Mozilla Implements TLD Whitelist for Firefox in Response to IDN Homographs Spoofing
Not sure if anyone has seen this, or not...

Via CircleID:

[snip]

Mozilla Foundation has announced changes to Firefox concerning Internationalized Domain Names (IDN) to deal with homograph spoofing attacks. According to the organization, "Mozilla Foundation products now only display IDNs in a whitelist of TLDs, which have policies stating what characters are permitted, and procedures for making sure that no homographic domains are registered to two different entities."

[snip]

http://www.circleid.com/article/1148_0_1_0_C/

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Wed, Jul 27, 2005 at 01:47:14PM +0000, Fergie (Paul Ferguson) wrote:
Mozilla Foundation has announced changes to Firefox concerning Internationalized Domain Names (IDN) to deal with homograph spoofing attacks.
Does anyone else think that it's not the job of a web browser to do this? The web browser shouldn't even know about IDN details. The system's resolver library should convert non-ASCII labels to the Punycode representation when sending queries, and convert back after receiving responses! Otherwise how can all my applications support IDN?

-Phil
Phillip Vandry <vandry@TZoNE.ORG> writes:
On Wed, Jul 27, 2005 at 01:47:14PM +0000, Fergie (Paul Ferguson) wrote:
Mozilla Foundation has announced changes to Firefox concerning Internationalized Domain Names (IDN) to deal with homograph spoofing attacks.
Does anyone else think that it's not the job of a web browser to do this? The web browser shouldn't even know about IDN details. The system's resolver library should convert non-ASCII labels to the Punycode representation when sending queries, and convert back after receiving responses!
Otherwise how can all my applications support IDN?
Please read RFC 3490.

Bjørn
On Thu, Jul 28, 2005 at 03:27:58PM +0200, Bjørn Mork wrote:
Otherwise how can all my applications support IDN?
Please read RFC 3490.
Thanks for the pointer. It seems like a lot of work to do and much opportunity for it to be done inconsistently from application to application. This shim layer will have to be inserted into every application from ping on up.

But it looks like there's a library ( http://www.gnu.org/software/libidn/ ) that is quite popular, so there is hope for a single point of management where such things as this Mozilla whitelist need to be updated. The fewer headaches there are with support cases where users can't see decoded IDNs when they should or can see decoded IDNs when it might be dangerous, due to out of date whitelists, the better.

-Phil
* Phillip Vandry:
Does anyone else think that it's not the job of a web browser to do this? The web browser shouldn't even know about IDN details. The system's resolver library should convert non-ASCII labels to the Punycode representation when sending queries, and convert back after receiving responses!
Otherwise how can all my applications support IDN?
Because we currently have IDNA, and "A" stands for "applications".
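The application-side handling this thread discusses, as an added example that is not part of any message above and is not Mozilla's code: the application converts the name to its ASCII (Punycode) form for the resolver per RFC 3490, and only shows the Unicode form when the TLD is on a whitelist. It uses Python's built-in `idna` codec; the whitelist contents, the function names and the sample hostnames are constructed for illustration.

```python
# Added example: whitelist-gated display of IDNs at the application layer.
# Python's built-in "idna" codec implements RFC 3490 (IDNA 2003).

# Constructed sample data, NOT Mozilla's actual list: TLDs assumed to have
# a published policy on permitted characters and homograph registrations.
SAMPLE_TLD_WHITELIST = frozenset({"test"})


def to_ascii(hostname: str) -> str:
    """ToASCII: the form the application hands to the system resolver."""
    return hostname.encode("idna").decode("ascii")


def display_name(hostname: str, whitelist=SAMPLE_TLD_WHITELIST) -> str:
    """Return the form of `hostname` that should be shown to the user.

    The Unicode form is shown only for whitelisted TLDs. Everywhere else the
    Punycode (xn--) form is shown, so a label that mixes look-alike
    characters from another script cannot pass for a familiar name.
    """
    ace = to_ascii(hostname).lower().rstrip(".")
    tld = ace.rsplit(".", 1)[-1]
    if tld not in whitelist:
        return ace
    try:
        # ToUnicode: decode each xn-- label back to its Unicode form.
        return ace.encode("ascii").decode("idna")
    except UnicodeError:
        # Malformed Punycode: fall back to the raw ASCII form.
        return ace


if __name__ == "__main__":
    # Constructed samples; U+0430 is CYRILLIC SMALL LETTER A.
    samples = [
        "b\u00fccher.test",        # IDN under a whitelisted TLD
        "b\u00fccher.example",     # same label, TLD not whitelisted
        "p\u0430ypal.example",     # Latin/Cyrillic mix, TLD not whitelisted
        "www.example",             # plain ASCII name, unchanged
    ]
    for name in samples:
        print(f"resolver: {to_ascii(name):28} display: {display_name(name)}")
```
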
participants (4)
- Bjørn Mork
- Fergie (Paul Ferguson)
- Florian Weimer
- Phillip Vandry