Hi, folks!

My name is Ping.  I do research at UC Berkeley in human-computer
interaction.  I've spent a fair amount of time thinking, writing, and
talking to people about human factors and security, and though I
haven't developed anything as large as Mozilla Firefox, I have some
experience with implementing and testing usable security tools and
have made a few contributions to other open source projects.  I look
forward to learning from you through my participation on this list
and hope my comments will be a positive contribution.

Getting to know Firefox has been a happy experience for me.  Finally,
I thought, here is a design team that is starting to get it.  Finally
a development team that understands that computer security is not just
a matter of adding incomprehensible error messages, pop-up prompts,
or more settings to a Security Options dialog.  (In my opinion, a bloated
and complex Security Options dialog can be worse than extra security --
it can constitute security theater.  By contrast, Firefox's simplicity
and secure-by-default design have been refreshing and welcome.)

I came to this list after hearing about the widely publicized IDN
spoofing attack on Firefox.  My first reaction to the report was
surprise.  How could this happen to our dear Firefox?  The homograph
problem is not at all a new discovery; it was anticipated as early as
2002 in Communications of the ACM [1], by ICANN [2], and in my own
conference paper [3].  The problem is also described in the IDN
specifications themselves.  RFC 3490 [4] specifically mentions
homographs, and the first sentence of the "Security Considerations"
section of RFC 3491 [5] says:

    The Unicode and ISO/IEC 10646 repertoires have many characters
    that look similar.

So, what happened?  I can guess at some possibilities -- perhaps the
specifications were not carefully consulted, or the implementors of
the IDN feature were not aware of security considerations, or they
were aware but decided it was not their responsibility to address.
Were there communication problems between feature implementors and
security people?  Was security deprioritized?  Maybe there are other
possibilities I haven't thought of?

Please understand that my goal here is not to personally attack the
developers of Firefox.  I'd like to help make Firefox better.  I want
to learn about the development process and see if we can figure out
how to prevent this kind of problem from happening again.  Would
somebody be kind enough to tell me the story of how IDN was added to
Firefox from an inside developer's perspective?

Thanks for all your hard work on Firefox!



-- ?!ng


[1] http://www.csl.sri.com/users/neumann/insiderisks.html#140
[2] http://www.icann.org/committees/idn/idn-codepoint-paper.htm
[3] http://zesty.ca/sid/uidss.pdf
[4] http://www.faqs.org/rfcs/rfc3490.html
[5] http://www.faqs.org/rfcs/rfc3491.html
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
