Hi, folks! My name is Ping. I do research at UC Berkeley in human-computer interaction. I've spent a fair amount of time thinking, writing, and talking to people about human factors and security, and though I haven't developed anything as large as Mozilla Firefox, I have some experience with implementing and testing usable security tools and have made a few contributions to other open source projects. I look forward to learning from you through my participation on this list and hope my comments will be a positive contribution.

Getting to know Firefox has been a happy experience for me. Finally, I thought, here is a design team that is starting to get it. Finally a development team that understands that computer security is not just a matter of adding incomprehensible error messages, pop-up prompts, or more settings to a Security Options dialog. (In my opinion, a bloated and complex Security Options dialog can be worse than extra security -- it can constitute security theater. By contrast, Firefox's simplicity and secure-by-default design has been refreshing and welcome.)

I came to this list after hearing about the widely publicized IDN spoofing attack on Firefox. My first reaction to the report was surprise. How could this happen to our dear Firefox?

The homograph problem is not at all a new discovery; it was anticipated as early as 2002 in Communications of the ACM [1], by ICANN [2], and in my own conference paper [3]. The problem is also described in the IDN specifications themselves. RFC 3490 [4] specifically mentions homographs, and the first sentence of the "Security Considerations" section of RFC 3491 [5] says:

    The Unicode and ISO/IEC 10646 repertoires have many characters that look similar.

So, what happened? I can guess at some possibilities -- perhaps the specifications were not carefully consulted, or the implementors of the IDN feature were not aware of security considerations, or they were aware but decided it was not their responsibility to address. Were there communication problems between feature implementors and security people? Was security deprioritized? Maybe there are other possibilities I haven't thought of?

Please understand that my goal here is not to personally attack the developers of Firefox. I'd like to help make Firefox better. I want to learn about the development process and see if we can figure out how to prevent this kind of problem from happening again.

Would somebody be kind enough to tell me the story of how IDN was added to Firefox from an inside developer's perspective?

Thanks for all your hard work on Firefox!

-- ?!ng

[1] http://www.csl.sri.com/users/neumann/insiderisks.html#140
[2] http://www.icann.org/committees/idn/idn-codepoint-paper.htm
[3] http://zesty.ca/sid/uidss.pdf
[4] http://www.faqs.org/rfcs/rfc3490.html
[5] http://www.faqs.org/rfcs/rfc3491.html

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security