From: Mark E. Shoulson (mark@kli.org)
Date: Thu Feb 10 2005 - 18:38:26 CST
It seems to me unfair and misleading to call this a "flaw" in Firefox et
al. In fact, the browsers are just following the standard (whose
standard is this? I can never keep track of the alphabet soup of
standards organizations) and enabling IDNs--which people must be wanting
browsers to support, right? It's hardly the browser's fault if the
*standard* is itself subject to these shenanigans.
The simplest solution is just to pitch IDNs entirely. Is that what
people actually want?? And even that still leaves problems with
micros0ft.com and goog1e.com and such games. I thought when this was
last discussed, people were saying that the registries should perform
such checks and not permit "too-close" domain names. That does seem like
something of a burden for the registry; can they be expected to catch
them all?
The different-colors-for-different-blocks plan seems like a good start.
A warning that there *is* punycode happening is probably a good plan
too, which I had not thought of.
But to say this is a "flaw" that IE doesn't have is misrepresenting the
situation. It's a feature based on an inherently risky standard that IE
doesn't support.
~mark
John Burger wrote:
> Frank Yung-Fong Tang wrote:
>
>> Any one have any comment about
>> https://bugzilla.mozilla.org/show_bug.cgi?id=279099
>
>
> Here's a popular press description of the problem
>
> http://www.macworld.com/news/2005/02/08/spoof/index.php
>
> which points to a test for it at Secunia.com. (They registered
> paypal.com spelled with a Cyrillic "a".) Ironically, IE doesn't fall
> for the spoof, because it apparently doesn't handle IDNs. Of course,
> from a user interface perspective, browsers need to do something about
> this, but I find it annoying that it's described as a "security flaw".
> My browser doesn't warn me about g00g1e.com yet, either.
>
> - John D. Burger
> MITRE
>
>
This archive was generated by hypermail 2.1.5 : Thu Feb 10 2005 - 18:39:16 CST