Stephan Hohe wrote:
Gervase Markham wrote:

After today's staff and drivers meetings, mozilla.org has decided on a short-term course of action for dealing with the IDN/punycode problem.

http://weblogs.mozillazine.org/gerv/archives/007556.html


I think a better (temporary) solution than just dropping IDN support would
be to always display the punycode encoded domain name instead of the
unicode version (Urlbar/Statusbar always shows www.xn--mozlla-5va.org
instead of www.mozölla.org). This way there is no security problem because
the displayed punycode names don't look similar to "regular" domains
anymore, but they would still work and are reachable even through Unicode
links.

IDN domain names would look ugly, but at least they would still work.

While I can understand the suggestion you're making I can see the flip side of it as well, and you have to ask, do we really want band-aid solutions or should we get the peace of mind the RFC already covers and to have the problem fixed at the root of the cause.


By taking the stance of causing complaints to be raised with the cause of the issue, they are sending a message to registries/registrars that they have to fix this issue or face the wrath of their users and potential users unless this problem is nipped in the bud before it becomes an even worse problem. If this issue is let go, no browser in future could have the ability to persuade registries/registrars to get the problem fixed in future, the browsers themselves would be the ones getting the complaints about how insecure they are, when it's not just the browsers at fault (system unicode fonts etc that simply copied and pasted similar characters etc)...

In response to this issue, CAcert put measures in place to prevent punycode certificates from being issued unless people have verified themselves under our code signing policy...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
