Bugtraq mailing list archives
Re: Thoughts and a possible solution on homograph attacks
From: Riccardo Murri <murri () dmmm uniroma1 it>
Date: Tue, 15 Mar 2005 12:27:09 +0100
[Paul Smith, Fri, Mar 11, 2005 at 10:42:47AM +0000]
My proposal would be: 1) IDNs only allowed on ccTLDs (not gTLDs). After all , the whole point of IDNs is to have a domain name in the locally readable script to target people within your own region/nation/etc. gTLDs are to have domains to target people globally. I see no purpose (other than vanity) to having an IDN in a gTLD . 2) IDNs should only be allowed to consist of a single character set - be that Latin, Western European, Japanese, Cyrillic etc. 3) A ccTLD should only allow IDNs in their local character set(s). So, you couldn't have a cyrillic IDN on a .us domain, and you couldn't have a greek IDN on a .ru domain. (4) A domain registry's DRS system should take into account homograph/pseudograph attacks. (5) Possibly any domains containing only characters which are graphically equivalent to latin characters should not be allowed, but I'm not sure of this one.
I would rather suggest that the string comparison function used in IDN takes "homograph caracters"[1] into account: just like the current DNS considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" == "GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars. A true fix in this way cannot be implemented browser-side, but rather in the IDN implementation; still, one can make the browser put the IDN names in a *canonical form* using this equivalence relation: that is, "CYRILLIC SMALL LETTER a" in a hostname is always sent on the wire as a "LATIN SMALL LETTER a". Riccardo [1] or whatever the correct term for these is... [2] so, the transitive closure of the (uppercase == lowercase) and the homograph equivalence relation implies for instance "LATIN CAPITAL LETTER A" == "GREEK SMAL LETTER \alpha", which are not homograph, but I see less harm in this than in the current IDN. -- Riccardo Murri EGRID Project The Abdus Salam ICTP Strada Costiera, 11 34016 Trieste Italy email: riccardo.murri () ictp it phone: +39 040-2240-542 fax: +39 040-224531
Current thread:
- Re: thoughts and a possible solution on homograph attacks, (continued)
- Re: thoughts and a possible solution on homograph attacks Denis Jedig (Mar 08)
- Re: thoughts and a possible solution on homograph attacks James Youngman (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Thomas Wana (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Benjamin Franz (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- RE: thoughts and a possible solution on homograph attacks Scovetta, Michael V (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Mike Nice (Mar 08)
- Re: houghts and a possible solution on homograph attacks Sven Putteneers (Mar 08)
- Re: houghts and a possible solution on homograph attacks Nick FitzGerald (Mar 10)
- Re: Thoughts and a possible solution on homograph attacks Paul Smith (Mar 12)
- Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 15)
- Re: Thoughts and a possible solution on homograph attacks Valdis . Kletnieks (Mar 15)
- Re: Thoughts and a possible solution on homograph attacks khockenb (Mar 16)
- Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 16)
- Re: Thoughts and a possible solution on homograph attacks Nick FitzGerald (Mar 22)