On 25/03/09 00:09, Jan Schejbal wrote:
> For example, one of the characters allowed in the policy is ņ (n with a
> small dash below it). While their online domain query tool seems to
> block invalid domains, they show "postbaņk.de" (postbank.de with the
> fake n, xn--postbak-pkb.de) as a valid domain, so I assume it would be
> possible for a phisher to register it. This is of course just an example.
> Of course there is a visible difference between "n" and "ņ", but I doubt
> many average users (many of them not knowing that IDN is possible) would
> notice/care about this. I think they might even take the dash/dot below
> the n for dirt on the screen. Similar problematic characters probably
> exist in other whitelisted domains too.

Yes, indeed. It's hard to know where to draw the line on character similarity. At the moment, my general policy is not to force registries to block or bundle domains which vary only in accenting, although we strongly advise it. There were two practical reasons for this:

- It would be a big, intrusive and politically difficult requirement to enforce;
and
- There is some justification for arguing that people who speak languages which have characters differing by an accent have learned to spot the accents, so they can read their own language.

Gerv
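The "vary only in accenting" check Gerv describes can be approximated mechanically: decode the punycode label, canonically decompose it (NFD), drop the combining marks, and see whether what is left collides with a protected name. The following is an added example written for this thread, not code from Mozilla or any registry; the PROTECTED set is a constructed stand-in for whatever list a registry would bundle or block against, and the domains used in the test are the ones from Jan's message plus a constructed non-colliding IDN.

```python
import unicodedata

# Constructed stand-in for a registry's list of names whose accent-only
# variants should be bundled with or blocked for the existing registrant.
PROTECTED = {"postbank.de"}


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; leave plain labels alone."""
    if label.lower().startswith("xn--"):
        # Python's 'punycode' codec takes the part after the xn-- prefix.
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_unicode(domain: str) -> str:
    """Decode every label of a dotted domain name."""
    return ".".join(decode_label(label) for label in domain.split("."))


def strip_accents(text: str) -> str:
    """Canonically decompose and remove all combining marks (ņ -> n, ü -> u)."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def combining_marks(text: str) -> list:
    """List the combining marks a decoded name contains, by Unicode name."""
    decomposed = unicodedata.normalize("NFD", text)
    return [unicodedata.name(ch) for ch in decomposed if unicodedata.combining(ch)]


def accent_only_variant_of(domain: str):
    """Return the protected domain this name collapses to after accent
    stripping, or None if it carries no accents or collides with nothing."""
    unicode_form = to_unicode(domain)
    skeleton = strip_accents(unicode_form)
    if skeleton != unicode_form and skeleton in PROTECTED:
        return skeleton
    return None


def registration_decision(domain: str) -> dict:
    """What a registry front-end might return for a candidate registration."""
    unicode_form = to_unicode(domain)
    collision = accent_only_variant_of(domain)
    return {
        "requested": domain,
        "unicode": unicode_form,
        "marks": combining_marks(unicode_form),
        "action": "block_or_bundle" if collision else "allow",
        "collides_with": collision,
    }


if __name__ == "__main__":
    for candidate in ("xn--postbak-pkb.de", "postbank.de", "xn--mnchen-3ya.de"):
        print(registration_decision(candidate))
```

Accent stripping catches only the "same base letter plus a mark" class that Gerv's policy talks about; it does nothing for look-alikes across scripts (Cyrillic а for Latin a), which need a confusables table rather than NFD.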
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security