Henrik Gemal wrote:

> damn, that's an ugly one

Conversing with my friend earlier (who seemed quite knowledgeable on punycode domains), he said he had the same argument with OpenSRS 2 years ago about this same issue, and that even on a smaller scale, who will know if you register a domain similar to a competitor's if both businesses are small, etc.?


Furthermore, he made the comment that if a CA were turned into the world web police, you could still get certs on valid domains by suing for restraint of trade if they didn't issue them. So the problem has to be dealt with at the domain level, not the CA level.

So basically punycode is a bad hack that will be very exploitable until the day it dies and Unicode replaces it, which isn't likely to happen any time soon... Making characters bold isn't going to do much for the average Joe with respect to phishing scams, and throwing up a warning message is self-defeating...

So with all that in mind, there are discussions going on now about whether CAcert should actually disallow punycode certificate registrations, due to the apparent ease of not only getting a domain to look like another, but also getting valid certificates from CAs built into existing browsers...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
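Added example, not part of Duane's message or of CAcert's own code: the kind of lookalike check a CA could run on a punycode domain before issuing, or a browser before displaying the name. It decodes each xn-- label, flags labels that mix scripts (the Cyrillic-a-in-Latin-"paypal" case the thread is about) and, separately, labels that collapse to a pure-ASCII lookalike once confusable letters are folded, which also catches an all-Cyrillic label that renders as a Latin word. The CONFUSABLES map is a hand-picked subset I constructed for the example, not the Unicode confusables table, and the sample domains are constructed too.

```python
import unicodedata

# Hand-constructed subset of confusable pairs (non-Latin letter -> Latin
# lookalike). The real Unicode confusables table is far larger; this subset is
# an assumption made for the example, not a complete list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_unicode(domain):
    """Return the Unicode form of a domain given in either ACE (xn--) or Unicode form."""
    return domain.encode("idna").decode("idna")


def to_punycode(domain):
    """Return the ACE (xn--) form that a registrar or CA sees in a request."""
    return domain.encode("idna").decode("ascii")


def script_of(ch):
    """Approximate a letter's script from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits, hyphens and other symbols count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Fold confusable letters to their Latin lookalikes, so two labels that
    render the same on screen compare equal."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))


def check_domain(domain):
    """Flag labels that mix scripts or that fold to a pure-ASCII lookalike.

    Returns the decoded name, an overall verdict and per-label findings, so a CA
    can refuse or escalate before issuing and a browser can decide how to
    display the name.
    """
    uni = to_unicode(domain)
    findings = []
    for label in uni.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        mixed = len(scripts) > 1
        sk = skeleton(label)
        lookalike = sk != label and sk.isascii()
        if mixed or lookalike:
            findings.append({
                "label": label,
                "scripts": sorted(scripts),
                "mixed_script": mixed,
                "ascii_lookalike": sk if lookalike else None,
            })
    return {"unicode": uni, "suspicious": bool(findings), "findings": findings}


# Constructed samples (not taken from the original thread):
#   - Latin "paypal" with a Cyrillic a (U+0430) in second position: mixed script
#   - an all-Cyrillic label that renders as "coop": passes a mixed-script check
#     but still folds to an ASCII lookalike
#   - the plain ASCII name, which must not be flagged
SAMPLES = [
    to_punycode("p\u0430ypal.com"),
    to_punycode("\u0441\u043e\u043e\u0440.com"),
    "paypal.com",
]

if __name__ == "__main__":
    for d in SAMPLES:
        r = check_domain(d)
        print(d, "->", r["unicode"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for f in r["findings"]:
            print("   ", f)
```

The mixed-script test alone is what makes the "bold" or "warn on any IDN" proposals in the thread look weak: a label written entirely in one non-Latin script sails through it, which is why the skeleton comparison is there as a second check. Both are screening heuristics, not a verdict: a confusable missing from the table is missed, and a genuine single-script name that happens to fold to a Latin word gets flagged and needs a human decision.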
