"\"Martin v. Löwis\"" <[EMAIL PROTECTED]> wrote:

> > For example, someone could register a name that looks like
> > "foo.bar.com", where the first dot was really U+0702.
>
> I may be missing something, but I think this cannot be registered:
>
> UnicodeError: Violation of BIDI requirement 2
Sure enough. I didn't realize U+0702 was right-to-left. That helps, but I
wonder if there's another dot-lookalike lurking in Unicode.

> > On second thought, the "." homograph attack is less severe than the
> > "/" homograph attack. The former only allows the attacker to spoof
> > names in the same domain that the attacker is registered in;
>
> I can't follow this reasoning, either: *if* foo.bar.com was possible,
> then I choose foo=www, bar=microsoft, and put an A record for the
> resulting label into DNS. The label would *not* be in the domain
> microsoft.com.

Let's use ! to denote the fake dot. What I meant was that if the attackee
registers microsoft in the .com domain, then the attacker must likewise
register www!microsoft in the .com domain, and maybe someday the .com
registry will stop allowing such things.

Let's use % to denote the fake slash. With this attack, the attacker can
register www.microsoft.com%foo in the bar.blah.deep.whatever domain,
unhindered by any restrictions that might someday be put on the .com
domain.

AMC

P.S. What's up with the literal quotes in your display-name? Is that my
mail program acting funny, or yours?
