Gervase Markham <[EMAIL PROTECTED]> wrote:
> What someone posted a day ago about "/" homograph attacks has meant
> that one thing we plan to do is have a short number of characters
> which are completely forbidden in IDN domains at any level - in that,
> mozilla.org products would refuse to recognise IDNs containing them.

Please think twice before creating a precedent of a browser completely blackholing a technically valid (albeit devious) site. I think it would be sufficient, security-wise, for the browser to inhibit the display of domain names believed to be misleading, and to display them in ASCII form instead, but still allow access to the site.

> My initial list includes the homographs of ":", ".", "/" and probably
> "\" too, plus all the space characters.

I imagine you'd want all the characters that could immediately follow the host name in a URI, so add "?" and "#" to that list. But how well do average users know URI syntax anyway? What would they think of:

http://foo.com&bar.baz.xx
http://foo.com~bar.baz.xx
http://foo.com|bar.baz.xx

Maybe we either need to ban all punctuation (as in my proposal about internationalized host names), or always make the boundaries of the domain name apparent to the user (using color or highlighting or underlining or something).

> P.S. Of course, the slash homograph attack wouldn't fool the Firefox
> SSL domain security indicator anyway, which would still display the
> entire domain, fake slashes and all.

Yes, but do users understand what that indicator means? If they see foo.com/bar.baz.xx in the indicator, do they understand that it is unrelated to foo.com?

AMC
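The "display it in ASCII form instead of blocking it" approach from the reply above, as an added example that is not part of the thread or of any Mozilla code: the look-alike table below is a constructed, non-exhaustive list of code points that render like the URI delimiters mentioned (":", ".", "/", "\", "?", "#"), spaces are caught by Unicode category, and a host containing any of them is shown in its Punycode form rather than refused.

```python
import unicodedata

# Constructed (assumed) table of code points that look like ASCII characters
# able to end or follow a host name in a URI. Not exhaustive; a real browser
# would derive this from Unicode confusables data.
DELIMITER_HOMOGRAPHS = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\uFF0F": "/",   # FULLWIDTH SOLIDUS
    "\u2024": ".",   # ONE DOT LEADER
    "\u3002": ".",   # IDEOGRAPHIC FULL STOP
    "\uFF0E": ".",   # FULLWIDTH FULL STOP
    "\uFF1A": ":",   # FULLWIDTH COLON
    "\uFF3C": "\\",  # FULLWIDTH REVERSE SOLIDUS
    "\uFE68": "\\",  # SMALL REVERSE SOLIDUS
    "\uFF1F": "?",   # FULLWIDTH QUESTION MARK
    "\uFF03": "#",   # FULLWIDTH NUMBER SIGN
}


def suspicious_chars(host):
    """Return (char, looks_like) pairs for every delimiter look-alike or space."""
    found = []
    for ch in host:
        if ch in DELIMITER_HOMOGRAPHS:
            found.append((ch, DELIMITER_HOMOGRAPHS[ch]))
        elif unicodedata.category(ch).startswith("Z"):  # Zs/Zl/Zp: any space
            found.append((ch, " "))
    return found


def to_ascii(host):
    """Punycode each non-ASCII label (xn-- prefix) so no glyph can pose as a
    delimiter. Labels are split on the ASCII '.' only, so a look-alike dot
    stays inside its label and is encoded with it."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def display_form(host):
    """What the location bar shows: the Unicode name when it is clean, the
    ASCII (Punycode) form when it contains a look-alike; access is not blocked."""
    return host if not suspicious_chars(host) else to_ascii(host)
```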
