Re: Homonym attacks
Kyle Hamilton
specified in Unicode Technical Corrigendum #22, IIRC.
Punycode is difficult for the average user to comprehend, but in
languages where there are no extended characters (English, for
example) there should be no reason to prevent the punycode form from
being displayed.
My opinion is that it would be good to look at the default
language/locale of the system, and generate sane defaults for the
profile according to that. (en-US would always show punycode, for
example, while Spanish would allow converted display for ñ
(composition: n + ~), etc. This would require experts or at least
native speakers/writers of each language to tell exactly which
characters are part of the language(s) specified as the official
languages of the country in each TLD. (This list would be of
tremendous value, not only to Mozilla, but also to other DNS-bound
punycode-interpreting systems.)
I am only a native speaker of English, and I don't speak any other
spoken languages (nor do I read any other languages, except extremely
laboriously). I'm not a linguist or an expert with any other
languages, and so I'm very unlikely to be of assistance to such a
task... and the Open Source nature of Firefox et al seems to require
that at least 70% of the project be completed before it can
successfully be announced as requiring participation. Thus, I can't
start this. It can only really be initiated by at least a bilingual
person, or preferably polylingual in different language branches
(Latin-rooted, Germanic, Cyrillic, Farsi, etc).
-Kyle H
2009/12/23 Varga Viktor <var...@netlock.hu>:
> Hello,
>
> In Hungary there was some phising attack against a bank, with homonym domain.
> Of-course, it has not to large success because the domain registration rules in Hungary, that rule doesnot allows other non-latin chars, than hungarian non latins.
>
> Maybe the domain resitration rules for other coundtries is the same, i think for example in the Slovak Republic
> under the .sk TLD you can register only a domain name with non latin chars only, when you have only slovakian non-latins in your domain name.
>
> But this rule is not a must for other TLDs, so it is possible to request an SSL certificate for a homonym domain name.
>
> A simple example:
>
> The TV station gets a domain name adult.net and has online Payperview contetn on it, which can be paid by credit card, and it has a valid SSL too.
>
> The hacker gets the same domain name adult.net, the inly difference, that the "a" at the start of the domain is not a latin "a" its a cirillic "a" (the form of these is completly same).
> He wants an SSL and because this domain is owned by the hacker, the hacker can get the SSL certificate, because the whois record for the hacker is valid.
>
> Then the hacker sends a lot of emails, and in those mails he has the domain name.
>
>
> At our company wehad some alerts system for this kind of homonym attack, but it can be a big problem int he future, maybe some technical and some policy change is needed regarding this problem.
>
> What is your opinion?
>
> Üdvözlettel/Regards,
>
> Varga Viktor
> Üzemeltetési és Vevőszolgálati Vezető
> IT Service and Customers Service Executive
> Netlock Kft.
>
>
>
>
> _______________________________________________________________________
> Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu
>
> This email has been scanned for viruses and SPAM by the filter:mail MessageLabs System. More information: http://www.filtermax.hu ________________________________________________________________________________________
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
makrober
> ...My opinion is that it would be good to look at the default
> language/locale of the system, and generate sane defaults...
I hope not.
The whole idea of "locale" as a "computer-wide" specification
is lame to the extreme: it was born in the early days of computer
era, when the wast majority of users were "one computer, one user,
one country, one language..." simpletons. This is clearly no
longer a reasonable assumption, especially outside of North America.
Mark Roberts
Kyle Hamilton
HannuChristmaKwanzaakah, if you don't celebrate Christmas :) ).
Every user has the ability to change his own locale, with the LANG
environment variable (or his locale settings, in Windows). If the
user sets it before starting Firefox the first time, then there's no
reason for Firefox not to be able to import that locale.
Remember, everything has grown organically. This means that we have
some cruft in the Internet DNA that only exists for
backward-compatibility, or that exists for a purpose that was decided
to be bad but never removed from the specifications. LANG is the *nix
method of setting the locale, and it's been that way for at least 10
years. If that's not reliable, then *nothing* is reliable to generate
any kind of sane default.
In that case, the only default that doesn't rely on third parties and
having to react to their decisions related to the characters they
allow in their certificates would be to show the punycode for
everything.
-Kyle H
Martin Paljak
Contrary to your opinion I would say that "one computer, one user"
phenomena is not something historic but something from this century,
as laptops have become the norm and prices for such machines are
reasonable.
Gervase Markham
> My opinion is that it would be good to look at the default
> language/locale of the system, and generate sane defaults for the
> profile according to that.
This is what IE does. The reason it's a terrible idea, and near-fatal
for the whole idea of IDNs, is that the company which owns the IDN now
has no idea what percentage of its customers will actually be able to
see the domain as intended, and what percentage will see gobbledygook.
This makes owning and using an IDN domain significantly less attractive
than an ASCII domain.
Gerv