Bugtraq mailing list archives

Re: Thoughts and a possible solution on homograph attacks


From: Riccardo Murri <riccardo.murri () ictp it>
Date: Wed, 16 Mar 2005 11:02:03 +0100

[khockenb, Tue, Mar 15, 2005 at 07:10:16PM -0500]
On Tue, 15 Mar 2005, Riccardo Murri wrote:

I would rather suggest that the string comparison function used in IDN
takes "homograph characters"[1] into account: just like the current DNS
considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER
a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" ==
"GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars.

But that breaks case insensitivity for Greek, for instance (other
languages, too, I am sure).

Consider Greek letters eta and nu.

An upper case eta looks like an upper case Latin "H", but a lower
case eta looks like a lower case Latin "n".

Similarly, an uppercase nu looks like an upper case Latin "N", but a lower
case nu looks like a lower case Latin "v".

If such a system as you suggest is in place, and someone in Greece wants
the site (Greek nu).gr, they would have to have control of both N.gr and
v.gr, otherwise people who type in the wrong case would go to the wrong
site.  Now let's say a competitor comes along, and wants (Greek eta).gr.
They can get H.gr, but n.gr is already taken, since N=n.

I suppose we could get around that by making H=n=N=v(=V=H), but that would
get cohfusivg.


You're perfectly right - this equivalence relation would backfire on
ASCII-only domains too. 

Riccardo

-- 
Riccardo Murri
EGRID Project
The Abdus Salam ICTP

Strada Costiera, 11
34016 Trieste
Italy

email: riccardo.murri () ictp it
phone: +39 040-2240-542
fax:   +39 040-224531
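
The collapse discussed in this message, as an added example that is not part of the original thread: treating look-alike characters as equal, together with case-insensitivity, is an equivalence relation, so its transitive closure merges ASCII letters that plain DNS keeps distinct. The function names are hypothetical, and the only look-alike pairs used are the four Greek/Latin ones named in the message.

```python
import string

# Look-alike pairs taken from the message above (Greek letter, Latin look-alike).
VISUAL_PAIRS = [
    ("\u0397", "H"),  # GREEK CAPITAL LETTER ETA
    ("\u03b7", "n"),  # GREEK SMALL LETTER ETA
    ("\u039d", "N"),  # GREEK CAPITAL LETTER NU
    ("\u03bd", "v"),  # GREEK SMALL LETTER NU
]

def build_classes(visual_pairs):
    """Return a find() function for the transitive closure of
    'same letter in another case' plus 'looks the same'."""
    parent = {}

    def find(c):
        parent.setdefault(c, c)
        while parent[c] != c:
            parent[c] = parent[parent[c]]  # path halving
            c = parent[c]
        return c

    def union(a, b):
        parent[find(a)] = find(b)

    for c in string.ascii_lowercase:        # existing DNS rule: 'a' == 'A'
        union(c, c.upper())
    for other, latin in visual_pairs:
        union(other, latin)                 # proposed rule: homographs are equal
        union(other.lower(), other.upper()) # case-insensitivity in the other script
    return find

def canonical_label(label, find):
    """Map every character to its class representative."""
    return "".join(find(ch) for ch in label)

def collide(a, b, find):
    """True if the two labels would be the same name under the relation."""
    return canonical_label(a, find) == canonical_label(b, find)

if __name__ == "__main__":
    plain = build_classes([])               # today's ASCII case folding only
    homograph = build_classes(VISUAL_PAIRS)
    for a, b in [("n.gr", "N.gr"), ("h.gr", "n.gr"), ("n.gr", "v.gr")]:
        print(a, b, "plain:", collide(a, b, plain),
              "homograph:", collide(a, b, homograph))
```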

