[Pkg-kde-bugs-fwd] [Bug 98788] Possible solution to IDN domain spoofing/phishing

Thiago Macieira 98788@bugs.kde.org
28 Mar 2005 04:10:41 -0000


http://bugs.kde.org/show_bug.cgi?id=98788

------- Additional Comments From thiago kde org  2005-03-28 06:10 -------
I am in agreement with some other developers who think the IDN specs are broken when they allow punctuation characters that look like / to be allowed. It is different if a language has a character that happens to look like /: tough luck, but we can't restrict.

I think that per-language restriction isn't enough. I am a Portuguese-language speaker, which means the i-acute (í) character is allowed for me -- that means I can reasonably be expected to notice it. However, it is also true that this character in particular is very easily mistaken for the normal i, which can be used to create phishing sites like íntel.com. All you have to do is have a smallish font.

The same is also true for Turkish speakers and the dotless i (ı). Try going to mıcrosoft.com -- it exists.

So, the bottom line is: unless the strict registration rules are enforced, per-language isn't enough security. Hence the need for a white-listing of domains, and/or a blacklisting of others.
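The two checks the comment contrasts, as an added example that is not part of the bug thread and not KDE's code: a per-language allow-list (the policy the comment calls insufficient) beside a lookalike check that collapses each label to an ASCII "skeleton", using the íntel.com (i-acute) and mıcrosoft.com (dotless i) cases from the comment. The confusable table and the per-language character sets are constructed for this example, not taken from any standard; the xn-- encoding uses the Python stdlib IDNA codec (RFC 3490). A label that passes the language check but still has an all-ASCII twin is displayed in its unambiguous xn-- form instead of the Unicode form.

```python
import unicodedata

# Constructed lookalike table for this example: non-ASCII letters that render
# close to an ASCII letter in a small font. This is NOT Unicode's confusables.txt,
# just the two cases from the comment plus a few well-known ones.
CONFUSABLE_TO_ASCII = {
    "\u00ed": "i",  # í  LATIN SMALL LETTER I WITH ACUTE (the íntel.com case)
    "\u0131": "i",  # ı  LATIN SMALL LETTER DOTLESS I  (the mıcrosoft.com case)
    "\u00e1": "a",  # á
    "\u00f3": "o",  # ó
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
}

# Constructed per-language allow-lists (the policy the comment says is not enough):
# the non-ASCII letters a speaker of that language can reasonably be expected
# to recognise.
LANGUAGE_EXTRA_CHARS = {
    "pt": set("áàâãéêíóôõúç"),
    "tr": set("çğıöşü"),
}


def allowed_for_language(label, lang):
    """Per-language restriction: every non-ASCII character in the label must be
    in the allow-list for `lang`. Pure ASCII always passes."""
    extra = LANGUAGE_EXTRA_CHARS.get(lang, set())
    return all(ch.isascii() or ch in extra for ch in label)


def skeleton(label):
    """Replace every character that has an ASCII lookalike with that lookalike,
    after NFKC normalisation so a decomposed form (i + combining acute) is
    treated the same as the precomposed í."""
    normalised = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in normalised)


def lookalike_of_ascii(label):
    """True when a non-ASCII label collapses to a pure-ASCII skeleton, i.e. it
    can be mistaken for an all-ASCII label such as 'intel' or 'microsoft'."""
    if label.isascii():
        return False
    return skeleton(label).isascii()


def to_ace(domain):
    """ASCII-compatible (xn--) form via the stdlib IDNA codec (RFC 3490 /
    IDNA 2003, the version in force when this comment was written)."""
    return domain.encode("idna").decode("ascii")


def assess(domain, lang):
    """Run both checks on every label and decide how a client should display it:
    the Unicode form only when the label passes the language allow-list AND has
    no all-ASCII lookalike; otherwise the unambiguous xn-- form."""
    report = []
    ace_labels = to_ace(domain).split(".")
    for label, ace in zip(domain.split("."), ace_labels):
        lang_ok = allowed_for_language(label, lang)
        twin = lookalike_of_ascii(label)
        report.append({
            "label": label,
            "ace": ace,
            "language_ok": lang_ok,
            "lookalike": twin,
            "skeleton": skeleton(label),
            "display": label if (lang_ok and not twin) else ace,
        })
    return report


if __name__ == "__main__":
    # Constructed sample domains: the two from the comment plus an accented word
    # with no ASCII twin, which is allowed through unchanged.
    for domain, lang in [("íntel.com", "pt"), ("mıcrosoft.com", "tr"), ("façade.com", "pt")]:
        for entry in assess(domain, lang):
            print(entry)
```

Both íntel and mıcrosoft pass their respective language allow-lists, which is exactly the comment's point; only the skeleton comparison catches them. Note that the stdlib codec implements IDNA 2003, so this does not reflect the later IDNA 2008 or browser-specific display policies.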