New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)

Posted Feb 22, 2005 9:36 UTC (Tue) by eru (subscriber, #2753) [Link]

In lots of fonts it is very hard (or impossible) to see the difference between l (small L) and I (capital i) paypal paypaI, would *your* grandmother notice ?

But such fonts are seriously broken, at least for all applications that require accurate information to be conveyed.

It would not be too hard to require that the URL entry field and the status bar must use only fonts where different letters of the alphabet are clearly distinguishable. That does not mean going to monospaced typewriter fonts. Most of the problem goes away by just avoiding sans serif fonts.

Posted Feb 22, 2005 18:32 UTC (Tue) by iabervon (subscriber, #722) [Link]

It is not really necessary to have a client certificate; the server certificate is sufficient identification of the server. The problem is that browsers use certificate authorities to determine whether a certificate should be trusted, which is the real flaw. The browser should really store the certificates of sites you have a relationship with and tell you if you get a new certificate. If you go to an encrypted page where you haven't seen the certificate before, you should go through a process where the browser tells you that the certificate is new, tells you to be suspicious if you thought you'd been there before, lets you compare the fingerprint against a known one (your bank could send you the fingerprint of their certificate in the online banking literature or your statement), and warns you if there are similar domains you've got certificates from before.

Ideally, users could store the set of certificates with their ISPs, too, so that they wouldn't lose all of their recognized certificates when changing computers, to reduce the number of times that a particular individual will legitimately see the new certificate page for the same site.

Posted Feb 23, 2005 13:19 UTC (Wed) by forthy (guest, #1525) [Link]

"paypal vs. paypaI" (with capital "I" instead of lowercase "l"): That's "solved" with normalizing URLs to all-lowercase letters (paypaI->paypai).

Punycode is a bad solution at a real problem. The real problem is that people want (and need) localized URLs. Not so much in the world with latin letters, but the rest is at least as large. The solution simply is wrong: You don't want context-free localized URLs, i.e. you don't want Unicode.

My suggestion is to drop punycode, and create a stringent set of transformations into ASCII. If you want a Chinese domain (e.g. for xinhua, the Chinese news service), you get "xinhua.zn". You are allowed to enter that text in Chinese, the transition process makes sure that you can type something like 薪华.中 in your web-browser, and still get what you need (you have to agree on a particular transcript, though).

You could still even see what you need when there's a backmapping for the preferred rendering. This should be a DNS entry, i.e. if you buy "xinhua.zn", you can ask for such an entry. The entry has to follow the rules (i.e. it has to forward translate to "xinhua.zn"), and can probably also follow further rules (if it's a .zn domain, e.g. it should be Chinese).

BTW LWN: I really wanted these &#xHEX; as above in my text, there's no fucking unescaped & in there. They would show up as unicode Chinese characters to prove my point :-(.

Posted Feb 25, 2005 16:43 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

The first time you use the bank you have to download a client-side certificate. This is installed in the browser

Does that mean you can't access your bank from another computer? If so, I'd switch banks if it were I.

What you've described doesn't seem to solve the homograph problem, though. The fake bank site would accept the certificate.