[Pkg-kde-bugs-fwd] [Bug 98788] Possible solution to IDN domain spoofing/phishing

Peter Thomassen 98788@bugs.kde.org
28 Mar 2005 13:39:49 -0000


http://bugs.kde.org/show_bug.cgi?id=98788         

------- Additional Comments From info peter-thomassen de  2005-03-28 15:39 -------
Then, why do we need whitelists at all? Other tests, especially per-language list checks, are also performed and either confirm the whitelist (whitelisted IDN with local characters) or trigger a warning (whitelisted TLD, but foreign characters), overriding the whitelist decision. This makes whitelists useless.

BTW, I have thought again about per-language whitelists. They should not only contain characters outside the ASCII range, but all characters valid for an IDN of that language. That is, the German list should contain [a-z]äöü, but the Cyrillic one must _not_ contain ASCII [a-z] since there aren't any ASCII characters in the Cyrillic charset. If we didn't do that (--> allowing mixtures), Cyrillic users would still be affected by the paypal.com problem. Furthermore, a mixture of characters from different per-language lists should not be allowed for the same reason. --> An IDN must be monolingual to not trigger a warning.

We have come to the agreement that blacklists are necessary because similar characters could be used to mislead people (comment #42). But this probably is true for all IDN-enabled TLDs. Can't microsöft.de as easily be mistaken for Microsoft as mícrosoft.pt? Or, in general, isn't it often possible to register similar-looking domains? Additionally, this is also possible without IDNs (consider intel.com and inte1.com), so all TLDs are unsafe and would have to be blacklisted, making things even worse than before. Originally, blacklisting was mentioned to forbid identical-looking domains (which is not necessary because an IDN containing only characters from one per-language list is safe anyway). Taking everything into account, I don't consider blacklists to be helpful.

In short, do the following if a domain is not pure ASCII:
1) Check if all characters are in the same per-language list. If not, trigger a warning.

This rule also applies for punctuation homographs like / unless they are in a per-language list, and then they should be allowed (I don't believe that this will take place). Nevertheless, the idea of rule #4 from comment #45 is included.

(And, if my considerations above should be wrong:
2) Check if the TLD is blacklisted because it is known to be unsafe. If true, trigger a warning.)

These are, as everything, only my thoughts that have to be discussed.
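The two rules proposed above, written out as an added example (not code from the post or from KDE): rule 1 accepts a non-ASCII label only when every character comes from one single per-language list, where the Latin-script German list includes [a-z] and the Cyrillic list deliberately does not; rule 2 is the optional TLD blacklist fallback. The per-language lists and the blacklist entry are constructed for the example, not real policy.

```python
import unicodedata

# Constructed per-language lists: each holds every character valid in an IDN
# label of that language, so the German list carries ASCII [a-z] while the
# Cyrillic list does not (the comment's point about mixtures).
LANG_LISTS = {
    "german": set("abcdefghijklmnopqrstuvwxyz0123456789-" + "äöüß"),
    "russian": set("0123456789-"
                   + "".join(chr(cp) for cp in range(0x0430, 0x0450)) + "ё"),
}

# Rule 2 fallback: TLDs known to be unsafe. Constructed placeholder entry.
TLD_BLACKLIST = {"example"}


def is_ascii(text):
    return all(ord(c) < 128 for c in text)


def check_label(label, lists=LANG_LISTS):
    """Rule 1: a non-ASCII label passes only if all of its characters are in
    one single per-language list. Returns (ok, reason)."""
    label = unicodedata.normalize("NFC", label).lower()
    if is_ascii(label):
        return True, "ascii"
    for name, allowed in lists.items():
        if set(label) <= allowed:
            return True, name            # monolingual label, no warning
    return False, "mixed or unlisted characters"


def check_domain(domain, lists=LANG_LISTS, blacklist=None):
    """Apply rule 1 to every label of a domain; if a blacklist is given, also
    apply rule 2. Returns (ok, reason); ok=False means 'show the warning'."""
    labels = domain.rstrip(".").lower().split(".")
    if all(is_ascii(lab) for lab in labels):
        return True, "pure ascii"        # the rules only apply to IDNs
    if blacklist and labels[-1] in blacklist:
        return False, "blacklisted TLD %s" % labels[-1]
    for label in labels:
        ok, reason = check_label(label, lists)
        if not ok:
            return False, "%s: %s" % (label, reason)
    return True, "monolingual"
```

Note that microsöft.de passes rule 1 exactly as the post argues (it is monolingual), while paypal.com with a Cyrillic "а" is flagged because no single list contains both scripts.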