totally sucks that Mozilla would turn IDN off rather than implement
> the logic to detect if multiple codepages were being used in the same
> url.
>
> What about Mozilla users in the rest of the world? Download an XPI
> with annoying warnings about how "dangerous" it is to use my native
> characterset is not really acceptable.
>
>> From the IDN in Applications RFC
> http://www.apps.ietf.org/rfc/rfc3490.html#sec-10 (page 20)
> To help prevent confusion between characters that are visually
> similar, it is suggested that implementations provide visual
> indications where a domain name contains multiple scripts. Such
> mechanisms can also be used to show when a name contains a mixture of
> simplified and traditional Chinese characters, or to distinguish zero
> and one from O and l. DNS zone adminstrators may impose restrictions
> (subject to the limitations in section 2) that try to minimize
> homographs.
>
> It's something they should have been doing all along, which gives
> Opera no excuse either.
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>




More information about the talk mailing list