Jean-Marc Desperrier wrote:
Which blacklist? There's a blacklist inside the browser?

Yes. See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpref/src/init/all.js&rev=3.762&mark=704-708#704

The opposite seems obviously said here:
http://www.mozilla.org/projects/security/tld-idn-policy-list.html
« it does not [] require multiple DNS lookups, large character tables in the browser [] »

Indeed. This is a quite small character list. The large character tables would have been tables of characters that look like each other.

Blacklist at the registrar level can not protect from attacks on the third-level domain name (or fourth, or more).

Indeed.  The key is to make it clear what the hostname is.

You know, you can exclude "╱".

Yep.

But then you start wondering how many users will *really* notice if there's a "∕" or a "⁄", or "ʃ", or "Ɉ", or "͵ʹ", or "٪", or "ޙ", "ހ", "৴", "૮", "८", "།", "༼", "ᚋ", "ᤣ", "⁒", "⅟", "∠" instead of "/".

Indeed.

And then you begin to think that maybe just having "." would work very often, that most users have the most cursory look at the url bar, so that making security depend on the url bar is just bad.

I happen to think so, yes.

-Boris
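
The sketch below is an added example, not code from this thread or from Mozilla: it models a URL-bar character blacklist applied to every label of a hostname, and shows the gap the thread describes when a lookalike is not on the list. The blacklist contents, function names and hostnames are constructed, and falling back to ASCII for the whole name on a single hit is an assumption.

```python
import unicodedata

# Constructed sample blacklist built from three of the slash lookalikes named
# in the thread. This is NOT the browser's real list.
SAMPLE_BLACKLIST = frozenset("\u2571\u2215\u2044")  # ╱ ∕ ⁄


def to_punycode(label: str) -> str:
    """ASCII form of one label, with no IDNA validity checks applied."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host: str, blacklist=SAMPLE_BLACKLIST) -> str:
    """Hostname as a URL bar using a character blacklist might show it.

    Every label is checked, not only the registrable domain, because a
    registrar has no say over third-level and deeper labels.
    """
    labels = host.split(".")
    if any(ch in blacklist for label in labels for ch in label):
        # Assumption: one blacklisted character switches the whole name to ASCII.
        return ".".join(to_punycode(label) for label in labels)
    return host


def describe_non_ascii(host: str) -> list:
    """List each non-ASCII character with its code point and Unicode name."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in host if not ch.isascii()
    ]


if __name__ == "__main__":
    # Constructed hostnames under reserved example domains.
    for host in ("example.com\u2571login.site.example",   # ╱ is on the list
                 "example.com\u2220login.site.example"):  # ∠ is not
        print(display_host(host), describe_non_ascii(host))
```

The second hostname passes through unchanged, so a character blacklist only helps for the characters someone thought to put on it.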