.de is in the IDN whitelist, so international domain names from this TLD will show up in their "human-readable" form (not punycode). However, the .de registry DENIC seems to allow certain characters that might be mistaken for others. I am sure they are not the only one. Their policy [1] does not state anything about blocking similar domain names. For example, one of the characters allowed in the policy is ņ (n with a small dash below it). While their online domain query tool seems to block invalid domains, they show "postbaņk.de" (postbank.de with the fake n, xn--postbak-pkb.de) as a valid domain, so I assume it would be possible for a phisher to register it. This is of course just an example. Of course there is a visible difference between "n" and "ņ", but I doubt many average users (many of them not knowing that IDN is possible) would notice/care about this. I think they might even take the dash/dot below the n for dirt on the screen. Similar problematic characters probably exist in other whitelisted domains too.

Does this fall under "you can't do anything against stupid/careless users" or should more be done to protect against this attack? (Like setting network.IDN_show_punycode to true by default for all domains, highlighting IDN domain name parts, etc.)

Jan

[1] http://www.denic.de/en/richtlinien.html

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
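To make the question concrete, here is an added example that is not part of Jan's post or of any Mozilla code: it decodes the A-label quoted above with Python's standard-library idna codec and shows one way a cautious UI could decide to fall back to punycode display, by flagging names whose diacritic-stripped skeleton is plain ASCII or whose labels mix scripts. The only input it assumes is the xn--postbak-pkb.de label from the post.

```python
import unicodedata


def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; plain ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def ascii_skeleton(label: str) -> str:
    """Drop combining marks after NFKD decomposition, so 'ņ' (n + cedilla) becomes 'n'.
    This only catches diacritic-based look-alikes; whole-script confusables
    (e.g. Cyrillic letters standing in for Latin ones) need mixed_script()."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def mixed_script(label: str) -> bool:
    """True when a single label mixes letters from more than one script
    (first word of the Unicode character name: LATIN, CYRILLIC, GREEK, ...)."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
               for ch in label if ch.isalpha()}
    return len(scripts) > 1


def classify_domain(domain: str) -> dict:
    """Return the human-readable form plus the form a cautious UI would display:
    the A-labels (punycode) whenever the name looks confusable."""
    labels = [to_unicode_label(part) for part in domain.split(".")]
    unicode_form = ".".join(labels)
    skeleton = ".".join(ascii_skeleton(part) for part in labels)
    a_label_form = ".".join(part.encode("idna").decode("ascii") for part in labels)
    # Flag if stripping diacritics yields a pure-ASCII name that differs from
    # the real one (postbaņk -> postbank), or if any label mixes scripts.
    confusable = (skeleton != unicode_form and skeleton.isascii()) \
        or any(mixed_script(part) for part in labels)
    return {
        "unicode": unicode_form,
        "skeleton": skeleton,
        "confusable": confusable,
        "display": a_label_form if confusable else unicode_form,
    }


if __name__ == "__main__":
    # Constructed inputs: the A-label quoted in the post and the genuine name.
    for name in ("xn--postbak-pkb.de", "postbank.de"):
        print(name, "->", classify_domain(name))
```

Note that the skeleton heuristic also flags legitimate diacritic domains (any name that collapses to ASCII), which is exactly the usability cost of showing punycode for everything that the post weighs against the phishing risk.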
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
