[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IDNA and security

* Joey Hess:

> Florian Weimer wrote:
>> People are filing security bugs because of the homograph issue.  But
>> is this a real security problem?  Do you think we should change our
>> fonts so that 1, l and I (and O and 0, of course) are more different
>> visually?
> That misses part of the point of the homograph issue, which is that
> besides characters that look confusingly alike, unicode contains
> charaters that are *identical*, except for being in a different code
> pages. See http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

I've written about these issues four years ago.  I still don't think
they are a security problem, given the way DNS TLDs and the browser
CAs operate.

There are fonts in which "l" and "I" are *identical* (Gill Sans is an
example, IIRC).

> FWIW, I've filed the bugs I did on this issue at normal priority,
> because it was not at all clear to me that the bug meets the criteria
> for being release critical, since the actual bug is in the basic design
> of unicode domain names, in the lacking procedures of the CAs and
> registrars who do not check for homograph issues, and in the overall
> design of so-called ecommerce "security". Any fixes in the packages can
> at best only be heuristics and workarounds, and will likely just lead to
> an escalating arms race if this problem is worth exploiting.

Oh, in this case, our opinions on this matter aren't too different
after all.

Reply to: