hi Ping,

I have a different perspective on the Shmoo thing, below.


Ka-Ping Yee wrote:

When i asked "what happened", i meant that i'd like to know the story
of how IDN support got added to Firefox in the first place. (Sorry i
wasn't so clear.) Were security folks aware that it was being added?
Did they have an argument with the IDN developers and lose? I'm
wondering why the whole "fake URLs" discussion happened *after* the
spoof was publicized, rather than *before* IDN was added.
Conceptually, adding IDNs was no different to domains with other artifacts like digits and so forth. Conceptually, I don't see why anyone would not add IDNs on that basis.

Whether the security guys said anything at the time, it
doesn't seem to be a big deal.  Nobody lost any money,
and the Shmoo thing was just a demo.  The fact that it
was a really good demo is neither here nor there in the
overall scheme of things.

AFAICS, the risk of attack based on Shmoo is unchanged.
Until changes are made to the UI portions of the security
model to thrust the SSL protection closer to the user's
face, most phishing will ignore the SSL and just concentrate
on the domain name looking plausible.  And we can't really
conquer the plausible domain issue until we get to SSL
cert usage, as we need a handle on which to solidly test
the user's relationship.

To put this clearly, even if I knew the Shmoo exploit was
coming, I'd still as a security guy say that IDNs should
be added in whatever form possible.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
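One defender-side check that follows from the "plausible domain name" point above, added here as an example and not code from the thread or from Mozilla: decode a hostname's IDN (xn--) labels and flag any label that mixes Latin letters with Cyrillic or Greek ones. The script table and the sample spoof host are constructed for this example.

```python
import unicodedata

# Script buckets taken from the first word of each character's Unicode name.
# Treating any mixture of these inside one label as suspicious is an
# assumption of this example, not a rule stated in the thread.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode; a host already in Unicode passes through."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens carry no script
            first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            scripts.add(first_word if first_word in CONFUSABLE_SCRIPTS else "OTHER")
    return scripts


def mixed_script_labels(host: str) -> list:
    """Labels of host (after IDN decoding) that mix two or more confusable scripts."""
    unicode_host = to_unicode_host(host)
    return [
        label
        for label in unicode_host.split(".")
        if len(label_scripts(label) & CONFUSABLE_SCRIPTS) > 1
    ]


# Constructed sample: a Latin label with one Cyrillic letter substituted
# (U+0430 renders like Latin 'a'), stored in the punycode form a registry sees.
SPOOF_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")  # 'xn--...com'
LEGIT_HOST = "paypal.com"

if __name__ == "__main__":
    for h in (SPOOF_HOST, LEGIT_HOST):
        print(h, "->", to_unicode_host(h), "mixed-script labels:", mixed_script_labels(h))
```

A check like this belongs in the UI path (address bar, mail gateway) so the mixed-script label is shown in a distinguishable form rather than as its lookalike.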
