[Pkg-kde-bugs-fwd] [Bug 98788] Possible solution to IDN domain spoofing/phishing

Thiago Macieira 98788@bugs.kde.org
24 Mar 2005 22:34:38 -0000


------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

http://bugs.kde.org/show_bug.cgi?id=98788
thiago kde org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |normal



------- Additional Comments From thiago kde org  2005-03-24 23:34 -------
Tuning down the severity now. The issue is not critical anymore because we have prevented the phishing attack, even if the solution can still be greatly improved upon.

My opinion is that we should implement a solution with:
1) whitelisting of TLDs known to be safe -- those that have implemented rules that restrict the characters allowed, such as .de (allows only ä, ö and ü aside from the normal ASCII ones)

2) blacklisting the TLDs known to be unsafe: .com, .net, .org, .biz, etc.

3) on top of 1 & 2, implement per-language list of valid characters outside the ASCII range

4) create a list of blacklisted characters (Unicode codepoints that look like /, for instance)

The algorithm would be like this:
- if the domain is ASCII-only, never mind it
- verify the #4 list. If there is any such forbidden character, refuse to use IDN and don't warn the user.
- verify the #3 list. If any characters fall outside the language rules, warn the user.
- verify the #2 list. If the domain is explicitly blacklisted, warn the user.
- verify the #1 list. If the domain isn't explicitly whitelisted, warn the user with the option to not show the warning again.

libkdecore would provide a method of checking those, but not the warnings (since that would be in libkdeui). Applications like Konqueror and KMail should provide the proper warnings when necessary.

So a German user would not see a warning if he went to möller.de, but a Portuguese-speaking one would, since "ö" doesn't occur in the Portuguese language.

For those domains that match the language rules, but aren't explicitly whitelisted or blacklisted, we should provide a warning that has the "do not show this again" option. That means a German-speaking user would see a warning for "möller.de.vu", but could turn that off for the site or globally.

This is just an idea. It has to be refined before it is implemented.
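The four-list check proposed in the comment above, written out as an added example (this is not code from the bug report or from KDE's libkdecore); the TLD lists, the per-language character sets and the forbidden codepoints are illustrative stand-ins for the real policy tables that would have to be maintained:

```python
# Added example: the four-list IDN check sketched in the bug comment.
# All tables below are constructed for illustration, not real policy data.

SAFE_TLDS = {"de"}                           # list #1: registries with restrictive rules
UNSAFE_TLDS = {"com", "net", "org", "biz"}   # list #2: registries with no such rules

# list #3: non-ASCII letters that occur in a given UI language (assumed subsets)
LANG_CHARS = {
    "de": set("äöüß"),
    "pt": set("ãõçáéíóúâêôàü"),
}

# list #4: codepoints that look like a slash and could fake a path boundary
FORBIDDEN = {"\u2044", "\u2215", "\u29f8"}   # FRACTION SLASH, DIVISION SLASH, BIG SOLIDUS


def check_idn(host: str, lang: str):
    """Return (verdict, reason) for a host name shown to a user whose UI language is `lang`.

    verdict is one of:
      "ok"               nothing to do
      "refuse"           do not decode the IDN at all (step #4), no warning
      "warn"             show a warning (steps #3 and #2)
      "warn-dismissable" show a warning with a "do not show again" option (step #1)
    The warning itself is left to the caller, mirroring the libkdecore/libkdeui split.
    """
    if host.isascii():                       # ASCII-only: never mind it
        return "ok", "ascii-only"

    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    non_ascii = {c for c in host if ord(c) > 127}

    bad = non_ascii & FORBIDDEN              # step #4
    if bad:
        return "refuse", "forbidden codepoints: " + " ".join(f"U+{ord(c):04X}" for c in sorted(bad))

    outside = non_ascii - LANG_CHARS.get(lang, set())   # step #3
    if outside:
        return "warn", f"characters not used in language {lang!r}: {''.join(sorted(outside))}"

    if tld in UNSAFE_TLDS:                   # step #2
        return "warn", f"TLD .{tld} is blacklisted"

    if tld not in SAFE_TLDS:                 # step #1
        return "warn-dismissable", f"TLD .{tld} is not whitelisted"

    return "ok", f"TLD .{tld} is whitelisted and all characters fit language {lang!r}"
```

Run against the comment's own cases: möller.de is silent for a German user, warns a Portuguese user, and möller.de.vu gets the dismissable warning because .vu is on neither TLD list.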