--On Tuesday, 08 February, 2005 13:41 +0100 Jaap Akkerhuis
<jaap(_at_)NLnetLabs(_dot_)nl> wrote:
May be IDN specialists will want to comment this.
http://www.shmoo.com/idn/homograph.txt
This is nothing new, analog to YAHOO.COM and YAH00.COM.
Well, it is a little worse because there are tools that make
detection of the YAH00.COM problem and its relatives pretty easy
and those tools are widely understood. For example, forcing
those domain names to lower case makes them very distinguishable
(yahoo.com and yah00.com) are pretty clearly different) and
using fonts that make zeros and "o"s, ones and "l"s, etc.,
clearly different helps a lot too.
With IDNs, the simple fact that there are tens of thousands of
characters with which one can try to create confusion, rather
than 37 or so, means there are going to be more "opportunities".
What is more important, perhaps, is that we just don't have the
experience with the design of user interfaces that make problem
detection easy. For example, the moment I touched the Firefox
cursor to the examples at the examples at
http://www.shmoo.com/idn/, I realized that I really wanted to
see the punycode in the status line as well as the "native
character" rendering. That hadn't occurred to me before,
despite having been thinking about the problems long enough to
have had precisely this Roman-A versus Cyrillic-A example on a
slide in a talk I gave in March of 2001.
There have been other suggestions along the line that would help
although the community (with some notable exceptions) hasn't
been good at deploying them and the IETF decided (perhaps
appropriately, perhaps not) that they were someone else's
problem. For example, Mark Davis made a suggestion early on
that registration of labels containing mixed scripts be
prohibited. If that had been done in the relevant zone, this
particular attack would have been impossible. A corollary to
his suggestion might be a warning message from software that
interfaces with users that would flag mixed-script labels and
put up warnings.
Just as with the YAH00.COM case, no single measure is going to
"fix" or prevent the various problems we can encounter with
IDNs. But a combination of some thinking, good policies,
adapting tools on the basis of experience, and the level of user
vigilance that seems a requirement for being attached to the
Internet at all these days ought to permit us to use IDNs at
risk comparable to that for LDH-style ASCII names.
I can only hope that our colleagues at Mozilla will rapidly
supercede their apparent advice to disable IDNs --advice that
seems to me to be equivalent to "you should be happy just using
English"-- with patches or extensions that enable punycode
display in addition to native-script display in the status line
and that they consider warnings about mixed-script labels.
And, while I am engaging in hope, I hope that the other
browser-producing teams will get with the program: The IESG has
warned, I have warned, Mark has warned, and innumerable others
have warned, that a compliant implementation of IDNA is _not_
sufficient for a competent implementation of IDNs. This
particular problem, however exciting, is just another example of
that general principle.
john
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf