Bugtraq mailing list archives

Re: Thoughts and a possible solution on homograph attacks

From: Riccardo Murri <murri () dmmm uniroma1 it>
Date: Tue, 15 Mar 2005 12:27:09 +0100

[Paul Smith, Fri, Mar 11, 2005 at 10:42:47AM +0000]

My proposal would be:

1) IDNs only allowed on ccTLDs (not gTLDs). After all , the whole point of 
IDNs is to have a domain name in the locally readable script to target 
people within your own region/nation/etc. gTLDs are to have domains to 
target people globally. I see no purpose (other than vanity) to having an 
IDN in a gTLD .

2) IDNs should only be allowed to consist of a single character set - be 
that Latin, Western European, Japanese, Cyrillic etc.

3) A ccTLD should only allow IDNs in their local character set(s). So, you 
couldn't have a cyrillic IDN on a .us domain, and you couldn't have a greek 
IDN on a .ru domain.

(4) A domain registry's DRS system should take into account 
homograph/pseudograph attacks.

(5) Possibly any domains containing only characters which are graphically 
equivalent to latin characters should not be allowed, but I'm not sure of 
this one.


I would rather suggest that the string comparison function used in IDN
takes "homograph caracters"[1] into account: just like the current DNS
considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER
a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" ==
"GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars.

A true fix in this way cannot be implemented browser-side, but rather
in the IDN implementation; still, one can make the browser put the IDN
names in a *canonical form* using this equivalence relation: that is,
"CYRILLIC SMALL LETTER a" in a hostname is always sent on the wire as
a "LATIN SMALL LETTER a".

Riccardo


[1] or whatever the correct term for these is...

[2] so, the transitive closure of the (uppercase == lowercase) and the
homograph equivalence relation implies for instance "LATIN CAPITAL
LETTER A" == "GREEK SMAL LETTER \alpha", which are not homograph, but
I see less harm in this than in the current IDN.

-- 
Riccardo Murri
EGRID Project
The Abdus Salam ICTP

Strada Costiera, 11
34016 Trieste
Italy

email: riccardo.murri () ictp it
phone: +39 040-2240-542
fax:   +39 040-224531

Current thread:

Re: thoughts and a possible solution on homograph attacks, (continued)
- - Re: thoughts and a possible solution on homograph attacks Denis Jedig (Mar 08)
- Re: thoughts and a possible solution on homograph attacks James Youngman (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Thomas Wana (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Benjamin Franz (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- RE: thoughts and a possible solution on homograph attacks Scovetta, Michael V (Mar 07)
  - Re: thoughts and a possible solution on homograph attacks Mike Nice (Mar 08)
  - Re: houghts and a possible solution on homograph attacks Sven Putteneers (Mar 08)
    - Re: houghts and a possible solution on homograph attacks Nick FitzGerald (Mar 10)
    - Re: Thoughts and a possible solution on homograph attacks Paul Smith (Mar 12)
    - Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 15)
    - Re: Thoughts and a possible solution on homograph attacks Valdis . Kletnieks (Mar 15)
    - Re: Thoughts and a possible solution on homograph attacks khockenb (Mar 16)
    - Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 16)
- Re: Thoughts and a possible solution on homograph attacks Duncan Simpson (Mar 21)
  - Re: Thoughts and a possible solution on homograph attacks Nick FitzGerald (Mar 22)