Benjamin Smedberg wrote, On 2009-02-19 07:39:

> It sounds to me that we could and should fix this bug simply by disabling
> punycode for the wildcard portion.

I'm not sure what you're proposing here, Ben, or what effect you think
it would have.

Homomorphic characters aren't a problem for wildcard matching.  They're a
problem for users' eyeballs.  The attack that was demonstrated could have
been done without wildcards.  Changing the wildcard matching rules would
not eliminate this attack (in the general case).

In any case, I think Dan's recent IDN blacklist bug is on the right track.
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
