| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050315112703.GP28919@egrid-14.egrid.it> Date: Tue, 15 Mar 2005 12:27:09 +0100 From: Riccardo Murri <murri@...m.uniroma1.it> To: bugtraq@...urityfocus.com Cc: Paul Smith <paullocal@...s.co.uk> Subject: Re: Thoughts and a possible solution on homograph attacks [Paul Smith, Fri, Mar 11, 2005 at 10:42:47AM +0000] > My proposal would be: > > 1) IDNs only allowed on ccTLDs (not gTLDs). After all , the whole point of > IDNs is to have a domain name in the locally readable script to target > people within your own region/nation/etc. gTLDs are to have domains to > target people globally. I see no purpose (other than vanity) to having an > IDN in a gTLD . > > 2) IDNs should only be allowed to consist of a single character set - be > that Latin, Western European, Japanese, Cyrillic etc. > > 3) A ccTLD should only allow IDNs in their local character set(s). So, you > couldn't have a cyrillic IDN on a .us domain, and you couldn't have a greek > IDN on a .ru domain. > > (4) A domain registry's DRS system should take into account > homograph/pseudograph attacks. > > (5) Possibly any domains containing only characters which are graphically > equivalent to latin characters should not be allowed, but I'm not sure of > this one. > I would rather suggest that the string comparison function used in IDN takes "homograph caracters"[1] into account: just like the current DNS considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" == "GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars. A true fix in this way cannot be implemented browser-side, but rather in the IDN implementation; still, one can make the browser put the IDN names in a *canonical form* using this equivalence relation: that is, "CYRILLIC SMALL LETTER a" in a hostname is always sent on the wire as a "LATIN SMALL LETTER a". Riccardo [1] or whatever the correct term for these is... [2] so, the transitive closure of the (uppercase == lowercase) and the homograph equivalence relation implies for instance "LATIN CAPITAL LETTER A" == "GREEK SMAL LETTER \alpha", which are not homograph, but I see less harm in this than in the current IDN. -- Riccardo Murri EGRID Project The Abdus Salam ICTP Strada Costiera, 11 34016 Trieste Italy email: riccardo.murri@...p.it phone: +39 040-2240-542 fax: +39 040-224531
Powered by blists - more mailing lists